commit 8b3c2453acf23ae6396a1260d966d042327cd8ef Author: CentOS Sources Date: Tue Nov 15 01:34:23 2022 -0500 import certmonger-0.79.14-7.el9
diff --git a/.certmonger.metadata b/.certmonger.metadata
new file mode 100644
index 0000000..0062f2b
--- /dev/null
+++ b/.certmonger.metadata
@@ -0,0 +1 @@
+40c73b20ce99e2ffd521c5e6039ab4982ef363b6 SOURCES/certmonger-0.79.14.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9e0149e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/certmonger-0.79.14.tar.gz
diff --git a/SOURCES/0002-candidate-openssl-3.0-compat-fixes.patch b/SOURCES/0002-candidate-openssl-3.0-compat-fixes.patch
new file mode 100644
index 0000000..0d4ca18
--- /dev/null
+++ b/SOURCES/0002-candidate-openssl-3.0-compat-fixes.patch
@@ -0,0 +1,573 @@ +From 3fb9420e843694567a4976c6d5fbe4551d6e0c99 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 18 May 2021 15:40:53 -0400 +Subject: [PATCH 1/3] candidate openssl 3.0 compat fixes + +--- + src/keyiread-o.c | 16 +++++-- + src/util-o.c | 2 + + tests/001-keyiread-ec/run.sh | 2 +- + tests/001-keyiread-rsa/run.sh | 2 +- + tests/001-keyiread/run.sh | 2 +- + tests/002-keygen-sql/prequal.sh | 5 +++ + tests/002-keygen/run.sh | 2 +- + tests/003-csrgen-ec/run.sh | 2 +- + tests/003-csrgen-rsa/run.sh | 2 +- + tests/003-csrgen/run.sh | 2 +- + tests/004-selfsign-ec/run.sh | 2 +- + tests/004-selfsign-rsa/run.sh | 2 +- + tests/004-selfsign/run.sh | 2 +- + tests/025-casave/run.sh | 2 +- + tests/026-local/expected.openssl1 | 73 ++++++++++++++++++++++++++++++ + tests/026-local/expected.openssl3 | 68 ++++++++++++++++++++++++++++ + tests/026-local/expected.out | 74 +------------------------------ + tests/026-local/run.sh | 11 ++++- + tests/030-rekey/expected.out | 4 -- + tests/030-rekey/run.sh | 10 +---- + tests/036-getcert/run.sh | 2 +- + 21 files changed, 184 insertions(+), 103 deletions(-) + create mode 100755 tests/002-keygen-sql/prequal.sh + create mode 100644 tests/026-local/expected.openssl1 + create mode 100644 tests/026-local/expected.openssl3 + +diff --git a/src/keyiread-o.c b/src/keyiread-o.c +index 9fceacf6..51f7f829 100644 +--- a/src/keyiread-o.c ++++ b/src/keyiread-o.c +@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + pubikey = cm_store_hex_from_bin(NULL, tmp, length); + } + tmp = NULL; +- length = i2d_PublicKey(pkey, (unsigned char **) &tmp); ++ length = i2d_PublicKey(pkey, NULL); + if (length > 0) { +- pubkey = cm_store_hex_from_bin(NULL, tmp, length); ++ tmp = malloc(length); ++ if (tmp != NULL) { ++ length = i2d_PublicKey(pkey, (unsigned char **) &tmp); ++ pubkey = cm_store_hex_from_bin(NULL, tmp, length); ++ } + } + } + fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey); +@@ 
-219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + pubikey = cm_store_hex_from_bin(NULL, tmp, length); + } + tmp = NULL; +- length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp); ++ length = i2d_PublicKey(nextpkey, NULL); + if (length > 0) { +- pubkey = cm_store_hex_from_bin(NULL, tmp, length); ++ tmp = malloc(length); ++ if (tmp != NULL) { ++ length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp); ++ pubkey = cm_store_hex_from_bin(NULL, tmp, length); ++ } + } + fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey); + } else { +diff --git a/src/util-o.c b/src/util-o.c +index 0415014a..2208ab64 100644 +--- a/src/util-o.c ++++ b/src/util-o.c +@@ -46,6 +46,7 @@ + void + util_o_init(void) + { ++#if OPENSSL_VERSION_MAJOR < 3 + #if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS + OpenSSL_add_all_algorithms(); + #elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS +@@ -53,6 +54,7 @@ util_o_init(void) + #else + SSL_library_init(); + #endif ++#endif + } + + char * +diff --git a/tests/001-keyiread-ec/run.sh b/tests/001-keyiread-ec/run.sh +index 3045f6d0..8a810d15 100755 +--- a/tests/001-keyiread-ec/run.sh ++++ b/tests/001-keyiread-ec/run.sh +@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do + EOF + $toolsdir/keyiread entry.nss.$size + # Export the key. +- if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then ++ if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then + echo Error exporting key for $size, continuing. + continue + fi +diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh +index c6b4d38b..997ce000 100755 +--- a/tests/001-keyiread-rsa/run.sh ++++ b/tests/001-keyiread-rsa/run.sh +@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do + -s "cn=T$size" -c "cn=T$size" \ + -x -t u -k rsa + # Export the key. 
+- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 + openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 + cat > entry.openssl.$size <<- EOF + key_storage_type=FILE +diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh +index 25acdbd8..3a2502a6 100755 +--- a/tests/001-keyiread/run.sh ++++ b/tests/001-keyiread/run.sh +@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do + -s "cn=T$size" -c "cn=T$size" \ + -x -t u + # Export the key. +- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 + openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 + cat > entry.openssl.$size <<- EOF + key_storage_type=FILE +diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh +new file mode 100755 +index 00000000..d146a650 +--- /dev/null ++++ b/tests/002-keygen-sql/prequal.sh +@@ -0,0 +1,5 @@ ++#!/bin/sh ++if test `id -u` -eq 0 ; then ++ echo "This test won't work right if run as root." ++ exit 1 ++fi +diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh +index 8bb609c5..e7e6525f 100755 +--- a/tests/002-keygen/run.sh ++++ b/tests/002-keygen/run.sh +@@ -2,7 +2,7 @@ + + cd "$tmpdir" + +-scheme="${scheme:-dbm:}" ++scheme="${scheme:-sql:}" + + source "$srcdir"/functions + initnssdb "$scheme$tmpdir" +diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh +index 91117ec8..408ea526 100755 +--- a/tests/003-csrgen-ec/run.sh ++++ b/tests/003-csrgen-ec/run.sh +@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ + -x -t u -k ec -q $size + # Export the key. 
+-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ++pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 + openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : ) + # Read the public key and cache it. + cat > entry.openssl.$size <<- EOF +diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh +index bb8ebecb..9c11c708 100755 +--- a/tests/003-csrgen-rsa/run.sh ++++ b/tests/003-csrgen-rsa/run.sh +@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do + -s "cn=T$size" -c "cn=T$size" \ + -x -t u -k rsa + # Export the key. +- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" ++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" + openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : ) + # Read the public key and cache it. + cat > entry.openssl.$size <<- EOF +diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh +index d3dfbaf0..2a674679 100755 +--- a/tests/003-csrgen/run.sh ++++ b/tests/003-csrgen/run.sh +@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do + -s "cn=T$size" -c "cn=T$size" \ + -x -t u + # Export the key. +- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" ++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" + openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : ) + # Read the public key and cache it. + cat > entry.openssl.$size <<- EOF +diff --git a/tests/004-selfsign-ec/run.sh b/tests/004-selfsign-ec/run.sh +index 9d5bd11f..d1161fe5 100755 +--- a/tests/004-selfsign-ec/run.sh ++++ b/tests/004-selfsign-ec/run.sh +@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ + -x -t u -k ec -q $size + # Export the certificate and key. 
+-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ++pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 + openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1 + # Read that OpenSSL key. + cat > entry.$size <<- EOF +diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh +index c1dd4c80..b0cc71d2 100755 +--- a/tests/004-selfsign-rsa/run.sh ++++ b/tests/004-selfsign-rsa/run.sh +@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do + -s "cn=T$size" -c "cn=T$size" \ + -x -t u -k rsa + # Export the certificate and key. +- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 + openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1 + # Read that OpenSSL key. + cat > entry.$size <<- EOF +diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh +index eb1df4ee..ea00f4d7 100755 +--- a/tests/004-selfsign/run.sh ++++ b/tests/004-selfsign/run.sh +@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do + -s "cn=T$size" -c "cn=T$size" \ + -x -t u + # Export the certificate and key. +- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 + openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1 + # Read that OpenSSL key. 
+ cat > entry.$size <<- EOF +diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh +index d81df82f..089d8223 100755 +--- a/tests/025-casave/run.sh ++++ b/tests/025-casave/run.sh +@@ -2,7 +2,7 @@ + + cd $tmpdir + +-scheme="${scheme:-dbm}" ++scheme="${scheme:-sql}" + cat > $tmpdir/entrycb1 <<- EOF + id=EntryCB1 + ca_name=CAB1 +diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1 +new file mode 100644 +index 00000000..1f81c7ce +--- /dev/null ++++ b/tests/026-local/expected.openssl1 +@@ -0,0 +1,73 @@ ++[key] ++OK. ++[csr] ++Certificate Request: ++ Data: ++ Version: 1 (0x0) ++ Subject: CN=Babs Jensen's Signer ++ Attributes: ++ friendlyName :unable to print attribute ++ Requested Extensions: ++ X509v3 Key Usage: ++ Digital Signature, Certificate Sign, CRL Sign ++ X509v3 Subject Alternative Name: ++ email:root@localhost, email:root@localhost.localdomain ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Authority Key Identifier: ++ keyid:(160 bits) ++ ++ X509v3 Subject Key Identifier: ++ (160 bits) ++ Authority Information Access: ++ OCSP - URI:http://ocsp-1.example.com:12345 ++ OCSP - URI:http://ocsp-2.example.com:12345 ++ ++ OCSP No Check: ++ ++[issue] ++[issuer] ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: CN=Local Signing Authority, CN=$UUID ++ Subject: CN=Local Signing Authority, CN=$UUID ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ (160 bits) ++ X509v3 Authority Key Identifier: ++ keyid:(160 bits) ++ ++ X509v3 Key Usage: critical ++ Digital Signature, Certificate Sign, CRL Sign ++[subject] ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: CN=Local Signing Authority, CN=$UUID ++ Subject: CN=Babs Jensen's Signer ++ X509v3 extensions: ++ X509v3 Key Usage: ++ Digital Signature, Certificate Sign, CRL Sign ++ X509v3 Subject Alternative Name: ++ 
email:root@localhost, email:root@localhost.localdomain ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Authority Key Identifier: ++ keyid:(160 bits) ++ ++ X509v3 Subject Key Identifier: ++ (160 bits) ++ Authority Information Access: ++ OCSP - URI:http://ocsp-1.example.com:12345 ++ OCSP - URI:http://ocsp-2.example.com:12345 ++ ++ OCSP No Check: ++ ++[verify] ++cert: OK ++OK. +diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3 +new file mode 100644 +index 00000000..05666ccc +--- /dev/null ++++ b/tests/026-local/expected.openssl3 +@@ -0,0 +1,68 @@ ++[key] ++OK. ++[csr] ++Certificate Request: ++ Data: ++ Version: 1 (0x0) ++ Subject: CN=Babs Jensen's Signer ++ Attributes: ++ friendlyName :unable to print attribute ++ Requested Extensions: ++ X509v3 Key Usage: ++ Digital Signature, Certificate Sign, CRL Sign ++ X509v3 Subject Alternative Name: ++ email:root@localhost, email:root@localhost.localdomain ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Authority Key Identifier: ++ (160 bits) ++ X509v3 Subject Key Identifier: ++ (160 bits) ++ Authority Information Access: ++ OCSP - URI:http://ocsp-1.example.com:12345 ++ OCSP - URI:http://ocsp-2.example.com:12345 ++ OCSP No Check: ++ ++[issue] ++[issuer] ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: CN=Local Signing Authority, CN=$UUID ++ Subject: CN=Local Signing Authority, CN=$UUID ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ (160 bits) ++ X509v3 Authority Key Identifier: ++ (160 bits) ++ X509v3 Key Usage: critical ++ Digital Signature, Certificate Sign, CRL Sign ++[subject] ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: CN=Local Signing Authority, CN=$UUID ++ Subject: CN=Babs Jensen's Signer ++ X509v3 extensions: ++ X509v3 Key Usage: ++ Digital Signature, Certificate Sign, CRL Sign ++ X509v3 Subject 
Alternative Name: ++ email:root@localhost, email:root@localhost.localdomain ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Authority Key Identifier: ++ (160 bits) ++ X509v3 Subject Key Identifier: ++ (160 bits) ++ Authority Information Access: ++ OCSP - URI:http://ocsp-1.example.com:12345 ++ OCSP - URI:http://ocsp-2.example.com:12345 ++ OCSP No Check: ++ ++[verify] ++cert: OK ++OK. +diff --git a/tests/026-local/expected.out b/tests/026-local/expected.out +index 1f81c7ce..64afb8f5 100644 +--- a/tests/026-local/expected.out ++++ b/tests/026-local/expected.out +@@ -1,73 +1 @@ +-[key] +-OK. +-[csr] +-Certificate Request: +- Data: +- Version: 1 (0x0) +- Subject: CN=Babs Jensen's Signer +- Attributes: +- friendlyName :unable to print attribute +- Requested Extensions: +- X509v3 Key Usage: +- Digital Signature, Certificate Sign, CRL Sign +- X509v3 Subject Alternative Name: +- email:root@localhost, email:root@localhost.localdomain +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- keyid:(160 bits) +- +- X509v3 Subject Key Identifier: +- (160 bits) +- Authority Information Access: +- OCSP - URI:http://ocsp-1.example.com:12345 +- OCSP - URI:http://ocsp-2.example.com:12345 +- +- OCSP No Check: +- +-[issue] +-[issuer] +-Certificate: +- Data: +- Version: 3 (0x2) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: CN=Local Signing Authority, CN=$UUID +- Subject: CN=Local Signing Authority, CN=$UUID +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- (160 bits) +- X509v3 Authority Key Identifier: +- keyid:(160 bits) +- +- X509v3 Key Usage: critical +- Digital Signature, Certificate Sign, CRL Sign +-[subject] +-Certificate: +- Data: +- Version: 3 (0x2) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: CN=Local Signing Authority, CN=$UUID +- Subject: CN=Babs Jensen's Signer +- X509v3 extensions: +- X509v3 Key Usage: +- Digital Signature, Certificate Sign, CRL 
Sign +- X509v3 Subject Alternative Name: +- email:root@localhost, email:root@localhost.localdomain +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- keyid:(160 bits) +- +- X509v3 Subject Key Identifier: +- (160 bits) +- Authority Information Access: +- OCSP - URI:http://ocsp-1.example.com:12345 +- OCSP - URI:http://ocsp-2.example.com:12345 +- +- OCSP No Check: +- +-[verify] +-cert: OK +-OK. ++# purposely empty +diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh +index 6f0e74c9..3e7ade56 100755 +--- a/tests/026-local/run.sh ++++ b/tests/026-local/run.sh +@@ -1,4 +1,13 @@ +-#!/bin/bash -e ++#!/bin/bash ++ ++openssl cmp -h > /dev/null 2>&1 ++if [ $? == 1 ]; then ++ cp expected.openssl1 expected.out ++else ++ cp expected.openssl3 expected.out ++fi ++ ++set -e + + cd $tmpdir + +diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out +index e9a04221..8a9ac3fa 100644 +--- a/tests/030-rekey/expected.out ++++ b/tests/030-rekey/expected.out +@@ -11,7 +11,6 @@ key_requested_count=0 + (submit OpenSSL) + key_issued_count=0 + key_requested_count=1 +-First round certificates OK. + NSS keys before re-keygen (preserve=1,pin=""): + <-> rsa originalhex NSS Certificate DB:i2048 + key_issued_count=0 +@@ -98,7 +97,6 @@ key_requested_count=0 + (submit OpenSSL) + key_issued_count=0 + key_requested_count=1 +-First round certificates OK. + NSS keys before re-keygen (preserve=1,pin="password"): + <-> rsa originalhex NSS Certificate DB:i2048 + key_issued_count=0 +@@ -185,7 +183,6 @@ key_requested_count=0 + (submit OpenSSL) + key_issued_count=0 + key_requested_count=1 +-First round certificates OK. + NSS keys before re-keygen (preserve=0,pin=""): + <-> rsa originalhex NSS Certificate DB:i2048 + key_issued_count=0 +@@ -270,7 +267,6 @@ key_requested_count=0 + (submit OpenSSL) + key_issued_count=0 + key_requested_count=1 +-First round certificates OK. 
+ NSS keys before re-keygen (preserve=0,pin="password"): + <-> rsa originalhex NSS Certificate DB:i2048 + key_issued_count=0 +diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh +index 07fea683..7b9125ec 100755 +--- a/tests/030-rekey/run.sh ++++ b/tests/030-rekey/run.sh +@@ -31,7 +31,7 @@ for preserve in 1 0 ; do + -s "cn=T$size" -c "cn=T$size" \ + -x -t u -m 4660 -f pinfile + # Export the certificate and key. +- pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1 ++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1 + openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size + openssl pkcs12 -in $size.p12 -passin pass: -nokeys -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size + # Grab a copy of the public key. +@@ -101,14 +101,6 @@ for preserve in 1 0 ; do + echo '(submit OpenSSL)' + $toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size + grep ^key.\*count= entry.openssl.$size | LANG=C sort +- # Now compare the self-signed certificates built from the keys. +- if ! cmp cert.nss.$size cert.openssl.$size ; then +- echo First round certificates differ: +- cat cert.nss.$size cert.openssl.$size +- exit 1 +- else +- echo First round certificates OK. +- fi + + # Now generate new keys, CSRs, and certificates (NSS). 
+ echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):" +diff --git a/tests/036-getcert/run.sh b/tests/036-getcert/run.sh +index 1c99803d..bcb821d7 100755 +--- a/tests/036-getcert/run.sh ++++ b/tests/036-getcert/run.sh +@@ -51,7 +51,7 @@ listdb() { + } + + extract() { +- pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K "" ++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K "" + openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert + openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key + echo -n cert: +-- +2.26.3 + diff --git a/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch b/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch new file mode 100644 index 0000000..2016234 --- /dev/null +++ b/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch 
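Review bot: In src/keyiread-o.c the second `i2d_PublicKey(pkey, (unsigned char **) &tmp)` call is made with `tmp` pointing at the freshly malloc'd buffer, and by the usual i2d contract that advances `tmp` past the bytes written, so the following `cm_store_hex_from_bin(NULL, tmp, length)` encodes `length` bytes starting at the end of the buffer and the original allocation pointer is lost. Keep a separate write cursor — `unsigned char *p = tmp; length = i2d_PublicKey(pkey, &p); pubkey = cm_store_hex_from_bin(NULL, tmp, length);` — and apply the same change to the `nextpkey` hunk of the same file, which has the identical pattern. The return value of that second call is also passed on as a length without being re-checked for a negative error. cm_keyiread_o_main starts and ends outside both hunks, so whether `tmp` is freed later cannot be seen here. Separately, tests/026-local/run.sh selects the expected output with `openssl cmp -h; if [ $? == 1 ]`, which infers the OpenSSL major version from the exit status of an unrelated subcommand; checking `openssl version` would be more robust and easier to read.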
@@ -0,0 +1,46 @@
+From f6672effea3cf9e50d6d3f29c1fbfbf6b1578e06 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Tue, 28 Sep 2021 10:01:35 -0400
+Subject: [PATCH] Add compile check for EVP_PKEY_get_id along with EVP_PKEY_id
+
+EVP_PKEY_id is no longer available as a function, only as a preprocessor
+macro, so AC_CHECK_FUNCS cannot recognize it.
+
+This was changed in OpenSSL 3.0.0-beta2
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2008451
+
+Signed-off-by: Rob Crittenden
+---
+ configure.ac | 1 +
+ src/util-o.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 8bfa3fa..3b413a1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -374,6 +374,7 @@ if ! ${configure_dist_target_only:-false} ; then
+ AC_CHECK_FUNCS(ASN1_TIME_set)
+ AC_CHECK_FUNCS(EVP_PKEY_base_id)
+ AC_CHECK_FUNCS(EVP_PKEY_id)
++ AC_CHECK_FUNCS(EVP_PKEY_get_id)
+ AC_CHECK_FUNCS(OBJ_get0_data)
+ AC_CHECK_FUNCS(OBJ_length)
+ AC_CHECK_FUNCS(X509_ATTRIBUTE_get0_object)
+diff --git a/src/util-o.c b/src/util-o.c
+index 2208ab6..db45964 100644
+--- a/src/util-o.c
++++ b/src/util-o.c
+@@ -329,7 +329,7 @@ util_ASN1_TIME_set(ASN1_TIME *str, time_t t)
+ int
+ util_EVP_PKEY_id(const EVP_PKEY *pkey)
+ {
+-#ifdef HAVE_EVP_PKEY_ID
++#if defined(HAVE_EVP_PKEY_ID) || defined(HAVE_EVP_PKEY_GET_ID)
+ return EVP_PKEY_id(pkey);
+ #else
+ return pkey->type;
+--
+2.31.1
+
diff --git a/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch b/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch
new file mode 100644
index 0000000..2016234
--- /dev/null
+++ b/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch
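Review bot: When only HAVE_EVP_PKEY_GET_ID is defined, util_EVP_PKEY_id still calls `EVP_PKEY_id`, so it depends on that name remaining a macro alias rather than on the function the configure check actually found; should a later OpenSSL guard the alias behind a deprecation switch, this branch would hit an undeclared identifier. Prefer a dedicated branch, `#if defined(HAVE_EVP_PKEY_GET_ID) return EVP_PKEY_get_id(pkey); #elif defined(HAVE_EVP_PKEY_ID) return EVP_PKEY_id(pkey);`, so the symbol that AC_CHECK_FUNCS detected is the one called. The remaining `#else return pkey->type;` fallback only compiles against a non-opaque EVP_PKEY; a one-line comment noting that it is reachable only on pre-1.1 OpenSSL would save the next reader a detour.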
@@ -0,0 +1,123 @@ +From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 9 Jul 2021 20:49:28 +0000 +Subject: [PATCH] Add SCEP config option to treat the challenge password as an + OTP + +SCEP RFC 8894 specifies that a challenge password SHOULD be +removed from subsequent requests but that it MAY be included. + +This adds a new configuration option to treat the challenge password +as a one-time password (OTP) so that it will not be sent on +subsequent requests, like renewals, by removing it completely +from the tracking request. + +This allows certmonger to be able to renew AD-issued SCEP certificates +if the AD registry entry DisableRenewalSubjectNameMatch is set to 1. + +https://bugzilla.redhat.com/show_bug.cgi?id=1577570 + +Signed-off-by: Rob Crittenden +--- + src/certmonger.conf.5.in | 9 +++++++++ + src/certsave.c | 13 +++++++++++++ + src/prefs.c | 15 +++++++++++++++ + src/prefs.h | 4 ++++ + 4 files changed, 41 insertions(+) + +diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in +index 6a42d3cb..1b941b9d 100644 +--- a/src/certmonger.conf.5.in ++++ b/src/certmonger.conf.5.in +@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the + \fIselfsign\fR section, if one is set there, will be used. The default value + is \fI@CM_DEFAULT_CERT_LIFETIME@\fR. + ++.SH SCEP ++Within the \fIscep\fR section, these variables and values are recognized: ++ ++.IP challenge_password_otp ++This controls whether the SCEP challenge password is treated as a one-time ++password. If set to yes then the challenge password and/or challenge password ++file will be removed from the tracking request after the first certificate ++issuance so will not be sent with renewal requests. The default is no. 
++ + .SH BUGS + Please file tickets for any that you find at https://fedorahosted.org/certmonger/ + +diff --git a/src/certsave.c b/src/certsave.c +index 6eaafe59..f8503662 100644 +--- a/src/certsave.c ++++ b/src/certsave.c +@@ -18,12 +18,25 @@ + #include "config.h" + #include "certsave.h" + #include "certsave-int.h" ++#include "prefs.h" + #include "store-int.h" ++#include "talloc.h" + + /* Start writing the certificate from the entry to the configured location. */ + struct cm_certsave_state * + cm_certsave_start(struct cm_store_entry *entry) + { ++ /* If saving a SCEP certificate wipe out the challenge password */ ++ if ((cm_prefs_scep_password_otp()) && ++ (entry->cm_template_challenge_password != NULL) && ++ (entry->cm_scep_nonce != NULL)) ++ { ++ talloc_free(entry->cm_template_challenge_password); ++ entry->cm_template_challenge_password = NULL; ++ talloc_free(entry->cm_template_challenge_password_file); ++ entry->cm_template_challenge_password_file = NULL; ++ } ++ + switch (entry->cm_cert_storage_type) { + #ifdef HAVE_OPENSSL + case cm_cert_storage_file: +diff --git a/src/prefs.c b/src/prefs.c +index 669e8f1f..52ffc908 100644 +--- a/src/prefs.c ++++ b/src/prefs.c +@@ -595,3 +595,18 @@ prefs_max_key_use_count(void) + } + return count; + } ++ ++int ++cm_prefs_scep_password_otp(void) ++{ ++ static int populate = -1; ++ if (populate == -1) { ++ const char *val; ++ val = cm_prefs_config("scep", "challenge_password_otp"); ++ if (val == NULL) { ++ val = "no"; ++ } ++ populate = cm_prefs_yesno(val); ++ } ++ return populate != -1 ? 
populate : 0; ++} +diff --git a/src/prefs.h b/src/prefs.h +index 248e1016..a107fb6c 100644 +--- a/src/prefs.h ++++ b/src/prefs.h +@@ -18,6 +18,8 @@ + #ifndef cmprefs_h + #define cmprefs_h + ++#include ++ + enum cm_prefs_cipher { + cm_prefs_aes128, + cm_prefs_aes192, +@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void); + long long prefs_key_end_of_life(time_t ref); + long prefs_max_key_use_count(void); + ++int cm_prefs_scep_password_otp(void); ++ + #endif +-- +2.31.1 + diff --git a/SOURCES/0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch b/SOURCES/0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch new file mode 100644 index 0000000..fd30ffb --- /dev/null +++ b/SOURCES/0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch @@ -0,0 +1,37 @@ +From b4c090d2e12956a2df6157592839936adf4024f4 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 12 Aug 2021 16:26:09 -0400 +Subject: [PATCH] Fix file descriptor leak when executing CA helpers + +cm_cadata_start_generic() creates a pipe. One half is passed +to fetch(), the function that does all helper calls, +via the cm_cadata_state variable ret. The other half is the +reader and is used to detect execution errors. There is a pair +of write/read on this descriptor which on error would be the +errno. + +This second half wasn't being closed after reading to test for +errors. + +https://bugzilla.redhat.com/show_bug.cgi?id=1992439 + +Signed-off-by: Rob Crittenden +--- + src/cadata.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/cadata.c b/src/cadata.c +index cb9c13e2..c2764d3b 100644 +--- a/src/cadata.c ++++ b/src/cadata.c +@@ -773,6 +773,7 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op, + ca->cm_ca_external_helper, strerror(u)); + /* return the state so the process can be reaped */ + } ++ close(error_fd[0]); + return ret; + } + +-- +2.31.1 + 
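Review bot: cm_certsave_start releases the SCEP challenge password with `talloc_free` without clearing it first, so the one-time secret stays readable in freed heap memory until that memory is reused; wipe it before freeing, e.g. `memset(entry->cm_template_challenge_password, 0, strlen(entry->cm_template_challenge_password));` (or explicit_bzero where available) ahead of the `talloc_free`. The manpage text says the password is removed "after the first certificate issuance", whereas the code runs on every save where `cm_scep_nonce` is non-NULL; whether those coincide depends on when the nonce is cleared, which is outside this patch. In prefs.c, `cm_prefs_scep_password_otp` only caches `populate` when `cm_prefs_yesno` returned something other than -1, so an unparseable value is re-read on every call and silently treated as `no`; either log the bad value once or cache the fallback. The `#include` added to prefs.h has lost its header name in this rendering; presumably it is the header that declares `time_t` for the `prefs_key_end_of_life` prototype, which is worth confirming against the shipped patch.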
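Review bot: The added `close(error_fd[0])` only covers the fall-through return at the end of cm_cadata_start_generic; any earlier return or error path in the function, which starts outside the hunk, would still leak the read end and should be checked as well. It is also worth confirming that the pipe is created with O_CLOEXEC or that the child closes `error_fd[0]` before exec, since otherwise the helper process inherits the descriptor; that code is not visible here.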
diff --git a/SOURCES/0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch b/SOURCES/0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch
new file mode 100644
index 0000000..e8db81a
--- /dev/null
+++ b/SOURCES/0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch
@@ -0,0 +1,80 @@
+From 46cd5a7d9434ed104093152bdf0a55404e6a1c6b Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Tue, 5 Oct 2021 11:04:10 -0400
+Subject: [PATCH] Update csrgen test to understand OpenSSL 3.0.0 output
+
+OpenSSL 3.0.0 change a lot of output messages. When verifying
+a certificate instead of printing just "verify OK" it prints
+"Certificate request self-signature verify OK"
+
+Modify the check to match both OpenSSL 1.x and 3.x
+
+Related: https://pagure.io/certmonger/issue/223
+
+Signed-off-by: Rob Crittenden
+---
+ tests/003-csrgen-ec/run.sh | 4 ++--
+ tests/003-csrgen-rsa/run.sh | 4 ++--
+ tests/003-csrgen/run.sh | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
+index 91117ec8..7c0505f8 100755
+--- a/tests/003-csrgen-ec/run.sh
++++ b/tests/003-csrgen-ec/run.sh
+@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss.
+ openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der
+ # The RSA tests already verify the contents of the requests, so we really only
+ # need to care about the signatures passing verification.
+-openssl req -verify -noout < csr.nss.$size 2>&1 +-openssl req -verify -noout < csr.openssl.$size 2>&1 ++openssl req -verify -noout -noenc < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //' ++openssl req -verify -noout -noenc < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //' + openssl spkac -verify -noout < spkac.nss.$size 2>&1 + openssl spkac -verify -noout < spkac.openssl.$size 2>&1 + openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1 +diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh +index bb8ebecb..4f0c0ef0 100755 +--- a/tests/003-csrgen-rsa/run.sh ++++ b/tests/003-csrgen-rsa/run.sh +@@ -118,14 +118,14 @@ iterate() { + echo key_pubkey=616263 >> entry.openssl.$size + $toolsdir/csrgen entry.nss.$size > csr.nss.$size + # Both should verify. +- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then ++ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then + echo Signature failed for OpenSSL: + cat csr.openssl.$size + echo Private key: + awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size + exit 1 + fi +- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then ++ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then + echo Signature failed for NSS: + cat csr.nss.$size + echo Private key: +diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh +index d3dfbaf0..093beabf 100755 +--- a/tests/003-csrgen/run.sh ++++ b/tests/003-csrgen/run.sh +@@ -170,14 +170,14 @@ iterate() { + echo key_pubkey=616263 >> entry.openssl.$size + $toolsdir/csrgen entry.nss.$size > csr.nss.$size + # Both should verify. 
+- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then ++ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then + echo Signature failed for OpenSSL: + cat csr.openssl.$size + echo Private key: + awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size + exit 1 + fi +- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then ++ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then + echo Signature failed for NSS: + cat csr.nss.$size + echo Private key: +-- +2.31.1 + diff --git a/SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch b/SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch new file mode 100644 index 0000000..9264e87 --- /dev/null +++ b/SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch 
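Review bot: The new `openssl req -verify ... -noout -noenc` invocations in all three run.sh files pass `-noenc`, which as far as I know only exists in OpenSSL 3.0 as the replacement for `-nodes`; on OpenSSL 1.x `req` rejects the unknown option, so the "match both 1.x and 3.x" goal stated in the commit message is not met on the 1.x side. Since `-verify -noout` writes no private key, the option does nothing useful here and can simply be dropped: `openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1 | grep -c "verify OK"`. The `grep -c` test also passes on any single line containing "verify OK" regardless of what else was printed; `grep -cx` against the sed-normalised output would pin the exact line. The `iterate` function enclosing the rsa and plain csrgen hunks starts and ends outside them.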
@@ -0,0 +1,280 @@ +From e3e4679693efc60bc7a25983909ddfa6883ab2ec Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Mon, 4 Oct 2021 18:52:53 +0200 +Subject: [PATCH] Use implicit, empty FALSE for extensions + +Cemplate had a bug that caused certmonger to create CSRs with invalid DER. +It was encoding extension's critical element even for default value FALSE. + +Fixes: https://pagure.io/certmonger/issue/223 +Signed-off-by: Christian Heimes +--- + src/certext.c | 7 +- + tests/003-csrgen-rsa/expected.out | 82 ++++++++++------------ + tests/003-csrgen/expected.out | 110 +++++++++++++----------------- + 3 files changed, 91 insertions(+), 108 deletions(-) + +diff --git a/src/certext.c b/src/certext.c +index 0d66971e..e5e0b4dc 100644 +--- a/src/certext.c ++++ b/src/certext.c +@@ -1706,9 +1706,12 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry, + CERTCertExtension ext[13], *exts[14], **exts_ptr; + SECOidData *oid; + SECItem *item, encoded; ++ /* X509v3 extension's critical element has an implicit default, ++ * see https://pagure.io/certmonger/issue/223 ++ */ + SECItem der_false = { +- .len = 1, +- .data = (unsigned char *) "\000", ++ .len = 0, ++ .data = NULL, + }; + SECItem der_true = { + .len = 1, +diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out +index def53fe4..0fb88323 100644 +--- a/tests/003-csrgen-rsa/expected.out ++++ b/tests/003-csrgen-rsa/expected.out +@@ -8,8 +8,8 @@ pk12util: PKCS12 EXPORT SUCCESSFUL + 4096 OK. 
+ Signature OK + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1413 cons: SEQUENCE +- 4:d=1 hl=4 l=1133 cons: SEQUENCE ++ 0:d=0 hl=4 l=1389 cons: SEQUENCE ++ 4:d=1 hl=4 l=1109 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET +@@ -21,7 +21,7 @@ The last CSR (the one with everything) was: + 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption + 52:d=4 hl=2 l= 0 prim: NULL + 54:d=3 hl=4 l= 271 prim: BIT STRING +- 329:d=2 hl=4 l= 808 cons: cont [ 0 ] ++ 329:d=2 hl=4 l= 784 cons: cont [ 0 ] + 333:d=3 hl=2 l= 52 cons: SEQUENCE + 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword + 346:d=4 hl=2 l= 39 cons: SET +@@ -30,48 +30,40 @@ The last CSR (the one with everything) was: + 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName + 400:d=4 hl=2 l= 48 cons: SET + 402:d=5 hl=2 l= 46 prim: BMPSTRING +- 450:d=3 hl=4 l= 687 cons: SEQUENCE ++ 450:d=3 hl=4 l= 663 cons: SEQUENCE + 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 465:d=4 hl=4 l= 672 cons: SET +- 469:d=5 hl=4 l= 668 cons: SEQUENCE +- 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 465:d=4 hl=4 l= 648 cons: SET ++ 469:d=5 hl=4 l= 644 cons: SEQUENCE ++ 473:d=6 hl=2 l= 11 cons: SEQUENCE + 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 489:d=6 hl=4 l= 264 cons: SEQUENCE +- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]: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 +- 757:d=6 hl=2 l= 32 cons: SEQUENCE +- 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 764:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 791:d=6 hl=2 l= 18 cons: SEQUENCE +- 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 798:d=7 hl=2 l= 1 prim: BOOLEAN :255 +- 801:d=7 hl=2 l= 8 
prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 811:d=6 hl=2 l= 34 cons: SEQUENCE +- 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 818:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 847:d=6 hl=2 l= 32 cons: SEQUENCE +- 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 854:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 881:d=6 hl=2 l= 107 cons: SEQUENCE +- 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 893:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 990:d=6 hl=2 l= 96 cons: SEQUENCE +- 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 997:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 1088:d=6 hl=2 l= 51 cons: SEQUENCE +- 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 1141:d=1 hl=2 l= 13 cons: SEQUENCE +- 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 1154:d=2 hl=2 l= 0 prim: NULL +- 1156:d=1 hl=4 l= 257 prim: BIT STRING ++ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 486:d=6 hl=4 l= 261 cons: SEQUENCE ++ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 495:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]: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 ++ 751:d=6 hl=2 l= 29 cons: 
SEQUENCE ++ 753:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 758:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 782:d=6 hl=2 l= 18 cons: SEQUENCE ++ 784:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 789:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 792:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 802:d=6 hl=2 l= 31 cons: SEQUENCE ++ 804:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 809:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 835:d=6 hl=2 l= 29 cons: SEQUENCE ++ 837:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 842:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 866:d=6 hl=2 l= 104 cons: SEQUENCE ++ 868:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 878:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 972:d=6 hl=2 l= 93 cons: SEQUENCE ++ 974:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 979:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1067:d=6 hl=2 l= 48 cons: SEQUENCE ++ 1069:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1080:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1117:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1119:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1130:d=2 hl=2 l= 0 prim: NULL ++ 1132:d=1 hl=4 l= 257 prim: BIT STRING + Test complete (32 combinations). 
+diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out +index 46e010cf..1081a678 100644 +--- a/tests/003-csrgen/expected.out ++++ b/tests/003-csrgen/expected.out +@@ -11,8 +11,8 @@ Signature OK + minicert.openssl.4096.pem: OK + 4096 OK. + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1635 cons: SEQUENCE +- 4:d=1 hl=4 l=1355 cons: SEQUENCE ++ 0:d=0 hl=4 l=1599 cons: SEQUENCE ++ 4:d=1 hl=4 l=1319 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET +@@ -24,7 +24,7 @@ The last CSR (the one with everything) was: + 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption + 52:d=4 hl=2 l= 0 prim: NULL + 54:d=3 hl=4 l= 271 prim: BIT STRING +- 329:d=2 hl=4 l=1030 cons: cont [ 0 ] ++ 329:d=2 hl=4 l= 994 cons: cont [ 0 ] + 333:d=3 hl=2 l= 52 cons: SEQUENCE + 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword + 346:d=4 hl=2 l= 39 cons: SET +@@ -33,64 +33,52 @@ The last CSR (the one with everything) was: + 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName + 400:d=4 hl=2 l= 48 cons: SET + 402:d=5 hl=2 l= 46 prim: BMPSTRING +- 450:d=3 hl=4 l= 909 cons: SEQUENCE ++ 450:d=3 hl=4 l= 873 cons: SEQUENCE + 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 465:d=4 hl=4 l= 894 cons: SET +- 469:d=5 hl=4 l= 890 cons: SEQUENCE +- 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 465:d=4 hl=4 l= 858 cons: SET ++ 469:d=5 hl=4 l= 854 cons: SEQUENCE ++ 473:d=6 hl=2 l= 11 cons: SEQUENCE + 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 489:d=6 hl=4 l= 290 cons: SEQUENCE +- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX 
DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001 +- 783:d=6 hl=2 l= 32 cons: SEQUENCE +- 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 790:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 817:d=6 hl=2 l= 18 cons: SEQUENCE +- 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 824:d=7 hl=2 l= 1 prim: BOOLEAN :255 +- 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 837:d=6 hl=2 l= 34 cons: SEQUENCE +- 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 844:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 873:d=6 hl=2 l= 32 cons: SEQUENCE +- 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 880:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 907:d=6 hl=2 l= 107 cons: SEQUENCE +- 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 919:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 1016:d=6 hl=2 l= 96 cons: SEQUENCE +- 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 1023:d=7 hl=2 l= 1 prim: BOOLEAN 
:0 +- 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 1114:d=6 hl=2 l= 106 cons: SEQUENCE +- 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL +- 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 +- 1222:d=6 hl=2 l= 51 cons: SEQUENCE +- 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 1275:d=6 hl=2 l= 18 cons: SEQUENCE +- 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check +- 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 +- 1295:d=6 hl=2 l= 44 cons: SEQUENCE +- 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 +- 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 +- 1341:d=6 hl=2 l= 20 cons: SEQUENCE +- 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type +- 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 +- 1363:d=1 hl=2 l= 13 cons: SEQUENCE +- 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 1376:d=2 hl=2 l= 0 prim: NULL +- 1378:d=1 hl=4 l= 257 prim: BIT STRING ++ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 486:d=6 hl=4 l= 287 cons: SEQUENCE ++ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 495:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 ++ 777:d=6 hl=2 l= 29 cons: SEQUENCE ++ 779:d=7 hl=2 l= 3 prim: OBJECT 
:X509v3 Extended Key Usage ++ 784:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 808:d=6 hl=2 l= 18 cons: SEQUENCE ++ 810:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 815:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 818:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 828:d=6 hl=2 l= 31 cons: SEQUENCE ++ 830:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 835:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 861:d=6 hl=2 l= 29 cons: SEQUENCE ++ 863:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 868:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 892:d=6 hl=2 l= 104 cons: SEQUENCE ++ 894:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 904:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 998:d=6 hl=2 l= 93 cons: SEQUENCE ++ 1000:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 1005:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1093:d=6 hl=2 l= 103 cons: SEQUENCE ++ 1095:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL ++ 1100:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 ++ 1198:d=6 hl=2 l= 48 cons: SEQUENCE ++ 1200:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1211:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1248:d=6 hl=2 l= 15 cons: SEQUENCE ++ 
1250:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check ++ 1261:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 ++ 1265:d=6 hl=2 l= 41 cons: SEQUENCE ++ 1267:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 ++ 1278:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 ++ 1308:d=6 hl=2 l= 17 cons: SEQUENCE ++ 1310:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type ++ 1321:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 ++ 1327:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1329:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1340:d=2 hl=2 l= 0 prim: NULL ++ 1342:d=1 hl=4 l= 257 prim: BIT STRING + Test complete (69 combinations). +-- +2.31.1 + diff --git a/SOURCES/0009-Use-extensions-template-from-NSS.patch b/SOURCES/0009-Use-extensions-template-from-NSS.patch new file mode 100644 index 0000000..99e98c3 --- /dev/null +++ b/SOURCES/0009-Use-extensions-template-from-NSS.patch 
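Review bot: Making `der_false` a zero-length, NULL-data item only works because the encoder a few lines further down (the NSS `CERT_SequenceOfCertExtensionTemplate`, brought in by the companion patch 0009 and outside this hunk) appears to omit a DEFAULT FALSE `critical` field when the item is empty — the expected.out changes in this same patch show the `BOOLEAN :0` elements disappearing — but the new comment cites the issue without naming that dependency, so a later return to a hand-written template would silently reintroduce the invalid DER. Suggest extending the comment to `/* Zero-length item: the NSS extension template leaves out a DEFAULT FALSE critical field; the former explicit 0x00 BOOLEAN produced invalid DER (issue 223). */`. cm_certext_build_csr_extensions starts and ends outside the hunk.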
@@ -0,0 +1,80 @@
+From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 4 Oct 2021 15:55:44 +0200
+Subject: [PATCH] Use extensions template from NSS
+
+Drop certmonger's custom extension template and use the sequence of X509v3
+extensions template from NSS.
+
+The certmonger template had a bug that caused certmonger to create CSRs
+with invalid DER. It was encoding extension's critical element even for
+default value FALSE.
+
+Fixes: https://pagure.io/certmonger/issue/223
+Signed-off-by: Christian Heimes
+---
+ src/certext.c | 41 +----------------------------------------
+ 1 file changed, 1 insertion(+), 40 deletions(-)
+
+diff --git a/src/certext.c b/src/certext.c
+index be536987..0d66971e 100644
+--- a/src/certext.c
++++ b/src/certext.c
+@@ -203,45 +203,6 @@ cm_ms_template_template[] = {
+ {0, 0, NULL, 0},
+ };
+
+-/* RFC 5280, 4.1 */
+-const SEC_ASN1Template
+-cm_certext_cert_extension_template[] = {
+- {
+- .kind = SEC_ASN1_SEQUENCE,
+- .offset = 0,
+- .sub = NULL,
+- .size = sizeof(CERTCertExtension),
+- },
+- {
+- .kind = SEC_ASN1_OBJECT_ID,
+- .offset = offsetof(CERTCertExtension, id),
+- .sub = NULL,
+- .size = sizeof(SECItem),
+- },
+- {
+- .kind = SEC_ASN1_BOOLEAN,
+- .offset = offsetof(CERTCertExtension, critical),
+- .sub = NULL,
+- .size = sizeof(SECItem),
+- },
+- {
+- .kind = SEC_ASN1_OCTET_STRING,
+- .offset = offsetof(CERTCertExtension, value),
+- .sub = NULL,
+- .size = sizeof(SECItem),
+- },
+- {0, 0, NULL, 0},
+-};
+-const SEC_ASN1Template
+-cm_certext_sequence_of_cert_extension_template[] = {
+- {
+- .kind = SEC_ASN1_SEQUENCE_OF,
+- .offset = 0,
+- .sub = cm_certext_cert_extension_template,
+- .size = sizeof(CERTCertExtension **),
+- },
+-};
+-
+ /* Windows 2000-style UPN */
+ static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03};
+ static const SECOidData oid_ms_upn_name = {
+@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
+ /* Encode the sequence. */
+ memset(&encoded, 0, sizeof(encoded));
+ if (i > 1) {
+- template = cm_certext_sequence_of_cert_extension_template;
++ template = CERT_SequenceOfCertExtensionTemplate;
+ if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr,
+ template) == &encoded) {
+ *extensions = talloc_memdup(entry, encoded.data,
+--
+2.31.1
+
diff --git a/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch b/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
new file mode 100644
index 0000000..2bd9262
--- /dev/null
+++ b/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
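Review bot: This patch has to be applied before 0008 even though it is numbered after it: the `index be536987..0d66971e` line here ends on the certext.c blob that 0008's `index 0d66971e..e5e0b4dc` starts from, so applying the series in numeric order would leave 0008 unable to apply cleanly. Worth confirming that the spec's patch ordering matches the blob chain, or renumbering the files so numeric order is the apply order. The `if (i > 1)` block belongs to cm_certext_build_csr_extensions, which starts and ends outside the hunk, so whether the header that declares `CERT_SequenceOfCertExtensionTemplate` is already included cannot be checked from here.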
@@ -0,0 +1,702 @@ +From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 4 Nov 2021 13:51:31 -0400 +Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files + +If a non-PEM file was passed into add-scep-ca it would +accept it without question but later fail with: + +status: CA_UNREACHABLE +ca-error: Error: failed to verify signature on server response. + +Try to do basic validation of user-provided PEM files by: + +- stripping BEGIN/END headers +- removing newlines and carriage returns +- using OpenSSL EVP library to base64 decode the block + +This isn't fool-proof but it at least does some basic +sanity checking to ensure the file(s) exist and appear +to be PEM files. + +The unit tests use some Let's Encrypt CA certificates. + +https://bugzilla.redhat.com/show_bug.cgi?id=1492112 + +Signed-off-by: Rob Crittenden +--- + src/Makefile.am | 2 +- + src/getcert-add-scep-ca.1.in | 2 + + src/getcert.c | 39 ++++- + src/util-o.c | 144 ++++++++++++++++++ + src/util-o.h | 7 + + tests/040-pem/bad.empty | 0 + .../bad.isrg-root-x1-cross-signed.der.b64 | 25 +++ + tests/040-pem/expected.out | 7 + + .../good.isrg-root-x1-cross-signed.pem | 31 ++++ + .../good.isrg-root-x1-cross-signed_cr.pem | 31 ++++ + tests/040-pem/good.lets_encrypt_chain.pem | 93 +++++++++++ + tests/040-pem/run.sh | 21 +++ + tests/Makefile.am | 8 +- + tests/tools/Makefile.am | 3 +- + tests/tools/pem.c | 69 +++++++++ + 15 files changed, 474 insertions(+), 8 deletions(-) + create mode 100644 tests/040-pem/bad.empty + create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 + create mode 100644 tests/040-pem/expected.out + create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem + create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem + create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem + create mode 100755 tests/040-pem/run.sh + create mode 100644 tests/tools/pem.c + +diff --git a/src/Makefile.am 
b/src/Makefile.am +index 53571c5..d8e0a2e 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE) + getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS) + getcert_SOURCES = getcert.c tm.c tm.h + getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \ +- $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) ++ $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS) + if WITH_IPA + bin_PROGRAMS += ipa-getcert + ipa_getcert_CFLAGS = $(getcert_CFLAGS) +diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in +index c2751ed..901791e 100644 +--- a/src/getcert-add-scep-ca.1.in ++++ b/src/getcert-add-scep-ca.1.in +@@ -14,6 +14,8 @@ helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the + + .SH OPTIONS + .TP ++All user\-provided certificate files must be in PEM format. ++.TP + \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR + The nickname to give to this CA configuration. This same value can later be + passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and +diff --git a/src/getcert.c b/src/getcert.c +index 4afafcb..ddcb739 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -49,6 +49,7 @@ + #include "submit-u.h" + #include "tdbus.h" + #include "tdbusm.h" ++#include "util-o.h" + + #ifdef ENABLE_NLS + #include +@@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv) + int c, prefer_non_renewal = 0, verbose = 0; + dbus_bool_t b; + static DBusMessage *req, *rep; ++ const char *poptarg; + poptContext pctx; + struct poptOption popts[] = { + {"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME}, + {"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL}, + {"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID}, +- {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME}, +- {"ra-cert", 'r', 
POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME}, +- {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, +- {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, ++ {"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME}, ++ {"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME}, ++ {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, ++ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, + {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL}, + {"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL}, + {"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL}, +@@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) + return 1; + } + while ((c = poptGetNextOpt(pctx)) > 0) { ++ poptarg = poptGetOptArg(pctx); + switch (c) { + case 's': + bus = cm_tdbus_session; +@@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv) + poptPrintHelp(pctx, stdout, 0); + return 1; + break; ++ case 'R': ++ if (validate_pem(globals.tctx, poptarg) != 0) { ++ printf("The root certificate(s) in %s is not valid PEM\n", poptarg); ++ return 1; ++ } ++ root = talloc_strdup(globals.tctx, poptarg); ++ break; ++ case 'r': ++ if (validate_pem(globals.tctx, poptarg) != 0) { ++ printf("The RA certificate(s) in %s is not valid PEM\n", poptarg); ++ return 1; ++ } ++ racert = talloc_strdup(globals.tctx, poptarg); ++ break; ++ case 'I': ++ if 
(validate_pem(globals.tctx, poptarg) != 0) { ++ printf("The certificate(s) in %s is not valid PEM\n", poptarg); ++ return 1; ++ } ++ certs = talloc_strdup(globals.tctx, poptarg); ++ break; ++ case 'N': ++ if (validate_pem(globals.tctx, poptarg) != 0) { ++ printf("The certificate(s) in %s is not valid PEM\n", poptarg); ++ return 1; ++ } ++ signingca = talloc_strdup(globals.tctx, poptarg); ++ break; + } + } + if (c != -1) { +diff --git a/src/util-o.c b/src/util-o.c +index db45964..c05872c 100644 +--- a/src/util-o.c ++++ b/src/util-o.c +@@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey) + { + return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey); + } ++ ++static unsigned char * ++decode_base64(const unsigned char *input, int length, int *outlength) { ++ int expected_len; ++ unsigned char *output; ++ int output_len; ++ ++ expected_len = 3 * length / 4; ++ output = calloc(expected_len + 1, 1); ++ output_len = EVP_DecodeBlock(output, input, length); ++ ++ if (output_len < 0) { ++ *outlength = -1; ++ free(output); ++ return NULL; ++ } ++ if (output_len % 3 != 0) { ++ *outlength = -1; ++ free(output); ++ return NULL; ++ } ++ if (expected_len != output_len) { ++ *outlength = -1; ++ free(output); ++ return NULL; ++ } ++ *outlength = output_len; ++ return output; ++} ++ ++int ++validate_pem(void *parent, const char *path) ++{ ++ char *p; ++ char *s = NULL, *sp, *sq; ++ int ret = 0; ++ FILE *fp; ++ struct stat st; ++ char *tmp1 = NULL; ++ unsigned char *tmp2 = NULL; ++ char *buffer; ++ int n, i, length; ++ int found = 0; ++ ++ fp = fopen(path, "r"); ++ if (fp == NULL) { ++ printf("Unable to open %s for reading: %s\n", ++ path, strerror(errno)); ++ return -1; ++ } ++ if (fstat(fileno(fp), &st) == -1) { ++ printf("Error opening %s for reading: %s\n", ++ path, strerror(errno)); ++ fclose(fp); ++ return -1; ++ } ++ if (st.st_size == 0) { ++ printf("%s is an empty file.\n", path); ++ fclose(fp); ++ return -1; ++ } ++ ++ buffer = malloc(st.st_size + 1); ++ if 
(buffer == NULL) { ++ printf("Error allocating memory.\n"); ++ fclose(fp); ++ return -1; ++ } ++ ++ n = 0; ++ while (n < st.st_size) { ++ i = fread(buffer + n, 1, st.st_size - n, fp); ++ if (i <= 0) { ++ printf("Error reading %s: %s.\n", ++ path, strerror(errno)); ++ fclose(fp); ++ ret = -1; ++ goto done; ++ } ++ n += i; ++ } ++ fclose(fp); ++ buffer[st.st_size] = '\0'; ++ length = st.st_size; ++ s = malloc(length + 1); ++ if (s == NULL) { ++ printf("Error allocating memory.\n"); ++ ret = -1; ++ goto done; ++ } ++ memcpy(s, buffer, length); ++ s[length] = '\0'; ++ sp = s; ++ tmp1 = NULL; ++ tmp2 = NULL; ++ while ((sp = strstr(sp, "-----BEGIN")) != NULL) { ++ sq = strstr(sp, "-----END"); ++ if (sq != NULL) { ++ found++; ++ sq += strcspn(sq, "\r\n"); ++ sq += strspn(sq, "\r\n"); ++ ++ /* Strip down to pure base64 so no headers, new lines or cr */ ++ tmp1 = strndup(sp, sq - sp); ++ p = strstr(tmp1, "-----BEGIN"); ++ if (p != NULL) { ++ p += strcspn(p, "\n"); ++ if (*p == '\n') { ++ p++; ++ } ++ memmove(tmp1, p, strlen(p) + 1); ++ } ++ p = strstr(tmp1, "\n-----END"); ++ if (p != NULL) { ++ *p = '\0'; ++ } ++ while ((p = strchr(tmp1, '\r')) != NULL) { ++ memmove(p, p + 1, strlen(p)); ++ } ++ while ((p = strchr(tmp1, '\n')) != NULL) { ++ memmove(p, p + 1, strlen(p)); ++ } ++ length = 0; ++ tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length); ++ if (length < 0) { ++ ret = -1; ++ goto done; ++ } ++ sp = sq; ++ } ++ } ++ ++ if (found == 0) { ++ ret = -1; ++ } ++ ++done: ++ free(buffer); ++ free(s); ++ free(tmp1); ++ free(tmp2); ++ ++ return ret; ++} +diff --git a/src/util-o.h b/src/util-o.h +index 916777b..8550e07 100644 +--- a/src/util-o.h ++++ b/src/util-o.h +@@ -16,6 +16,12 @@ + */ + + #ifndef utilo_h ++#include ++#include ++#include ++#include ++#include ++ + #define utilo_h + + struct cm_store_entry; +@@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version); + void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR 
*sig_alg); + EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey); + EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey); ++int validate_pem(void *parent, const char *path); + + #endif +diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 +new file mode 100644 +index 0000000..f9d7e5b +--- /dev/null ++++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 +@@ -0,0 +1,25 @@ ++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK ++ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X ++DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu ++dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi ++MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4 ++93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK ++ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD ++cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/ ++iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY ++jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu ++Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD ++j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp ++gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi ++0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB ++/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw ++cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG ++AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv 
++oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE ++FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG ++rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr ++AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk ++cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc ++RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr ++6GtPAQw4dy753ec5 +diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out +new file mode 100644 +index 0000000..0459fd2 +--- /dev/null ++++ b/tests/040-pem/expected.out +@@ -0,0 +1,7 @@ ++OK ++OK ++OK ++got expected error with bad.empty ++got expected error with bad.isrg-root-x1-cross-signed.der ++got expected error with bad.notfound ++OK +diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem +new file mode 100644 +index 0000000..239794a +--- /dev/null ++++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem +@@ -0,0 +1,31 @@ ++-----BEGIN CERTIFICATE----- ++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ ++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT ++DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB ++AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC ++ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL ++wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D ++LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK ++4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 ++bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y ++sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ ++Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 
++FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc ++SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql ++PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND ++TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw ++SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 ++c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB ++ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu ++b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E ++U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu ++MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC ++5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW ++9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG ++WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O ++he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC ++Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ++-----END CERTIFICATE----- +diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem +new file mode 100644 +index 0000000..239794a +--- /dev/null ++++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem +@@ -0,0 +1,31 @@ ++-----BEGIN CERTIFICATE----- ++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ ++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT ++DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB ++AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC ++ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL ++wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D ++LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK 
++4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 ++bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y ++sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ ++Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 ++FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc ++SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql ++PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND ++TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw ++SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 ++c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB ++ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu ++b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E ++U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu ++MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC ++5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW ++9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG ++WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O ++he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC ++Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ++-----END CERTIFICATE----- +diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem +new file mode 100644 +index 0000000..29a16ff +--- /dev/null ++++ b/tests/040-pem/good.lets_encrypt_chain.pem +@@ -0,0 +1,93 @@ ++-----BEGIN CERTIFICATE----- ++MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1 ++WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg ++RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi 
++MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX ++NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf ++89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl ++Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc ++Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz ++uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB ++AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU ++BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB ++FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo ++SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js ++LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF ++BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG ++AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD ++VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB ++ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx ++A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM ++UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2 ++DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1 ++eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu ++OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw ++p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY ++2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0 ++ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR ++PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b ++rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt ++-----END CERTIFICATE----- ++-----BEGIN CERTIFICATE----- ++MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw ++WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg 
++RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK ++AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP ++R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx ++sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm ++NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg ++Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG ++/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC ++AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB ++Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA ++FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw ++AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw ++Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB ++gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W ++PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl ++ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz ++CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm ++lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 ++avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 ++yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O ++yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids ++hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ ++HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv ++MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX ++nLRbwHOoq7hHwg== ++-----END CERTIFICATE----- ++-----BEGIN CERTIFICATE----- ++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ ++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT ++DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB 
++AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC ++ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL ++wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D ++LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK ++4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 ++bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y ++sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ ++Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 ++FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc ++SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql ++PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND ++TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw ++SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 ++c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB ++ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu ++b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E ++U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu ++MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC ++5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW ++9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG ++WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O ++he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC ++Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ++-----END CERTIFICATE----- +diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh +new file mode 100755 +index 0000000..1d4d1f4 +--- /dev/null ++++ b/tests/040-pem/run.sh +@@ -0,0 +1,21 @@ ++#!/bin/bash -e ++ ++cd "$tmpdir" ++cp -p "$srcdir"/040-pem/bad.* $tmpdir ++base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der ++rm -f 
"$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64
++
++for good in "$srcdir"/040-pem/good.* ; do
++ if ! "$toolsdir"/pem "$good" ; then
++ exit 1
++ fi
++done
++for bad in "$tmpdir"/bad.* bad.notfound; do
++ if "$toolsdir"/pem "$bad" > /dev/null; then
++ echo unexpected success with `basename "$bad"`
++ exit 1
++ else
++ echo got expected error with `basename "$bad"`
++ fi
++done
++echo OK
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 013d34b..e20b6d8 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -132,6 +132,8 @@ CLEANFILES = \
+ 038-ms-v2-template/actual.err \
+ 039-fromfile/actual.out \
+ 039-fromfile/actual.err
++ 040-pem/actual.out \
++ 040-pem/actual.err
+ EXTRA_DIST = \
+ run-tests.sh functions certmonger.conf tools/cachain.sh \
+ 001-keyiread/run.sh \
+@@ -353,7 +355,8 @@ EXTRA_DIST = \
+ 038-ms-v2-template/expected.out \
+ 038-ms-v2-template/extract-extdata.py \
+ 038-ms-v2-template/run.sh \
+- 039-fromfile/run.sh
++ 039-fromfile/run.sh \
++ 040-pem/run.sh
+ 
+ subdirs = \
+ 001-keyiread \
+@@ -388,7 +391,8 @@ subdirs = \
+ 036-getcert \
+ 037-rekey2 \
+ 038-ms-v2-template \
+- 039-fromfile
++ 039-fromfile \
++ 040-pem
+ 
+ if HAVE_DBM_NSSDB
+ subdirs += \
+diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
+index 53f658e..1a01ee6 100644
+--- a/tests/tools/Makefile.am
++++ b/tests/tools/Makefile.am
+@@ -16,7 +16,8 @@ endif
+ noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
+ name2oid iterate prefs dates listnicks pem2base base2pem \
+ dparse payload checksig base64 cadata citerate casave hooks \
+- libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
++ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \
++ pem
+ noinst_LIBRARIES = libtools.a
+ if HAVE_OPENSSL
+ noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
+diff --git a/tests/tools/pem.c b/tests/tools/pem.c
+new file mode 100644
+index 0000000..4fdd4f4
+--- /dev/null
++++ b/tests/tools/pem.c
+@@ 
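Review bot: `cp -p "$srcdir"/040-pem/bad.* $tmpdir` leaves `$tmpdir` unquoted while every other use in run.sh quotes it, so a temporary directory containing whitespace splits the destination argument; `cp -p "$srcdir"/040-pem/bad.* "$tmpdir"` fixes it. Separately, `-e` is carried only on the `#!/bin/bash -e` shebang, which is dropped whenever the harness invokes the script as `bash run.sh` instead of executing it directly (how run-tests.sh launches it is not visible here); a `set -e` as the first statement keeps the failure behaviour either way. The two backtick `basename "$bad"` substitutions can become `"${bad##*/}"`, which avoids a fork per iteration and the legacy backtick form.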
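Review bot: In the CLEANFILES hunk of tests/Makefile.am the context line `039-fromfile/actual.err` carries no trailing backslash before the two added entries, so as shown the new `040-pem/actual.out \` / `040-pem/actual.err` pair lands on a line of its own that is no longer part of the list; the EXTRA_DIST and subdirs hunks below handle the same situation correctly by turning the previous last entry into a `-`/`+` pair with a trailing backslash. Unless the backslash was lost in rendering, this hunk should do the same: `-	039-fromfile/actual.err` / `+	039-fromfile/actual.err \`. The enclosing CLEANFILES assignment starts outside the hunk.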
-0,0 +1,69 @@
++/*
++ * Copyright (C) 2021 Red Hat, Inc.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program. If not, see .
++ */
++
++#include "../../src/config.h"
++
++#include
++#include
++#include
++#ifdef HAVE_INTTYPES_H
++#include
++#endif
++#include
++#include
++#include
++#include
++#include
++
++#include
++
++#include
++
++#include "../../src/util-o.h"
++
++int
++main(int argc, const char **argv)
++{
++ const char *filename;
++ void *parent;
++ int i, ret = 0;
++ poptContext pctx;
++ struct poptOption popts[] = {
++ POPT_AUTOHELP
++ POPT_TABLEEND
++ };
++
++ parent = talloc_new(NULL);
++ pctx = poptGetContext("pem", argc, argv, popts, 0);
++ while ((i = poptGetNextOpt(pctx)) > 0) {
++ continue;
++ }
++ if (i != -1) {
++ poptPrintUsage(pctx, stdout, 0);
++ return 1;
++ }
++ while ((filename = poptGetArg(pctx)) != NULL) {
++ if (validate_pem(parent, (char *)filename) == 0) {
++ printf("OK\n");
++ } else {
++ ret = 1;
++ }
++ }
++ talloc_free(parent);
++ poptFreeContext(pctx);
++ return ret;
++}
+--
+2.31.1
+
diff --git a/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch b/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
new file mode 100644
index 0000000..43ef77c
--- /dev/null
+++ b/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
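Review bot: `validate_pem(parent, (char *)filename)` casts away a const that the prototype added earlier in this patch, `int validate_pem(void *parent, const char *path)`, already accepts, so the cast can simply go: `if (validate_pem(parent, filename) == 0) {`. The usage path under `if (i != -1)` returns 1 without `talloc_free(parent)` or `poptFreeContext(pctx)`; harmless in a short-lived test tool, but either freeing before that return or moving `talloc_new` below the option parsing keeps the two exit paths consistent. A one-line header comment stating that the tool prints `OK` per valid PEM file and exits non-zero if any argument fails validation would also help whoever next edits expected.out.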
@@ -0,0 +1,31 @@
+From 657c9ab79a00a2003f7c02c535418896cacc410a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 15 Nov 2021 09:58:40 -0500
+Subject: [PATCH] =?UTF-8?q?Fix=20implicit=20declaration=20of=20function=20?=
+ =?UTF-8?q?=E2=80=98PEM=5Fread=5Fbio=5FX509=E2=80=99?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add an include for openssl/pem.h
+
+Signed-off-by: Rob Crittenden
+---
+ src/submit-n.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/submit-n.c b/src/submit-n.c
+index 3dcb820a..4f763a16 100644
+--- a/src/submit-n.c
++++ b/src/submit-n.c
+@@ -33,6 +33,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include
+ #include
+--
+2.31.1
+
diff --git a/SOURCES/0012-Remove-dependency-on-SHA-1.patch b/SOURCES/0012-Remove-dependency-on-SHA-1.patch
new file mode 100644
index 0000000..253db46
--- /dev/null
+++ b/SOURCES/0012-Remove-dependency-on-SHA-1.patch
@@ -0,0 +1,46 @@
+From 2ef0a885962ecf558a8080b19652a5bd0c11c228 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 17 Mar 2022 15:44:00 -0400
+Subject: [PATCH] Remove dependency on SHA-1
+
+---
+ tests/033-scep/run.sh | 4 ++--
+ tests/tools/cachain.sh | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh
+index a36cd5a..baaa581 100755
+--- a/tests/033-scep/run.sh
++++ b/tests/033-scep/run.sh
+@@ -148,7 +148,7 @@ check_nonce
+ check_digest sha256
+ echo OK
+ echo "[gic, old trust root]"
+-set_digest sha1
++set_digest sha256
+ $toolsdir/scepgen ca entry > scepdata
+ if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then
+ echo missing gic
+@@ -158,7 +158,7 @@ check_verified
+ check_msgtype $SCEP_MSGTYPE_GETCERTINITIAL
+ check_txid
+ check_nonce
+-check_digest sha1
++check_digest sha256
+ echo OK
+ echo "[req next, no trust root]"
+ if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then
+diff --git a/tests/tools/cachain.sh b/tests/tools/cachain.sh
+index 58f0c49..93aca9b 100755
+--- a/tests/tools/cachain.sh
++++ b/tests/tools/cachain.sh
+@@ -1,5 +1,5 @@
+ #!/bin/bash -e
+-digest=sha1
++digest=sha256
+ keytype=rsa:1024
+ serial=12345678
+ cat > openssl.cnf << EOF
+--
+2.31.1
+
diff --git a/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch b/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch
new file mode 100644
index 0000000..a5853ea
--- /dev/null
+++ b/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch
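Review bot: The cachain.sh hunk moves the digest to sha256 but leaves the neighbouring `keytype=rsa:1024` context line as it is, so the test CA chain is still generated with a 1024-bit RSA key; a crypto policy or FIPS configuration strict enough to refuse SHA-1 signatures will in most cases also refuse RSA keys below 2048 bits, so the test is likely to keep failing under exactly the policy this patch is written for. Suggest `keytype=rsa:2048` in the same hunk, or a comment on that line recording why 1024 is still acceptable in this harness. In 033-scep/run.sh the `set_digest`/`check_digest` helpers are defined outside the hunk, so whether they accept `sha256` cannot be confirmed from here; the surrounding context already calling `check_digest sha256` suggests they do.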
@@ -0,0 +1,267 @@ +From bdf93378eca9d28d5b49c8170c849d2c2e6f1991 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 7 Apr 2022 16:30:40 -0400 +Subject: [PATCH] Disable DSA in the RPM spec + +DSA has been disabled in default crypto policy since Fedora 30 +and will cause crashes if used in FIPS mode. + +Refresh the 028-dbus no-DSA expected output. It was out-of-sync +from previous changes. + +https://bugzilla.redhat.com/show_bug.cgi?id=2066439 + +Signed-off-by: Rob Crittenden +--- + certmonger.spec | 6 +- + tests/028-dbus/expected.out.nodsa | 135 +++--------------------------- + 2 files changed, 15 insertions(+), 126 deletions(-) + +diff --git a/certmonger.spec b/certmonger.spec +index 6715d83..9c01438 100644 +--- a/certmonger.spec ++++ b/certmonger.spec +@@ -28,7 +28,7 @@ + + Name: certmonger + Version: 0.79.14 +-Release: 1%{?dist} ++Release: 2%{?dist} + Summary: Certificate status monitor and PKI enrollment client + + Group: System Environment/Daemons +@@ -143,6 +143,7 @@ autoreconf -i -f + %if %{with xmlrpc} + --with-xmlrpc \ + %endif ++ --disable-dsa \ + --with-tmpdir=/run/certmonger --enable-pie --enable-now + %if %{with xmlrpc} + # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just +@@ -264,6 +265,9 @@ exit 0 + %endif + + %changelog ++* Mon Mar 28 2022 Rob Crittenden - 0.79.15-2 ++- Disable DSA. 
It is not allowed by default crypto policy (#2066439) ++ + * Tue Jun 14 2021 Rob Crittenden - 0.79.14-1 + - update to 0.79.14 + - Fix local CA to work under FIPS +diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa +index 20499bf..0e1b977 100644 +--- a/tests/028-dbus/expected.out.nodsa ++++ b/tests/028-dbus/expected.out.nodsa +@@ -11,12 +11,14 @@ Request ID 'Buddy': + CA: local + issuer: CN=$UUID,CN=Local Signing Authority + subject: CN=localhost ++ issued: sometime + expires: sometime + dns: localhost + principal name: host/localhost@LOCALHOST + key usage: digitalSignature,dataEncipherment + eku: id-kp-serverAuth + certificate template/profile: SomeProfileName ++ profile: SomeProfileName + pre-save command: echo Pre + post-save command: echo Post + track: yes +@@ -33,10 +35,6 @@ CA 'IPA': + is-default: no + ca-type: EXTERNAL + helper-location: $libexecdir/ipa-submit +-CA 'certmaster': +- is-default: no +- ca-type: EXTERNAL +- helper-location: $libexecdir/certmaster-submit + CA 'dogtag-ipa-renew-agent': + is-default: no + ca-type: EXTERNAL +@@ -44,8 +42,8 @@ CA 'dogtag-ipa-renew-agent': + + [[ API ]] + [ simpleprop.py ] +-/org/fedorahosted/certmonger/cas/CA6 +-/org/fedorahosted/certmonger/cas/CA6 ++/org/fedorahosted/certmonger/cas/CA5 ++/org/fedorahosted/certmonger/cas/CA5 + : -> : -k admin@localhost -> : + 0 -> 1 -> 0 + [ walk.py ] +@@ -181,7 +179,7 @@ OK + OK + + [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ] +-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o')) ++dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), 
dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o')) + + [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ] + dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o')) +@@ -272,6 +270,7 @@ OK + + + ++ + + + +@@ -433,7 +432,7 @@ Buddy + + + [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ] +-(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s'))) ++(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently)) + + [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ] + recently +@@ -507,7 +506,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + + +- + + + [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ] +@@ -941,10 +939,10 @@ dbus.Array([], signature=dbus.Signature('s')) + + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ] +-$tmpdir/cas/20180327134236-2 ++$tmpdir/cas/20180327134236-3 + + [ /org/fedorahosted/certmonger/cas/CA4: 
org.fedorahosted.certmonger.ca.get_nickname ] +-certmaster ++dogtag-ipa-renew-agent + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ] + 0 +@@ -956,7 +954,7 @@ EXTERNAL + None + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ] +-$libexecdir/certmaster-submit ++$libexecdir/dogtag-ipa-renew-agent-submit + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ] + dbus.Array([], signature=dbus.Signature('s')) +@@ -964,116 +962,3 @@ dbus.Array([], signature=dbus.Signature('s')) + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ] + 1 + +-[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ] +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ] +-$tmpdir/cas/20180327134236-3 +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ] +-dogtag-ipa-renew-agent +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ] +-0 +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ] +-EXTERNAL +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ] +-None +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ] +-$libexecdir/dogtag-ipa-renew-agent-submit +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ] +-dbus.Array([], signature=dbus.Signature('s')) +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ] +-1 +- +-- +2.31.1 + 
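Review bot: The changelog entry added in the certmonger.spec hunk names the package `0.79.15-2`, but the same file keeps `Version: 0.79.14` and the hunk only moves `Release` from `1%{?dist}` to `2%{?dist}`, so the entry should read `0.79.14-2`; rpmlint is likely to flag the mismatch. The expected.out.nodsa refresh is test data and raises nothing on its own. One gap the commit message leaves open: `--disable-dsa` removes DSA at build time, and what the daemon does with a request file that already records a DSA key on an upgraded host is not stated anywhere visible here — a sentence in the changelog telling administrators what to expect would be worth adding.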
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
new file mode 100644
index 0000000..4a41f2d
--- /dev/null
+++ b/SPECS/certmonger.spec
@@ -0,0 +1,1441 @@ +%if 0%{?fedora} > 15 || 0%{?rhel} > 6 +%global systemd 1 +%global sysvinit 0 +%else +%global systemd 0 +%global sysvinit 1 +%endif + +%if 0%{?fedora} > 15 && 0%{?fedora} < 20 +%global systemdsysv 1 +%else +%global systemdsysv 0 +%endif + +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +%global tmpfiles 1 +%else +%global tmpfiles 0 +%endif + +%if 0%{?fedora} > 9 || 0%{?rhel} > 5 +%global sysvinitdir %{_initddir} +%else +%global sysvinitdir %{_initrddir} +%endif + +%bcond_with xmlrpc + +Name: certmonger +Version: 0.79.14 +Release: 7%{?dist} +Summary: Certificate status monitor and PKI enrollment client + +License: GPLv3+ +URL: http://pagure.io/certmonger/ +Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz +#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig + +Patch0002: 0002-candidate-openssl-3.0-compat-fixes.patch +Patch0004: 0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch +Patch0005: 0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch +Patch0006: 0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch +Patch0007: 0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch +Patch0008: 0008-Use-implicit-empty-FALSE-for-extensions.patch +Patch0009: 0009-Use-extensions-template-from-NSS.patch +Patch0010: 0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch +Patch0011: 0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch +Patch0012: 0012-Remove-dependency-on-SHA-1.patch +Patch0013: 0013-Disable-DSA-in-the-RPM-spec.patch + + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: gettext-devel +BuildRequires: gcc +BuildRequires: openldap-devel +BuildRequires: krb5-devel +BuildRequires: libidn2-devel +BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel +%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6 +BuildRequires: libuuid-devel +%else +BuildRequires: e2fsprogs-devel +%endif +BuildRequires: libtalloc-devel, libtevent-devel +%if 
0%{?rhel} >= 6 || 0%{?fedora} >= 9 +BuildRequires: libcurl-devel +%else +BuildRequires: curl-devel +%endif +BuildRequires: libxml2-devel +%if %{with xmlrpc} +BuildRequires: xmlrpc-c-devel +%endif +BuildRequires: jansson-devel +%if 0%{?rhel} && 0%{?rhel} < 6 +BuildRequires: bind-libbind-devel +BuildRequires: mktemp +%endif +# Required for 'make check': +# for diff and cmp +BuildRequires: diffutils +# for expect +BuildRequires: expect +# for certutil and pk12util +BuildRequires: nss-tools +# for openssl +BuildRequires: openssl +# for dbus-launch +BuildRequires: /usr/bin/dbus-launch +# for dos2unix +BuildRequires: /usr/bin/dos2unix +BuildRequires: /usr/bin/unix2dos +# for which +BuildRequires: /usr/bin/which +# for dbus tests +BuildRequires: python3-dbus +BuildRequires: popt-devel +BuildRequires: sed + +# we need a running system bus +Requires: dbus +Requires(post): %{_bindir}/dbus-send + +%if %{systemd} +BuildRequires: systemd-units +BuildRequires: make +Requires(post): systemd-units +Requires(preun): systemd-units, dbus, sed +Requires(postun): systemd-units +%endif + +%if %{systemdsysv} +Requires(post): systemd-sysv +%global systemdsysvsave \ +# Save the current service runlevel info, in case the user wants \ +# to apply the enabled status manually later, by running \ +# "systemd-sysv-convert --apply certmonger". \ +%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||: +%else +%global systemdsysvsave %{nil} +%endif + +%if %{sysvinit} +Requires(post): /sbin/chkconfig, /sbin/service +Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed +%endif + +%if 0%{?fedora} >= 15 +# Certain versions of libtevent have incorrect internal ABI versions. +Conflicts: libtevent < 0.9.13 +%endif + +%description +Certmonger is a service which is primarily concerned with getting your +system enrolled with a certificate authority (CA) and keeping it enrolled. 
+ +%prep +%autosetup -p1 + +%if 0%{?rhel} > 0 +# Enabled by default for RHEL for bug #765600, still disabled by default for +# Fedora pending a similar bug report there. +sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in +%endif + +%build +autoreconf -i -f +%configure \ +%if %{systemd} + --enable-systemd \ +%endif +%if %{sysvinit} + --enable-sysvinit=%{sysvinitdir} \ +%endif +%if %{tmpfiles} + --enable-tmpfiles \ +%endif + --with-homedir=/run/certmonger \ +%if %{with xmlrpc} + --with-xmlrpc \ +%endif + --disable-dsa \ + --with-tmpdir=/run/certmonger --enable-pie --enable-now +%if %{with xmlrpc} +# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just +# tell us about libxmlrpc_client, but we need more. Work around. +make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc" +%else +make %{?_smp_mflags} +%endif + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT +mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/certmonger/{cas,requests} +install -m755 -d $RPM_BUILD_ROOT/run/certmonger +%{find_lang} %{name} + +%check +make check + +%post +if test $1 -eq 1 ; then + %{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || : +fi +%if %{without xmlrpc} +# remove any existing certmaster CA configuration +if test $1 -gt 1 ; then + %{_bindir}/getcert remove-ca -c certmaster 2>&1 || : +fi +%endif +%if %{systemd} +if test $1 -eq 1 ; then + /bin/systemctl daemon-reload >/dev/null 2>&1 || : +fi +%endif +%if %{sysvinit} +/sbin/chkconfig --add certmonger +%endif + +%triggerin -- certmonger < 0.58 +if test $1 -gt 1 ; then + # If the daemon is running, remove knowledge of the dogtag renewer. 
+ objpath=`dbus-send --system --reply-timeout=10000 --dest=org.fedorahosted.certmonger --print-reply=o /org/fedorahosted/certmonger org.fedorahosted.certmonger.find_ca_by_nickname string:dogtag-ipa-renew-agent 2> /dev/null | sed -r 's,^ +,,g' || true` + if test -n "$objpath" ; then + dbus-send --system --dest=org.fedorahosted.certmonger --print-reply /org/fedorahosted/certmonger org.fedorahosted.certmonger.remove_known_ca objpath:"$objpath" >/dev/null 2> /dev/null + fi + # Remove the data file, in case it isn't running. + for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do + if grep -q '^id=dogtag-ipa-renew-agent$' "$cafile" ; then + rm -f "$cafile" + fi + done +fi +exit 0 + +%postun +%if %{systemd} +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +if [ $1 -ge 1 ] ; then + /bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || : +fi +%endif +%if %{sysvinit} +if test $1 -gt 0 ; then + /sbin/service certmonger condrestart 2>&1 > /dev/null +fi +%endif +exit 0 + +%preun +%if %{systemd} +if test $1 -eq 0 ; then + /bin/systemctl --no-reload disable certmonger.service > /dev/null 2>&1 || : + /bin/systemctl stop certmonger.service > /dev/null 2>&1 || : +fi +%endif +%if %{sysvinit} +if test $1 -eq 0 ; then + /sbin/service certmonger stop 2>&1 > /dev/null + /sbin/chkconfig --del certmonger +fi +%endif +exit 0 + +%if %{systemd} +%triggerun -- certmonger < 0.43 +%{systemdsysvsave} +# Do this because the old package's %%postun doesn't know we need to do it. +/sbin/chkconfig --del certmonger >/dev/null 2>&1 || : +# Do this because the old package's %%postun wouldn't have tried. 
+/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || : +exit 0 +%endif + +%files -f %{name}.lang +%doc README.md LICENSE STATUS doc/*.txt +%config(noreplace) %{_sysconfdir}/dbus-1/system.d/* +%{_datadir}/dbus-1/services/* +%dir %{_sysconfdir}/certmonger +%config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf +%dir /run/certmonger +%{_bindir}/* +%{_sbindir}/certmonger +%{_mandir}/man*/* +%{_libexecdir}/%{name} +%{_localstatedir}/lib/certmonger +%if %{sysvinit} +%{sysvinitdir}/certmonger +%endif +%if %{tmpfiles} +%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/certmonger.conf +%endif +%if %{systemd} +%{_unitdir}/* +%{_datadir}/dbus-1/system-services/* +%endif + +%changelog +* Thu Apr 07 2022 Rob Crittenden - 0.79.14-7 +- Disable DSA (#2066439) + +* Thu Mar 17 2022 Rob Crittenden - 0.79.14-6 +- Certificate format validation when adding the SCEP server's CA + (#1492112) +- Replace some SHA1 usages with SHA256 in the unit tests + +* Thu Oct 07 2021 Rob Crittenden - 0.79.14-5 +- Certmonger SCEP renewal should not use old challenges (#1990926) +- Certmonger certificates stuck in NEED_GUIDANCE (#2001082) +- certmonger creates CSRs with invalid DER syntax for X509v3 extensions + with critical=FALSE (#2012261) + +* Tue Sep 28 2021 Rob Crittenden - 0.79.14-4 +- Fix FTBFS due to change in OpenSSL 3.0.0-beta2 API (#2008451) + +* Mon Aug 09 2021 Mohan Boddu - 0.79.14-3 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jul 28 2021 Rob Crittenden - 0.79.14-2 +- Re-enable LTO (#1986099) + +* Thu Jun 17 2021 Rob Crittenden - 0.79.14-1 +- Update to upstream 0.79.14 (#1969537) + +* Wed Jun 16 2021 Mohan Boddu - 0.79.13-6 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Wed May 19 2021 Rob Crittenden - 0.79.13-5 +- Port to OpenSSL 3.0 (#1952930) + +* Wed Apr 28 2021 Rob Crittenden - 0.79.13-4 +- Fix local CA to work under FIPS (#1954618) + +* Thu Apr 15 2021 Mohan Boddu - 0.79.13-3 +- Rebuilt for RHEL 
9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Jan 26 2021 Fedora Release Engineering - 0.79.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Oct 20 2020 Rob Crittenden - 0.79.13-1 +- Update to upstream 0.79.13 + +* Mon Oct 5 2020 Rob Crittenden - 0.79.12-1 +- Update to upstream 0.79.12 + +* Fri Sep 18 2020 Rob Crittenden - 0.79.11-4 +- Don't send SIGKILL to child processes to terminate them +- Switch to JSON for communication with IPA + +* Mon Jul 27 2020 Fedora Release Engineering - 0.79.11-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jun 30 2020 Rob Crittenden - 0.79.11-2 +- Fix for an unnecessary free() which can cause core dump. + +* Tue Jun 30 2020 Rob Crittenden - 0.79.11-1 +- Update to upstream 0.79.11 + +* Thu Jun 25 2020 Rob Crittenden - 0.79.10-1 +- Update to upstream 0.79.10 + +* Thu Jan 30 2020 Rob Crittenden - 0.79.9-1 +- Update to upstream 0.79.9 + +* Tue Jan 28 2020 Fedora Release Engineering - 0.79.8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Oct 30 2019 Rob Crittenden - 0.79.8-3 +- Change python2-dbus build dependency to python3 +- Convert tests to pass under python 3 +- Skip DSA tests because it is disabled by default crypto policy + +* Wed Jul 24 2019 Fedora Release Engineering - 0.79.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Jul 17 2019 Rob Crittenden - 0.79.8-1 +- Update to upstream 0.79.8 + +* Wed May 22 2019 Rob Crittenden - 0.79.7-3 +- Add BuildRequires for krb5-devel, the buildroot changed. 
+ +* Mon May 20 2019 Rob Crittenden - 0.79.7-2 +- Move systemd tmpfiles from /var/run to /run (upstream #111) +- Change /var/run -> /run in systemd service file + +* Mon Feb 18 2019 Rob Crittenden - 0.79.7-1 +- Update to upstream 0.79.7 + +* Thu Jan 31 2019 Fedora Release Engineering - 0.79.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Oct 4 2018 Rob Crittenden - 0.79.6-4 +- Pull in upstream fixes discovered in coverity and clang. + +* Mon Oct 1 2018 Rob Crittenden - 0.79.6-3 +- Improve NSS token handling. The updated NSS crypto-policy enables all + tokens which broke requesting certificates due to the way that tokens + were managed. + +* Thu Jul 12 2018 Fedora Release Engineering - 0.79.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue May 8 2018 Rob Crittenden - 0.79.6-1 +- Update to upstream 0.79.6 + +* Wed Mar 14 2018 Iryna Shcherbina - 0.79.5-7 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Fri Feb 23 2018 Rob Crittenden 0.79.5-6 +- Fix unit tests. NSS crypto policy disallows keys < 1024 + +* Wed Feb 21 2018 Rob Crittenden 0.79.5-5 +- Add BuildRequires on gcc + +* Wed Feb 07 2018 Fedora Release Engineering - 0.79.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 10 2018 Rob Crittenden 0.79.5-3 +- Remove BR on mktemp. It is now provided by coreutils. +- Patch to fix NSS handling of keys in sqlite databases +- Patches to fix tests now that sqlite is the NSS default. 
+ +* Wed Oct 4 2017 Rob Crittenden 0.79.5-2 +- Switch BR from /usr/include/popt.h to popt-devel + +* Fri Sep 1 2017 Rob Crittenden 0.79.5-1 +- update to 0.79.5: + - getcert start-tracking: use issuer option when specified + - add support for specifying the MS certificate template + - Reformat certificates returned by Dogtag to strip extra newline + +* Wed Aug 16 2017 Rob Crittenden 0.79.4-2 +- Reformat certificates returned by Dogtag. Dogtag was including + a spurious newline before -----END CERTIFICATE----- + +* Mon Aug 7 2017 Rob Crittenden 0.79.4-1 +- update to 0.79.4 + - fix CA option name for ipa cert-request + - fix minor memory leak + - fix build warnings + - fix an incorrect date in the .spec changelog + - bump gettext version to avoid warning + +* Wed Aug 02 2017 Fedora Release Engineering - 0.79.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.79.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Feb 28 2017 Nalin Dahyabhai 0.79.3-1 +- update to 0.79.3: + - fix self-signing self-test cases that used DSA or EC keys + +* Mon Feb 27 2017 Nalin Dahyabhai 0.79.2-2 +- update %%docs list because README is now README.md + +* Mon Feb 27 2017 Nalin Dahyabhai 0.79.2-1 +- update to 0.79.2: + - fix 'make distcheck' target + +* Sun Feb 19 2017 Nalin Dahyabhai 0.79.1-1 +- update to 0.79.1: + - update translations + - fix 'make archive' target + +* Sun Feb 19 2017 Nalin Dahyabhai 0.79-1 +- update to 0.79: + - getcert now offers an option (-X) for requesting processing by a particular + CA if the server we're contacting is running more than one + - getcert also offers options (--for-ca, --not-for-ca, --ca-path-length) for + requesting BasicConstraints values + - getcert now displays times in local time instead of UTC, which was + previously the only way they were displayed; the --utc option can often be + used to switch back to its previous behavior + - the 
SCEP enrollment helper now correctly issues GetCACertChain requests to + SCEP servers, instead of issuing a GetCAChain request, which isn't part of + the protocol; from report by Jason Garland + - when issuing SCEP requests, the ID of the CA included in the HTTP request + is now URL-encoded, as it should be + - renewal or notification-of-impending-expiration logic is now triggered + closer to TTL thresholds rather than waiting for a periodic check to pass a + threshold + - properly builds with OpenSSL 1.1, thanks to Lukas Slebodnik and Tomas Mraz + for a lot of the legwork +- resync .spec file with Fedora +- upstream project migrated from fedorahosted.org to pagure.io + +* Fri Feb 10 2017 Fedora Release Engineering - 0.78.6-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sat Jan 21 2017 Igor Gnatenko - 0.78.6-5 +- Rebuild for xmlrpc-c + +* Wed Jul 6 2016 Nalin Dahyabhai 0.78.6-4 +- add backported fix to wait a reasonable amount of time after calling the + 'resubmit' method for a new certificate to be issued when we're exercising + the D-Bus API during tests (Jan Cholasta, #1351052) + +* Wed Jul 6 2016 Nalin Dahyabhai 0.78.6-3 +- instead of using killall to send a SIGHUP to the system bus daemon in %%post + to get it to reload its configuration, use dbus-send to send a ReloadConfig + request over the bus (should fix #1277573) + +* Wed Feb 03 2016 Fedora Release Engineering - 0.78.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jan 13 2016 Nalin Dahyabhai 0.78.6-1 +- document the -R, -N, -o, and -t flags for dogtag-ipa-renew-agent-submit +- stop checking that we can generate 512 bit keys during self-tests + +* Thu Nov 12 2015 Nalin Dahyabhai 0.78.5-1 +- fix a possible uninitialized memory read (possibly #1260871) +- log a diagnostic error when we fail to initialize libkrb5 + +* Tue Aug 4 2015 Nalin Dahyabhai 0.78.4-1 +- fix the "getcert start-tracking" -L and -l options (#1249753) +- output diagnostics 
about the second request when scep-submit encounters an + error during a second request to the SCEP server + +* Mon Jul 20 2015 Nalin Dahyabhai 0.78.3-1 +- call poptGetOptArg() correctly, to fix parsing of the -R flag to scep-submit + and the -O and -o flags to dogtag-submit (#1244914) + +* Thu Jul 9 2015 Nalin Dahyabhai 0.78.2-1 +- tweak initialization so that we set up for providing our D-Bus API before we + register our name with the bus, so that we can handle any requests that + arrive before the acknowledgement of that registration +- on systems that run systemd, add the right data file so that the service gets + started when someone tries to talk to the daemon (ticket #38) +- correctly check for error responses when sending GetCAChain requests to SCEP + servers + +* Sun Jun 21 2015 Nalin Dahyabhai 0.78.1-1 +- self-tests: assume that certutil won't generate DSA keys with more than 1024 + bits, and will often short us by a few + +* Sat Jun 20 2015 Nalin Dahyabhai 0.78-1 +- switch to using popt for parsing command line arguments, continuing to + use old help text for now so that we can catch up with translations (print + old text for --help, new text (with longopts!) 
for -H) +- add some plumbing for eventually receiving per-certificate roots in + addition to issued certificates and chain certificates +- add a "rekey" command to getcert, for triggering enrollment using a new + key pair (#1087932) +- scep-submit: check for the Renewal capability, and default to taking + advantage of it during rekeying, unless the new -n flag is specified to it +- dogtag-submit: add flags for passing user names, UDNs, passwords, and PINs + to the helper (part of ticket #12) +- dogtag-submit: add a flag for using the agent creds to do TLS client auth + while submitting enrollment requests (more of ticket #12) +- dogtag-submit: handle cases where we submit a request and the server + returns a success code rather than just queuing the request (#12 again) +- ipa-submit: pass requested profile names to the server as an argument + named "profile_id"; if the server gives us an "unrecognized argument" + error, retry without it for compatibility's sake (part of IPA ticket #57) +- keygen: fix a possible crash if keygen fails to return a key from NSS +- correct the certmonger(8) man page's description of the -c flag, which it + used to call the -C flag +- add logic for setting ownership and permissions on certificates and keys + when saving them to disk +- add configuration options "max_key_lifetime" and "max_key_use_count" for + making automatic renewal prefer rekeying + +* Wed Jun 17 2015 Fedora Release Engineering - 0.77.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu May 28 2015 Nalin Dahyabhai 0.77.5-1 +- pass $CERTMONGER_REQ_IP_ADDRESS to enrollment helpers if the signing request + includes IP address subjectAltName values +- correctly verify signatures on SCEP server replies when the signer is neither + the top-level CA nor the RA (feedback in #1161768) +- correctly verify signatures on SCEP server replies when there is more than + one certificate in the chain between the RA and the top-level CA (feedback in + 
#1161768) + +* Fri May 15 2015 Nalin Dahyabhai 0.77.4-1 +- don't display PINs in "getcert list" output (#42) +- clean up launching of a private instance in "getcert" +- expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's + own safety checks have an effect +- backport record-keeping of key generation dates and counts of how many + times we've gotten certificates using a given key pair + +* Thu May 7 2015 Nalin Dahyabhai 0.77.3-1 +- fix a data loss bug when saving renewed certificates to NSS databases - the + private key could be removed in error since 0.77 +- fixes for bugs found by static analysis +- fix self-tests when built with OpenSSL 1.0.2 + +* Tue Apr 14 2015 Nalin Dahyabhai 0.77.2-1 +- expose the certificate's not-valid-before and not-valid-after dates as a + property over D-Bus (ticket #41) +- give the local signer its own configuration option to set the lifetime + of its signing certificate, falling back to the lifetime configured for + the self-signer as a default to match the previous behavior +- fix a potential read segfault parsing the output of an enrollment helper, + introduced in 0.77 (thanks to Steve Neuharth) +- read the ns-certtype extension value in certificates +- request an enrollment certtype extension to CSRs if we have a profile name + that we want to use (ticket #17, possibly part of IPA ticket #57) + +* Fri Feb 27 2015 Nalin Dahyabhai 0.77.1-1 +- update to 0.77 + - add initial, still rough, SCEP support (#1140241,#1161768) + - add an scep-submit helper to handle part of it + - getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands + - getcert: add -l, -L flags to request/resubmit/start-tracking commands + to provide a way to set a ChallengePassword in signing requests + - lay some groundwork for rekeying support + - bundled dogtag enrollment helpers now output debugging info to stderr (#) + - ipa-getcert: fix a crash when using DNS discovery to locate servers (#39) + - getcert: fix displaying of pre-request 
pre-/post-save commands (#1178190, + #1181022, patch by David Kupka) + - use Zanata for translations + - getcert list: list the certificate's profile name, if it contains one + +* Tue Nov 18 2014 Nalin Dahyabhai 0.76.8-1 +- dogtag-submit: accept additional options to pass to the server when + approving requests using agent creds (#1165155, patch by Jan Cholasta) +- getcert: print help output when 'status' isn't given any args (#1163541) + +* Tue Nov 11 2014 Nalin Dahyabhai 0.76.7-1 +- correctly read CA not-valid-after dates on 32-bit machines (also reported by + Natxo Asenjo), so that we don't spin on polling them (#1163023) + +* Mon Nov 10 2014 Nalin Dahyabhai 0.76.6-1 +- don't discard the priority value in DNS SRV records + +* Mon Nov 10 2014 Nalin Dahyabhai 0.76.5-1 +- avoid premature exit on CA data analysis failures (should fix an issue + reported by Natxo Asenjo) + +* Mon Nov 10 2014 Nalin Dahyabhai 0.76.4-1 +- fix a failure in self-tests + +* Mon Nov 10 2014 Nalin Dahyabhai 0.76.3-1 +- fixes for bugs found by static analysis +- handle IDN correctly when doing service location using SRV records +- documentation updates + +* Wed Nov 5 2014 Nalin Dahyabhai +- rework the state machine so that we save an issued certificate's associated + CA certificates, then re-read the certificate, then run the post hook and + issue notifications, in that order, instead of saving CA certificates after + running the post hook, which was always a surprising order (#1131700) +- add a generic dogtag-submit helper that doesn't include any IPA defaults, + to make it easier to know the difference between paramenters it requires + and parameters which are optional (#12) + +* Tue Nov 4 2014 Nalin Dahyabhai 0.76.2-1 +- ipa-submit: when we fail to locate/contact LDAP or XML-RPC servers, + use discovery to find them (#1136900) + +* Fri Oct 31 2014 Nalin Dahyabhai 0.76.1-1 +- allow for 'certmonger -P abstract:...' 
to work, too + +* Fri Oct 31 2014 Nalin Dahyabhai 0.76-1 +- require a single certificate to be specified to 'getcert status' (#1148001, + #1163541, #1163539) +- shorten the default help message which getcert prints when it's not given + a specific command (#1131704) +- add private listener (-l, -L, -P) mode to certmonger, to allow it to listen + for connections directly from clients running under the same UID +- add a command mode (-c) to certmonger, in which once it's started, it + launches a specified command, and after that command exits, the daemon exits +- when getcert is invoked with no bus running, if it's running as root, run + certmonger in private listener mode with the same invocation of getcert as + the command to start and wait for (#1134497) + +* Thu Aug 28 2014 Nalin Dahyabhai 0.75.14-1 +- make pathname canonicalization slightly smarter, to handle ".." in + locations (#1131758) +- updates to self-tests (#1144082) + +* Thu Aug 21 2014 Kevin Fenzi - 0.75.13-2 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Nalin Dahyabhai 0.75.13-1 +- add a missing test case file (whoops) + +* Mon Aug 18 2014 Nalin Dahyabhai 0.75.12-1 +- correct encoding/decoding of variant-typed data which we receive and send + as part of the org.freedesktop.DBus.Properties interface over the bus, and + add some tests for them (based on patch from David Kupka, ticket #36) + +* Fri Aug 15 2014 Fedora Release Engineering - 0.75.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Aug 12 2014 Nalin Dahyabhai 0.75.11-1 +- when getcert is passed a -a flag, to indicate that CA root certificates + should be stored in the specified database, don't ignore locations which + don't include a storage scheme (#1129537) +- when called to 'start-tracking' with the -a or -F flags, if we have + applicable certificates on-hand for a CA that we're either told to use + or which we decide is the correct one, save the certificates (#1129696) + +* Tue Aug 5 2014 Nalin 
Dahyabhai 0.75.10-1 +- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in + default.conf, and no "host" is set either, try to construct the server URI + using the "server" setting (#1126985) + +* Thu Jul 31 2014 Nalin Dahyabhai 0.75.9-1 +- avoid potential use-after-free after a CA is removed dynamically (thanks to + Keenan Brock) (#1125342) +- add a "external-helper" property to CA objects + +* Mon Jul 21 2014 Nalin Dahyabhai 0.75.8-1 +- add a 'refresh' option to the getcert command +- add a '-a' flag to the getcert command's 'refresh-ca' option + +* Thu Jul 17 2014 Nalin Dahyabhai 0.75.7-2 +- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older, + conditionalized it so that it's ignored on newer releases, and make + whether or not we call systemd-sysv-convert in triggers depend on that, + too (#1104138) + +* Thu Jul 17 2014 Nalin Dahyabhai 0.75.7-1 +- fix an inconsistency in how we parse cookie values returned by CA helpers, + in that single-line values would lose the end-of-line after a daemon + restart, but not before +- handle timeout values and exit status values when calling CA helpers + in non-SUBMIT, non-POLL modes (#1118468) +- rework how we save CA certificates so that we save CA certificates associated + with end-entity certificates when we save that end-entity certificate, which + requires running all of the involved pre- and post-save commands +- drop package Requires: on systemd-sysv (#1104138) + +* Thu Jun 26 2014 Nalin Dahyabhai 0.75.6-1 +- avoid potential use-after-free and read overrun after a CA is added + dynamically (thanks to Jan Cholasta) + +* Fri Jun 20 2014 Nalin Dahyabhai 0.75.5-1 +- documentation updates + +* Fri Jun 20 2014 Nalin Dahyabhai 0.75.4-2 +- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA + when we detect certmonger versions prior to 0.58 being installed, to + avoid cases where some older versions choke on CAs with nicknames that + contain characters that can't 
legally be part of a D-Bus name (#948993) + +* Thu Jun 19 2014 Nalin Dahyabhai 0.75.4-1 +- fix creation and packaging of the "local" CA's data directory + +* Wed Jun 18 2014 Nalin Dahyabhai 0.75.3-1 +- read and cache whether or not we saw a noOCSPcheck extension in certificates +- documentation updates + +* Mon Jun 16 2014 Nalin Dahyabhai 0.75.2-1 +- when generating keys using OpenSSL, if key generation fails, try + again with the default key size, in case we're in FIPS mode +- documentation updates + +* Sat Jun 14 2014 Nalin Dahyabhai 0.75.1-1 +- log the state in 'getcert status' verbose mode + +* Fri Jun 13 2014 Nalin Dahyabhai 0.75-1 +- add a -w (wait) flag to the getcert's request/resubmit/start-tracking + commands, and add a non-waiting status command + +* Wed Jun 11 2014 Nalin Dahyabhai 0.74.96-1 +- make the trust settings we apply to CA-supplied certificates while + saving them to NSS databases run-time configurable +- fix compiling against EL5-era OpenSSL +- when saving CA certificates we pull from an IPA server, nickname + it using the realm name with " IPA CA" appended rather than just + naming it "IPA CA" +- fix the local signer so that when it issues itself a new certificate, + it uses the same subject name +- add a -w flag to getcert's request, resubmit, and start-tracking + commands, telling it to wait until either the certificate is issued, + we get to a state where we know that we won't be able to get one, or + we are waiting for a CA + +* Mon Jun 9 2014 Nalin Dahyabhai 0.74.95-1 +- add the "local" signer, a local toy CA that signs anything you'll + ask it to sign + +* Sat Jun 07 2014 Fedora Release Engineering - 0.74-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Jun 6 2014 Nalin Dahyabhai 0.74.94-1 +- fix self-test errors that we trigger with new OpenSSL +- fix a build error that would sometimes happen when we're told to + build PIE binaries +- quiet a compile warning + +* Thu Jun 5 2014 Nalin Dahyabhai 0.74.93-1 
+- add some self-tests +- simplify the internal submit-to-CA logic +- fixes for more problems found through static analysis + +* Tue Jun 3 2014 Nalin Dahyabhai 0.74.92-1 +- retrieve CA information from CAs, if the helpers can do so, and + add a command to explicitly refresh that data: "getcert refresh-ca" +- offer to save CA certificates to files and databases, when specified with + new -a and -F flags to getcert request/resubmit/start-tracking (#1098208, + trac #31) +- add IP address subject alternate names when getcert request/resubmit + is passed the -A option (trac #35) +- read and cache the freshestCRL extension in certificates +- properly interpret KDC-unreachable errors encountered in the IPA + submission error as a server-unreachable error that we will retry, + rather than a misconfiguration error which we won't +- don't let tests get tripped up by new formatting used in dos2unix status + messages (#1099080) +- updated translations +- be explicit that we are going to use bashisms in test scripts by calling + the shell interpreter as 'bash' rather than 'sh' (trac #27) + +* Thu Apr 3 2014 Nalin Dahyabhai 0.74-1 +- also save state when we exit due to SIGHUP +- don't get tripped up when enrollment helpers hand us certificates which + include CRLF line terminators (ticket #25) +- be tolerant of certificate issuer names, subject names, DNS, email, and + Kerberos principal namem subjectAltNames, and crl distribution point URLs + that contain newlines +- read and cache the certificate template extension in certificates +- enforce different minimum key sizes depending on the type of key we're + trying to generate +- store DER versions of subject, issuer and template subject, if we have + them (Jan Cholasta, ticket #26) +- when generating signing requests with subject names that don't quite parse + as subject names, encode what we're given as PrintableString rather than + as a UTF8String +- always chdir() to a known location at startup, even if we're not becoming + a 
daemon +- fix a couple of memory leaks (static analysis) +- add missing buildrequires: on which + +* Thu Feb 20 2014 Nalin Dahyabhai 0.73-1 +- updates to 0.73 + - getcert no longer claims to be stuck when a CA is unreachable, + because the daemon isn't actually stuck + +* Mon Feb 17 2014 Nalin Dahyabhai +- updates to 0.73 + - also pass the key type to enrollment helpers in the environment as + a the value of "CERTMONGER_KEY_TYPE" + +* Mon Feb 10 2014 Nalin Dahyabhai +- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir}, + where it belongs (#1180978) + +* Mon Feb 10 2014 Nalin Dahyabhai +- updates for 0.73 + - set the flag to encode EC public key parameters using named curves + instead of the default of all-the-details when using OpenSSL + - don't break when NSS supports secp521r1 but OpenSSL doesn't + - also pass the CA nickname to enrollment helpers in the environment as + a text value in "CERTMONGER_CA_NICKNAME", so they can use that value + when reading configuration settings + - also pass the SPKAC value to enrollment helpers in the environment as + a base64 value in "CERTMONGER_SPKAC" + - also pass the request's SubjectPublicKeyInfo value to enrollment helpers + in the environment as a base64 value in "CERTMONGER_SPKI" (part of #16) + - when generating signing requests using NSS, be more accommodating of + requested subject names that don't parse properly + +* Mon Feb 3 2014 Nalin Dahyabhai 0.72-1 +- update to 0.72 + - support generating DSA parameters and keys on sufficiently-new OpenSSL + and NSS + - support generating EC keys when OpenSSL and NSS support it, using key + size to select the curve to use from among secp256r1, secp384r1, + secp521r1 (which are the ones that are usually available, though + secp521r1 isn't always, even if the other two are) + - stop trying to cache public key parameters at all and instead cache public + key info properly + - encode the friendlyName attribute in signing requests as a BMPString, + not as a 
PrintableString + - catch more filesystem permissions problems earlier (more of #996581) + +* Mon Jan 27 2014 Nalin Dahyabhai 0.71-1 +- check for cases where we fail to allocate memory while reading a request + or CA entry from disk (John Haxby) +- only handle one watch at a time, which should avoid abort() during + attempts to reconnect to the message bus after losing our connection + to it (#1055521) + +* Fri Jan 24 2014 Daniel Mach - 0.70-2 +- Mass rebuild 2014-01-24 + +* Thu Jan 2 2014 Nalin Dahyabhai 0.70-1 +- add a --with-homedir option to configure, and use it, since subprocesses + which we run and which use NSS may attempt to write to $HOME/.pki, and + 0.69's strategy of setting that to "/" was rightly hitting SELinux policy + denials (#1047798) + +* Fri Dec 27 2013 Daniel Mach - 0.69-2 +- Mass rebuild 2013-12-27 + +* Mon Dec 9 2013 Nalin Dahyabhai 0.69-1 +- tweak how we decide whether we're on the master or a minion when we're + told to use certmaster as a CA +- clean up one of the tests so that it doesn't have to work around internal + logging producing duplicate messages +- when logging errors while setting up to contact xmlrpc servers, explicitly + note that the error is client-side +- don't abort() due to incorrect locking when an attempt to save an issued + certificate to the designated location fails (part of #1032760/#1033333, + ticket #22) +- when reading an issued certificate from an enrollment helper, ignore + noise before or after the certificate itself (more of #1032760/1033333, + ticket #22) +- run subprocesses in a cleaned-up environment (more of #1032760/1033333, + ticket #22) +- clear the ca-error that we saved when we had an error talking to the CA if we + subsequently succeed in talking to the CA +- various other static-analysis fixes + +* Thu Aug 29 2013 Nalin Dahyabhai 0.68-1 +- notice when the OpenSSL RNG isn't seeded +- notice when saving certificates or keys fails due to filesystem-related + permission denial (#996581) + +* Tue Aug 6 
2013 Nalin Dahyabhai 0.67-3 +- pull up a patch from master to adapt self-tests to certutil's diagnostic + output having changed (#992050) + +* Sat Aug 03 2013 Fedora Release Engineering - 0.67-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Mar 11 2013 Nalin Dahyabhai 0.67-1 +- when saving certificates to NSS databases, try to preserve the trust + value assigned to a previously-present certificate with the same nickname + and subject, if one is found +- when saving certificates to NSS databases, also prune certificates from + the database which have both the same nickname and subject as the one + we're adding, to avoid tripping up tools that only fetch one certificate + by nickname + +* Wed Feb 13 2013 Fedora Release Engineering - 0.65-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 23 2013 Nalin Dahyabhai 0.66-1 +- build as position-independent executables with early binding (#883966) +- also don't tag the unit file as a configuration file (internal tooling) + +* Wed Jan 23 2013 Nalin Dahyabhai 0.65-2 +- don't tag the D-Bus session .service file as a configuration file (internal + tooling) + +* Tue Jan 8 2013 Nalin Dahyabhai 0.65-1 +- fix a crash in the self-tests + +* Tue Jan 8 2013 Nalin Dahyabhai 0.64-1 +- at startup, if we resume the state machine for a given certificate to a state + which expects to have the newly-added lock already acquired, acquire it + before moving on with the certificate's work (still aimed at fixing #883484) + +* Tue Dec 18 2012 Nalin Dahyabhai 0.63-1 +- serialize access to NSS databases and the running of pre- and post-save + commands which might also access them (possibly fixing part of #883484) + +* Thu Nov 29 2012 Nalin Dahyabhai 0.62-1 +- add a -u flag to getcert to enable requesting a keyUsage extension value +- request subjectKeyIdentifier extensions from CAs, and include them in + self-signed certificates +- request basicConstraints from CAs, defaulting to 
requests for end-entity + certificates +- when requesting CA certificates, also request authorityKeyIdentifier +- add support for requesting CRL distribution point and authorityInfoAccess + extensions that specify OCSP responder locations +- don't crash when OpenSSL can't build a template certificate from a request + when we're in FIPS mode +- put NSS in FIPS mode, when the system booted that way, except when we're + trying to write certificates to a database +- fix CSR generation and self-signing in FIPS mode with NSS +- fix self-signing in FIPS mode with OpenSSL +- new languages from the translation team: mai, ml, nn, ga + +* Tue Nov 27 2012 Nalin Dahyabhai 0.61-3 +- backport change from git to not choke if X509_REQ_to_X509() fails when we're + self-signing using OpenSSL +- backport another change from git to represent this as a CA-rejected error + +* Mon Sep 24 2012 Nalin Dahyabhai 0.61-1 +- fix a regression in reading old request tracking files where the + request was in state NEED_TO_NOTIFY or NOTIFYING + +* Wed Sep 5 2012 Nalin Dahyabhai 0.60-1 +- adjust internals of logic for talking to dogtag to at least have a + concept of non-agent cases +- when talking to an IPA server's internal Dogtag instance, infer which + ports the CA is listening on from the "dogtag_version" setting in the + IPA configuration (Ade Lee) +- send a notification (or log a message, whatever) when we save a new + certificate (#766167) + +* Mon Jul 30 2012 Nalin Dahyabhai +- fix a bad %%preun scriptlet + +* Wed Jul 18 2012 Fedora Release Engineering - 0.59-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jun 29 2012 Nalin Dahyabhai 0.59-1 +- mostly documentation updates + +* Fri Jun 29 2012 Nalin Dahyabhai 0.58-1 +- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using + an IPA server's internal Dogtag instance +- export the requested profile and old certificate to enrollment helpers +- make libxml and libcurl into hard build-time 
requirements +- serialize all pre/save/post sequences to make sure that stop/save/start + doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping + a service while we muck with more than one of its certificates + +* Fri Jun 15 2012 Nalin Dahyabhai +- add a command option (-T) to getcert for specifying which enrollment + profile to tell a CA that we're using, in case it cares (#10) + +* Thu Jun 14 2012 Nalin Dahyabhai 0.57-1 +- clarify that the command passed to getcert -C is a "post"-save command +- add a "pre"-save command option to getcert, specified with the -B flag (#9) +- after we notify of an impending not-valid-after approaching, don't do it + again immediately + +* Sat Mar 3 2012 Nalin Dahyabhai 0.56-1 +- when a caller sets the is-default flag on a CA, and another CA is no longer + the default, emit the PropertiesChanged signal on the CA which is not the + default, instead on the new default a second time +- drop some dead code from the D-Bus message handlers (static analysis, + #796813) +- cache public keys when we read private keys +- go back to printing an error indicating that we're missing a required + argument when we're missing a required argument, not that the option is + invalid (broken since 0.51, #796542) + +* Wed Feb 15 2012 Nalin Dahyabhai 0.55-1 +- allow root to use our implementation of org.freedesktop.DBus.Properties +- take more care to not emit useless PropertiesChanged signals + +* Wed Feb 15 2012 Nalin Dahyabhai 0.54-1 +- fix setting the group ID when spawning the post-save command + +* Tue Feb 14 2012 Nalin Dahyabhai 0.53-1 +- large changes to the D-Bus glue, exposing a lot of data which we were + providing via D-Bus getter methods as properties, and providing more + accurate introspection data +- emit a signal when the daemon saves a certificate to the destination + location, and provide an option to have the daemon spawn an arbitrary + command at that point, too (#766167) +- enable starting the service by default on 
RHEL (#765600)
+
+* Thu Jan 12 2012 Fedora Release Engineering - 0.52-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Dec 16 2011 Nalin Dahyabhai 0.52-1
+- note that SELinux usually confines us to writing only to cert_t in
+ doc/getting-started.txt (#765599)
+- fix crashes when we add a request during our first run when we're
+ populating the hard-coded CA list
+- properly deal with cases where a path is passed to us is "./XXX"
+- in session mode, create our data directories as we go
+
+* Tue Dec 6 2011 Nalin Dahyabhai 0.51-1
+- api: lift restrictions on characters used in request and CA nicknames by
+ making their object names not incorporate their nicknames
+- api: add find_request_by_nickname and find_ca_by_nickname
+- certmonger-ipa-submit.8: list -k, -K, -t in the summary, document -K
+- getcert: print "invalid option" error messages ourselves (#756291)
+- ipa-submit: supply a Referer: header when submitting requests to IPA
+ (#750617, needed for #747710)
+
+* Fri Oct 14 2011 Nalin Dahyabhai 0.50-1
+- really fix these this time:
+ - getcert: error out when "list -c" finds no matching CA (#743488)
+ - getcert: error out when "list -i" finds no matching request (#743485)
+
+* Wed Oct 12 2011 Nalin Dahyabhai 0.49-1
+- when using an NSS database, skip loading the module database (#743042)
+- when using an NSS database, skip loading root certs
+- generate SPKAC values when generating CSRs, though we don't do anything
+ with SPKAC values yet
+- internally maintain and use challenge passwords, if we have them
+- behave better when certificates have shorter lifetimes
+- add/recognize/handle notification type "none"
+- getcert: error out when "list -c" finds no matching CA (#743488)
+- getcert: error out when "list -i" finds no matching request (#743485)
+
+* Thu Sep 29 2011 Nalin Dahyabhai 0.48-1
+- don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated
+ array (#742348)
+
+* Tue Sep 27 2011 Nalin Dahyabhai 0.47-1
+-
getcert: distinguish between {stat() succeeds but isn't a directory} and
+ {stat() failed} when printing an error message (#739903)
+- getcert resubmit/start-tracking: when we're looking for an existing request
+ by ID, and we don't find one, note that specifically (#741262)
+
+* Mon Aug 29 2011 Stephen Gallagher - 0.46-1.1
+- Rebuild against fixed libtevent version
+
+* Mon Aug 15 2011 Nalin Dahyabhai 0.46-1
+- treat the ability to access keys in an NSS database without using a PIN,
+ when we've been told we need one, as an error (#692766, really this time)
+
+* Thu Aug 11 2011 Nalin Dahyabhai 0.45-1
+- modify the systemd .service file to be a proper 'dbus' service (more
+ of #718172)
+
+* Thu Aug 11 2011 Nalin Dahyabhai 0.44-1
+- check specifically for cases where a specified token that we need to
+ use just isn't present for whatever reason (#697058)
+
+* Wed Aug 10 2011 Nalin Dahyabhai 0.43-1
+- add a -K option to ipa-submit, to use the current ccache, which makes
+ it easier to test
+
+* Fri Aug 5 2011 Nalin Dahyabhai
+- if xmlrpc-c's struct xmlrpc_curl_xportparms has a gss_delegate field, set
+ it to TRUE when we're doing Negotiate auth (#727864, #727863, #727866)
+
+* Wed Jul 13 2011 Nalin Dahyabhai
+- treat the ability to access keys in an NSS database without using a PIN,
+ when we've been told we need one, as an error (#692766)
+- when handling "getcert resubmit" requests, if we don't have a key yet,
+ make sure we go all the way back to generating one (#694184)
+- getcert: try to clean up tests for NSS and PEM file locations (#699059)
+- don't try to set reconnect-on-exit policy unless we managed to connect
+ to the bus (#712500)
+- handle cases where we specify a token but the storage token isn't
+ known (#699552)
+- getcert: recognize -i and storage options to narrow down which requests
+ the user wants to know about (#698772)
+- output hints when the daemon has startup problems, too (#712075)
+- add flags to specify whether we're bus-activated or not,
so that we can
+ exit if we have nothing to do after handling a request received over
+ the bus if some specified amount of time has passed
+- explicitly disallow non-root access in the D-Bus configuration (#712072)
+- migrate to systemd on releases newer than Fedora 15 or RHEL 6 (#718172)
+- fix a couple of incorrect calls to talloc_asprintf() (#721392)
+
+* Wed Apr 13 2011 Nalin Dahyabhai 0.42-1
+- getcert: fix a buffer overrun preparing a request for the daemon when
+ there are more parameters to encode than space in the array (#696185)
+- updated translations: de, es, id, pl, ru, uk
+
+* Mon Apr 11 2011 Nalin Dahyabhai 0.41-1
+- read information about the keys we've just generated before proceeding
+ to generating a CSR (part of #694184, part of #695675)
+- when processing a "resubmit" request from getcert, go back to key
+ generation if we don't have keys yet, else go back to CSR generation as
+ before (#694184, #695675)
+- configure with --with-tmpdir=/var/run/certmonger and own /var/run/certmonger
+ (#687899), and add a systemd tmpfiles.d control file for creating
+ /var/run/certmonger on Fedora 15 and later
+- let session instances exit when they get disconnected from the bus
+- use a lock file to make sure there's only one session instance messing
+ around with the user's files at a time
+- fix errors saving certificates to NSS databases when there's already a
+ certificate there with the same nickname (#695672)
+- make key and certificate location output from 'getcert list' more properly
+ translatable (#7)
+
+* Mon Mar 28 2011 Nalin Dahyabhai 0.40-1
+- update to 0.40
+ - fix validation check on EKU OIDs in getcert (#691351)
+ - get session bus mode sorted
+ - add a list of recognized EKU values to the getcert-request man page
+
+* Fri Mar 25 2011 Nalin Dahyabhai 0.39-1
+- update to 0.39
+ - fix use of an uninitialized variable in the xmlrpc-based submission
+ helpers (#690886)
+
+* Thu Mar 24 2011 Nalin Dahyabhai 0.38-1
+- update to 0.38
+ - catch cases
where we can't read a PIN file, but we never have to log
+ in to the token to access the private key (more of #688229)
+
+* Tue Mar 22 2011 Nalin Dahyabhai 0.37-1
+- update to 0.37
+ - be more careful about checking if we can read a PIN file successfully
+ before we even call an API that might need us to try (#688229)
+ - fix strict aliasing warnings
+
+* Tue Mar 22 2011 Nalin Dahyabhai 0.36-1
+- update to 0.36
+ - fix some use-after-free bugs in the daemon (#689776)
+ - fix a copy/paste error in certmonger-ipa-submit(8)
+ - getcert now suppresses error details when not given its new -v option
+ (#683926, more of #681641/#652047)
+ - updated translations
+ - de, es, pl, ru, uk
+ - indonesian translation is now for "id" rather than "in"
+
+* Wed Mar 2 2011 Nalin Dahyabhai 0.35.1-1
+- fix a self-test that broke because one-year-from-now is now a day's worth
+ of seconds further out than it was a few days ago
+
+* Mon Feb 14 2011 Nalin Dahyabhai 0.35-1
+- update to 0.35
+ - self-test fixes to rebuild properly in mock (#670322)
+
+* Tue Feb 08 2011 Fedora Release Engineering - 0.34-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Jan 14 2011 Nalin Dahyabhai 0.34-1
+- update to 0.34
+ - explicitly note the number of requests we're tracking in the output of
+ "getcert list" (#652049)
+ - try to offer some suggestions when we get certain specific errors back
+ in "getcert" (#652047)
+ - updated translations
+ - es
+
+* Thu Dec 23 2010 Nalin Dahyabhai 0.33-1
+- update to 0.33
+ - new translations
+ - id by Okta Purnama Rahadian!
+ - updated translations
+ - pl, uk
+ - roll up assorted fixes for defects
+
+* Fri Nov 12 2010 Nalin Dahyabhai 0.32-2
+- depend on the e2fsprogs libuuid on Fedora and RHEL releases where it's
+ not part of util-linux-ng
+
+* Wed Oct 13 2010 Nalin Dahyabhai 0.32-1
+- oops, rfc5280 says we shouldn't be populating unique identifiers, so
+ make it a configuration option and default the behavior to off
+
+* Tue Oct 12 2010 Nalin Dahyabhai 0.31-1
+- start populating the optional unique identifier fields in self-signed
+ certificates
+
+* Thu Sep 30 2010 Nalin Dahyabhai 0.30-4
+- explicitly require "dbus" to try to ensure we have a running system bus
+ when we get started (#639126)
+
+* Wed Sep 29 2010 jkeating - 0.30-3
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Nalin Dahyabhai 0.30-2
+- try to SIGHUP the messagebus daemon at first install so that it'll
+ let us claim our service name if it isn't restarted before we are
+ first started (#636876)
+
+* Wed Aug 25 2010 Nalin Dahyabhai 0.30-1
+- update to 0.30
+ - fix errors computing the time at the end of an interval that were
+ caught by self-tests
+
+* Mon Aug 23 2010 Nalin Dahyabhai 0.29-1
+- update to 0.29
+ - fix 64-bit cleanliness issue using libdbus
+ - actually include the full set of tests in tarballs
+
+* Tue Aug 17 2010 Nalin Dahyabhai 0.28-1
+- update to 0.28
+ - fix self-signing certificate notBefore and notAfter values on 32-bit
+ machines
+
+* Tue Aug 17 2010 Nalin Dahyabhai 0.27-1
+- update to 0.27
+ - portability and test fixes
+
+* Fri Aug 13 2010 Nalin Dahyabhai 0.26-1
+- update to 0.26
+ - when canceling a submission request that's being handled by a helper,
+ reap the child process's status after killing it (#624120)
+
+* Fri Aug 13 2010 Nalin Dahyabhai 0.25-1
+- update to 0.25
+ - new translations
+ - in by Okta Purnama Rahadian!
+ - fix detection of cases where we can't access a private key in an NSS
+ database because we don't have the PIN
+ - teach '*getcert start-tracking' about the -p and -P options which the
+ '*getcert request' commands already understand (#621670), and also
+ the -U, -K, -E, and -D flags
+ - double-check that the nicknames of keys we get back from
+ PK11_ListPrivKeysInSlot() match the desired nickname before accepting
+ them as matches, so that our tests won't all blow up on EL5
+ - fix dynamic addition and removal of CAs implemented through helpers
+
+* Mon Jun 28 2010 Nalin Dahyabhai 0.24-4
+- init script: ensure that the subsys lock is created whenever we're called to
+ "start" when we're already running (even more of #596719)
+
+* Tue Jun 15 2010 Nalin Dahyabhai 0.24-3
+- more gracefully handle manual daemon startups and cleaning up of unexpected
+ crashes (still more of #596719)
+
+* Thu Jun 10 2010 Nalin Dahyabhai 0.24-2
+- don't create the daemon pidfile until after we've connected to the D-Bus
+ (still more of #596719)
+
+* Tue Jun 8 2010 Nalin Dahyabhai 0.24-1
+- update to 0.24
+ - keep the lock on the pid file, if we have one, when we fork, and cancel
+ daemon startup if we can't gain ownership of the lock (the rest of #596719)
+ - make the man pages note which external configuration files we consult when
+ submitting requests to certmaster and ipa CAs
+
+* Thu May 27 2010 Nalin Dahyabhai 0.23-1
+- update to 0.23
+ - new translations
+ - pl by Piotr Drąg!
+ - cancel daemon startup if we can't gain ownership of our well-known
+ service name on the DBus (#596719)
+
+* Fri May 14 2010 Nalin Dahyabhai 0.22-1
+- update to 0.22
+ - new translations
+ - de by Fabian Affolter!
+ - certmaster-submit: don't fall over when we can't find a certmaster.conf
+ or a minion.conf (i.e., certmaster isn't installed) (#588932)
+ - when reading extension values from certificates, prune out duplicate
+ principal names, email addresses, and hostnames
+
+* Tue May 4 2010 Nalin Dahyabhai 0.21-1
+- update to 0.21
+ - getcert/*-getcert: relay the desired CA to the local service, whether
+ specified on the command line (in getcert) or as a built-in hard-wired
+ default (in *-getcert) (#584983)
+ - flesh out the default certmonger.conf so that people can get a feel for
+ the expected formatting (Jenny Galipeau)
+
+* Wed Apr 21 2010 Nalin Dahyabhai 0.20-1
+- update to 0.20
+ - correctly parse certificate validity periods given in years (spotted by
+ Stephen Gallagher)
+ - setup for translation
+ - es by Héctor Daniel Cabrera!
+ - ru by Yulia Poyarkova!
+ - uk by Yuri Chornoivan!
+ - fix unpreprocessed defaults in certmonger.conf's man page
+ - tweak the IPA-specific message that indicates a principal name also needs
+ to be specified if we're not using the default subject name (#579542)
+ - make the validity period of self-signed certificates into a configuration
+ setting and not a piece of the state information we track about the signer
+ - init script: exit with status 2 instead of 1 when invoked with an
+ unrecognized argument (#584517)
+
+* Tue Mar 23 2010 Nalin Dahyabhai 0.19-1
+- update to 0.19
+ - correctly initialize NSS databases that need to be using a PIN
+ - add certmonger.conf, for customizing notification timings and settings,
+ and use of digests other than the previously-hard-coded SHA256, and
+ drop those settings from individual requests
+ - up the default self-sign validity interval from 30 days to 365 days
+ - drop the first default notification interval from 30 days to 28 days
+ (these two combined to create a fun always-reissuing loop earlier)
+ - record the token which contains the key or certificate when we're
+ storing them in an NSS
database, and report it
+ - improve handling of cases where we're supposed to use a PIN but we
+ either don't have one or we have the wrong one
+ - teach getcert to accept a PIN file's name or a PIN value when adding
+ a new entry
+ - update the IPA submission helper to use the new 'request_cert' signature
+ that's landing soon
+ - more tests
+
+* Fri Feb 12 2010 Nalin Dahyabhai 0.18-1
+- update to 0.18
+ - add support for using encrypted storage for keys, using PIN values
+ supplied directly or read from files whose names are supplied
+ - don't choke on NSS database locations that use the "sql:" or "dbm:"
+ prefix
+
+* Mon Jan 25 2010 Nalin Dahyabhai 0.17-2
+- make the D-Bus configuration file (noreplace) (#541072)
+- make the %%check section and the deps we have just for it conditional on
+ the same macro (#541072)
+
+* Wed Jan 6 2010 Nalin Dahyabhai 0.17-1
+- update to 0.17
+ - fix a hang in the daemon (Rob Crittenden)
+ - documentation updates
+ - fix parsing of submission results from IPA (Rob Crittenden)
+
+* Fri Dec 11 2009 Nalin Dahyabhai 0.16-1
+- update to 0.16
+ - set a umask at startup (Dan Walsh)
+
+* Tue Dec 8 2009 Nalin Dahyabhai 0.15-1
+- update to 0.15
+ - notice that a directory with a trailing '/' is the same location as the
+ directory without it
+ - fix handling of the pid file when we write one (by actually giving it
+ contents)
+
+* Wed Nov 25 2009 Nalin Dahyabhai 0.14-1
+- update to 0.14
+ - check key and certificate location at add-time to make sure they're
+ absolute paths to files or directories, as appropriate
+ - IPA: dig into the 'result' item if the named result value we're looking
+ for isn't in the result struct
+
+* Tue Nov 24 2009 Nalin Dahyabhai 0.13-1
+- update to 0.13
+ - change the default so that we default to trying to auto-refresh
+ certificates unless told otherwise
+ - preemptively enforce limitations on request nicknames so that they
+ make valid D-Bus object path components
+
+* Tue Nov 24 2009 Nalin Dahyabhai 0.12-1
+-
update to 0.12
+ - add a crucial bit of error reporting when CAs reject our requests
+ - count the number of configured CAs correctly
+
+* Mon Nov 23 2009 Nalin Dahyabhai 0.11-1
+- update to 0.11
+ - add XML-RPC submission for certmaster and IPA
+ - prune entries with duplicate names from the data store
+
+* Fri Nov 13 2009 Nalin Dahyabhai 0.10-1
+- update to 0.10
+ - add some compiler warnings and then fix them
+
+* Fri Nov 13 2009 Nalin Dahyabhai 0.9-1
+- update to 0.9
+ - run external submission helpers correctly
+ - fix signing of signing requests generated for keys stored in files
+ - only care about new interface and route notifications from netlink,
+ and ignore notifications that don't come from pid 0
+ - fix logic for determining expiration status
+ - correct the version number in self-signed certificates
+
+* Tue Nov 10 2009 Nalin Dahyabhai 0.8-1
+- update to 0.8
+ - encode windows UPN values in requests correctly
+ - watch for netlink routing changes and restart stalled submission requests
+ - 'getcert resubmit' can force a regeneration of the CSR and submission
+
+* Fri Nov 6 2009 Nalin Dahyabhai 0.7-1
+- update to 0.7
+ - first cut at a getting-started document
+ - refactor some internal key handling with NSS
+ - check for duplicate request nicknames at add-time
+
+* Tue Nov 3 2009 Nalin Dahyabhai 0.6-1
+- update to 0.6
+ - man pages
+ - 'getcert stop-tracking' actually makes the server forget now
+ - 'getcert request -e' was redundant, dropped the -e option
+ - 'getcert request -i' now sets the request nickname
+ - 'getcert start-tracking -i' now sets the request nickname
+
+* Mon Nov 2 2009 Nalin Dahyabhai 0.5-1
+- update to 0.5
+ - packaging fixes
+ - add a selfsign-getcert client
+ - self-signed certs now get basic constraints and their own serial numbers
+ - accept id-ms-kp-sc-logon as a named EKU value in a request
+
+* Thu Oct 29 2009 Nalin Dahyabhai 0.4-1
+- update to 0.4
+
+* Thu Oct 22 2009 Nalin Dahyabhai 0.1-1
+- update to 0.1
+
+* Sun Oct
18 2009 Nalin Dahyabhai 0.0-1
+- initial package