|
 |
10e13a |
From afe1fc05a5da349c3e24e8c96b1e185e4da53613 Mon Sep 17 00:00:00 2001
|
|
|
10e13a |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
10e13a |
Date: Thu, 17 Aug 2017 11:38:43 +1000
|
|
|
10e13a |
Subject: [PATCH] MS cert template: add D-Bus property and storage
|
|
|
10e13a |
|
|
|
10e13a |
Add a D-Bus property and storage for a new template attribute, which
|
|
|
10e13a |
will hold data to be included in CSRs in the MS V2 certificate
|
|
|
10e13a |
template extension.
|
|
|
10e13a |
|
|
|
10e13a |
The server does not validate the extension data (validation
|
|
|
10e13a |
behaviour is implemented in a subsequent commit).
|
|
|
10e13a |
|
|
|
10e13a |
Part of: https://pagure.io/certmonger/issue/78
|
|
|
10e13a |
---
|
|
|
10e13a |
doc/api.txt | 2 ++
|
|
|
10e13a |
src/store-files.c | 10 ++++++++++
|
|
|
10e13a |
src/store-int.h | 1 +
|
|
|
10e13a |
src/tdbus.h | 1 +
|
|
|
10e13a |
src/tdbush.c | 29 ++++++++++++++++++++++++++++-
|
|
|
10e13a |
tests/028-dbus/expected.out | 1 +
|
|
|
10e13a |
6 files changed, 43 insertions(+), 1 deletion(-)
|
|
|
10e13a |
|
|
|
10e13a |
diff --git a/doc/api.txt b/doc/api.txt
|
|
|
10e13a |
index 31016be..83cf375 100644
|
|
|
10e13a |
--- a/doc/api.txt
|
|
|
10e13a |
+++ b/doc/api.txt
|
|
|
10e13a |
@@ -56,6 +56,7 @@ o object layout
|
|
|
10e13a |
{("template-crldp"),array-of-string (CRL distribution point URIs)}
|
|
|
10e13a |
{("template-ns-comment"),string (Netscape comment)}
|
|
|
10e13a |
{("template-profile"),string (certificate profile)}
|
|
|
10e13a |
+ {("template-ms-certificate-template"),string (MS V2 template specifier; format: <oid>:<major-version>[:<minor-version>] )}
|
|
|
10e13a |
{("template-issuer"),string (requested issuer)}
|
|
|
10e13a |
{("template-challenge-password"),string (password to add to CSR)}
|
|
|
10e13a |
{("template-challenge-password-file"),string (password file)
|
|
|
10e13a |
@@ -165,6 +166,7 @@ o object layout
|
|
|
10e13a |
{("template-crldp"),array-of-string (CRL distribution point URIs)}
|
|
|
10e13a |
{("template-ns-comment"),string (Netscape comment)}
|
|
|
10e13a |
{("template-profile"),string (certificate profile)}
|
|
|
10e13a |
+ {("template-ms-certificate-template"),string (MS V2 template specifier; format: <oid>:<major-version>[:<minor-version>] )}
|
|
|
10e13a |
{("template-issuer"),string (requested issuer)}
|
|
|
10e13a |
{("template-challenge-password"),string (password to add to CSR)}
|
|
|
10e13a |
{("template-challenge-password-file"),string (password file)
|
|
|
10e13a |
diff --git a/src/store-files.c b/src/store-files.c
|
|
|
10e13a |
index 889829c..977e896 100644
|
|
|
10e13a |
--- a/src/store-files.c
|
|
|
10e13a |
+++ b/src/store-files.c
|
|
|
10e13a |
@@ -130,6 +130,7 @@ enum cm_store_file_field {
|
|
|
10e13a |
cm_store_entry_field_template_ns_comment,
|
|
|
10e13a |
cm_store_entry_field_template_profile,
|
|
|
10e13a |
cm_store_entry_field_template_issuer,
|
|
|
10e13a |
+ cm_store_entry_field_template_certificate_template,
|
|
|
10e13a |
cm_store_entry_field_template_no_ocsp_check,
|
|
|
10e13a |
cm_store_entry_field_template_ns_certtype,
|
|
|
10e13a |
|
|
|
10e13a |
@@ -305,6 +306,7 @@ static struct cm_store_file_field_list {
|
|
|
10e13a |
{cm_store_entry_field_template_profile, "template_profile"}, /* right */
|
|
|
10e13a |
{cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */
|
|
|
10e13a |
{cm_store_entry_field_template_issuer, "template_issuer"},
|
|
|
10e13a |
+ {cm_store_entry_field_template_certificate_template, "template_certificate_template"},
|
|
|
10e13a |
{cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"},
|
|
|
10e13a |
{cm_store_entry_field_template_ns_certtype, "template_ns_certtype"},
|
|
|
10e13a |
|
|
|
10e13a |
@@ -1129,6 +1131,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp)
|
|
|
10e13a |
case cm_store_entry_field_template_profile:
