|
 |
5e5f7c |
From 0aa25dc4f8c44434e3f28a7fe25a72c0871ac13b Mon Sep 17 00:00:00 2001
|
|
|
5e5f7c |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
5e5f7c |
Date: Wed, 29 Apr 2020 16:50:16 -0400
|
|
|
5e5f7c |
Subject: [PATCH 33/39] Improve logging in SCEP helper
|
|
|
5e5f7c |
|
|
|
5e5f7c |
Always check return value of cm_pkcs7_verify_signed() and return
|
|
|
5e5f7c |
a unique error message.
|
|
|
5e5f7c |
|
|
|
5e5f7c |
Change log level from 1 to 0 for all errors in scep.c and pkcs7.c
|
|
|
5e5f7c |
so they appear by default.
|
|
|
5e5f7c |
|
|
|
5e5f7c |
Centralize logging across scep.c and pkcs7.c to reduce code
|
|
|
5e5f7c |
duplication.
|
|
|
5e5f7c |
|
|
|
5e5f7c |
Check the return code to cm_pkcs7_verify_signed in all cases.
|
|
|
5e5f7c |
|
|
|
5e5f7c |
Add the last available message, if any, to the error returned
|
|
|
5e5f7c |
via stdout to certmonger as a hint to what is going on.
|
|
|
5e5f7c |
---
|
|
|
5e5f7c |
src/pkcs7.c | 111 +++++++++++++++++++++++++++---------------------
|
|
|
5e5f7c |
src/pkcs7.h | 2 +
|
|
|
5e5f7c |
src/scep.c | 59 ++++++++++---------------
|
|
|
5e5f7c |
src/scepgen-n.c | 28 ++++++------
|
|
|
5e5f7c |
src/scepgen-o.c | 72 ++++++++++++++++---------------
|
|
|
5e5f7c |
src/scepgen.c | 2 +-
|
|
|
5e5f7c |
6 files changed, 140 insertions(+), 134 deletions(-)
|
|
|
5e5f7c |
|
|
|
5e5f7c |
diff --git a/src/pkcs7.c b/src/pkcs7.c
|
|
|
5e5f7c |
index 6de1775..29420b9 100644
|
|
|
5e5f7c |
--- a/src/pkcs7.c
|
|
|
5e5f7c |
+++ b/src/pkcs7.c
|
|
|
5e5f7c |
@@ -274,6 +274,25 @@ cm_pkcs7_parse_buffer(const unsigned char *buffer, size_t length,
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
+void
|
|
|
5e5f7c |
+log_pkcs7_errors(int level, char *msg)
|
|
|
5e5f7c |
+{
|
|
|
5e5f7c |
+ char buf[LINE_MAX] = "";
|
|
|
5e5f7c |
+ long error;
|
|
|
5e5f7c |
+ int nss_err;
|
|
|
5e5f7c |
+
|
|
|
5e5f7c |
+ cm_log(level, "%s\n", msg);
|
|
|
5e5f7c |
+ while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
+ memset(buf, '\0', sizeof(buf));
|
|
|
5e5f7c |
+ ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
+ cm_log(level, "%s\n", buf);
|
|
|
5e5f7c |
+ }
|
|
|
5e5f7c |
+ nss_err = PORT_GetError();
|
|
|
5e5f7c |
+ if (nss_err < 0) {
|
|
|
5e5f7c |
+ cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
|
|
|
5e5f7c |
+ }
|
|
|
5e5f7c |
+}
|
|
|
5e5f7c |
+
|
|
|
5e5f7c |
int
|
|
|
5e5f7c |
cm_pkcs7_parsev(unsigned int flags, void *parent,
|
|
|
5e5f7c |
char **certleaf, char **certtop, char ***certothers,
|
|
|
5e5f7c |
@@ -520,26 +539,26 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
|
|
|
5e5f7c |
|
|
|
5e5f7c |
in = BIO_new_mem_buf(encryption_cert, -1);
|
|
|
5e5f7c |
if (in == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
recipient = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
|
|
5e5f7c |
if (recipient == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error parsing recipient certificate.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error parsing recipient certificate.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
BIO_free(in);
|
|
|
5e5f7c |
|
|
|
5e5f7c |
recipients = sk_X509_new(util_o_cert_cmp);
|
|
|
5e5f7c |
if (recipients == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
sk_X509_push(recipients, recipient);
|
|
|
5e5f7c |
|
|
|
5e5f7c |
in = BIO_new_mem_buf(data, dlength);
|
|
|
5e5f7c |
if (in == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
p7 = PKCS7_encrypt(recipients, in, cm_prefs_ossl_cipher_by_pref(cipher),
|
|
|
5e5f7c |
@@ -547,22 +566,22 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
|
|
|
5e5f7c |
BIO_free(in);
|
|
|
5e5f7c |
|
|
|
5e5f7c |
if (p7 == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error encrypting signing request.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error encrypting signing request.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
len = i2d_PKCS7(p7, NULL);
|
|
|
5e5f7c |
if (len < 0) {
|
|
|
5e5f7c |
- cm_log(1, "Error encoding encrypted signing request.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
dp7 = malloc(len);
|
|
|
5e5f7c |
if (dp7 == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
u = dp7;
|
|
|
5e5f7c |
if (i2d_PKCS7(p7, &u) != len) {
|
|
|
5e5f7c |
- cm_log(1, "Error encoding encrypted signing request.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
*enveloped = dp7;
|
|
|
5e5f7c |
@@ -593,29 +612,29 @@ cm_pkcs7_envelope_csr(char *encryption_cert, enum cm_prefs_cipher cipher,
|
|
|
5e5f7c |
|
|
|
5e5f7c |
in = BIO_new_mem_buf(csr, -1);
|
|
|
5e5f7c |
if (in == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
|
|
|
5e5f7c |
BIO_free(in);
|
|
|