|
|
|
10e13a |
ret->cm_template_profile = free_if_empty(p);
|
|
|
10e13a |
break;
|
|
|
10e13a |
+ case cm_store_entry_field_template_certificate_template:
|
|
|
10e13a |
+ ret->cm_template_certificate_template = free_if_empty(p);
|
|
|
10e13a |
+ break;
|
|
|
10e13a |
case cm_store_entry_field_template_issuer:
|
|
|
10e13a |
ret->cm_template_issuer = free_if_empty(p);
|
|
|
10e13a |
break;
|
|
|
10e13a |
@@ -1375,6 +1380,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp)
|
|
|
10e13a |
case cm_store_entry_field_template_ocsp_location:
|
|
|
10e13a |
case cm_store_entry_field_template_ns_comment:
|
|
|
10e13a |
case cm_store_entry_field_template_profile:
|
|
|
10e13a |
+ case cm_store_entry_field_template_certificate_template:
|
|
|
10e13a |
case cm_store_entry_field_template_issuer:
|
|
|
10e13a |
case cm_store_entry_field_template_no_ocsp_check:
|
|
|
10e13a |
case cm_store_entry_field_template_ns_certtype:
|
|
|
10e13a |
@@ -1984,6 +1990,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry)
|
|
|
10e13a |
entry->cm_template_no_ocsp_check ? 1 : 0);
|
|
|
10e13a |
cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype,
|
|
|
10e13a |
entry->cm_template_ns_certtype);
|
|
|
10e13a |
+ cm_store_file_write_str(fp, cm_store_entry_field_template_certificate_template,
|
|
|
10e13a |
+ entry->cm_template_certificate_template);
|
|
|
10e13a |
|
|
|
10e13a |
cm_store_file_write_str(fp, cm_store_entry_field_challenge_password,
|
|
|
10e13a |
entry->cm_template_challenge_password);
|
|
|
10e13a |
@@ -2745,6 +2753,8 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry)
|
|
|
10e13a |
ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile);
|
|
|
10e13a |
ret->cm_template_issuer = cm_store_maybe_strdup(ret, entry->cm_template_issuer);
|
|
|
10e13a |
ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check;
|
|
|
10e13a |
+ ret->cm_template_certificate_template =
|
|
|
10e13a |
+ cm_store_maybe_strdup(ret, entry->cm_template_certificate_template);
|
|
|
10e13a |
ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret,
|
|
|
10e13a |
entry->cm_template_ns_certtype);
|
|
|
10e13a |
|
|
|
10e13a |
diff --git a/src/store-int.h b/src/store-int.h
|
|
|
10e13a |
index 2d3a353..98b37e6 100644
|
|
|
10e13a |
--- a/src/store-int.h
|
|
|
10e13a |
+++ b/src/store-int.h
|
|
|
10e13a |
@@ -144,6 +144,7 @@ struct cm_store_entry {
|
|
|
10e13a |
char *cm_template_profile;
|
|
|
10e13a |
char *cm_template_issuer;
|
|
|
10e13a |
char *cm_template_ns_certtype;
|
|
|
10e13a |
+ char *cm_template_certificate_template;
|
|
|
10e13a |
unsigned int cm_template_no_ocsp_check: 1;
|
|
|
10e13a |
/* A challenge password, which may be included (in cleartext form!) in
|
|
|
10e13a |
* a CSR. */
|
|
|
10e13a |
diff --git a/src/tdbus.h b/src/tdbus.h
|
|
|
10e13a |
index 496f2dd..7164f11 100644
|
|
|
10e13a |
--- a/src/tdbus.h
|
|
|
10e13a |
+++ b/src/tdbus.h
|
|
|
10e13a |
@@ -110,6 +110,7 @@
|
|
|
10e13a |
#define CM_DBUS_PROP_TEMPLATE_PROFILE "template-profile"
|
|
|
10e13a |
#define CM_DBUS_PROP_TEMPLATE_ISSUER "template-issuer"
|
|
|
10e13a |
#define CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE "template-ns-certtype"
|
|
|
10e13a |
+#define CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE "template-ms-certificate-template"
|
|
|
10e13a |
#define CM_DBUS_SIGNAL_REQUEST_CERT_SAVED "SavedCertificate"
|
|
|
10e13a |
#define CM_DBUS_PROP_CA_PRESAVE_COMMAND "ca-presave-command"
|
|
|
10e13a |
#define CM_DBUS_PROP_CA_PRESAVE_UID "ca-presave-uid"
|
|
|
10e13a |
diff --git a/src/tdbush.c b/src/tdbush.c
|
|
|
10e13a |
index 631da3e..94bf793 100644
|
|
|
10e13a |
--- a/src/tdbush.c
|
|
|
10e13a |
+++ b/src/tdbush.c
|
|
|
10e13a |
@@ -1568,6 +1568,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
|
|
|
10e13a |
new_entry->cm_template_issuer = maybe_strdup(new_entry,
|
|
|
10e13a |
param->value.s);
|
|
|
10e13a |
}
|
|
|
10e13a |
+ param = cm_tdbusm_find_dict_entry(d,
|
|
|
10e13a |
+ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
|
|
|
10e13a |
+ cm_tdbusm_dict_s);
|
|
|
10e13a |
+ if (param != NULL) {
|
|
|
10e13a |
+ // TODO check validity
|
|
|
10e13a |
+ new_entry->cm_template_certificate_template = maybe_strdup(new_entry,
|
|
|
10e13a |
+ param->value.s);
|
|
|
10e13a |
+ }
|
|
|
10e13a |
param = cm_tdbusm_find_dict_entry(d,
|
|
|
10e13a |
CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD,
|
|
|
10e13a |
cm_tdbusm_dict_s);
|
|
|
10e13a |
@@ -3320,6 +3328,17 @@ request_modify(DBusConnection *conn, DBusMessage *msg,
|
|
|
10e13a |
propname[n_propname++] = CM_DBUS_PROP_TEMPLATE_ISSUER;
|
|
|
10e13a |
}
|
|
|
10e13a |
} else
|
|
|
10e13a |
+ if ((param->value_type == cm_tdbusm_dict_s) &&
|
|
|
10e13a |
+ (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE) == 0)) {
|
|
|
10e13a |
+ talloc_free(entry->cm_template_certificate_template);
|
|
|
10e13a |
+ // TODO check validity
|
|
|
10e13a |
+ entry->cm_template_certificate_template =
|
|
|
10e13a |
+ maybe_strdup(entry, param->value.s);
|
|
|
10e13a |
+ if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) {
|
|
|
10e13a |
+ propname[n_propname++] =
|
|
|
10e13a |
+ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE;
|
|
|
10e13a |
+ }
|
|
|
10e13a |
+ } else
|
|
|
10e13a |
if ((param->value_type == cm_tdbusm_dict_s) &&
|
|
|
10e13a |
(strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD) == 0)) {
|
|
|
10e13a |
talloc_free(entry->cm_template_challenge_password);
|
|
|
10e13a |
@@ -6734,6 +6753,14 @@ cm_tdbush_iface_request(void)
|
|
|
10e13a |
offsetof(struct cm_store_entry, cm_template_issuer),
|
|
|
10e13a |
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
|
|
|
10e13a |
NULL),
|
|
|
10e13a |
+ make_interface_item(cm_tdbush_interface_property,
|
|
|
10e13a |
+ make_property(CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
|
|
|
10e13a |
+ cm_tdbush_property_string,
|
|
|
10e13a |
+ cm_tdbush_property_readwrite,
|
|
|
10e13a |
+ cm_tdbush_property_char_p,
|
|
|
10e13a |
+ offsetof(struct cm_store_entry, cm_template_certificate_template),
|
|
|
10e13a |
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
|
|
|
10e13a |
+ NULL),
|
|
|
10e13a |
make_interface_item(cm_tdbush_interface_property,
|
|
|
10e13a |
make_property(CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE,
|
|
|
10e13a |
cm_tdbush_property_string,
|
|
|
10e13a |
@@ -7179,7 +7206,7 @@ cm_tdbush_iface_request(void)
|
|
|
10e13a |
make_interface_item(cm_tdbush_interface_signal,
|
|
|
10e13a |
make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED,
|
|
|
10e13a |
NULL),
|
|
|
10e13a |
- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
|
|
|
10e13a |
+ NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
|
|
|
10e13a |
}
|
|
|
10e13a |
return ret;
|
|
|
10e13a |
}
|
|
|
10e13a |
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
|
|
|
10e13a |
index 93cc4d1..8a81a7f 100644
|
|
|
10e13a |
--- a/tests/028-dbus/expected.out
|
|
|
10e13a |
+++ b/tests/028-dbus/expected.out
|
|
|
10e13a |
@@ -330,6 +330,7 @@ OK
|
|
|
10e13a |
<property name="template-ns-comment" type="s" access="readwrite"/>
|
|
|
10e13a |
<property name="template-profile" type="s" access="readwrite"/>
|
|
|
10e13a |
<property name="template-issuer" type="s" access="readwrite"/>
|
|
|
10e13a |
+ <property name="template-ms-certificate-template" type="s" access="readwrite"/>
|
|
|
10e13a |
<property name="template-ns-certtype" type="s" access="readwrite"/>
|
|
|
10e13a |
<property name="template-challenge-password" type="s" access="readwrite"/>
|
|
|
10e13a |
<property name="template-challenge-password-file" type="s" access="readwrite"/>
|
|
|
10e13a |
--
|
|
|
10e13a |
2.14.4
|
|
|
10e13a |
|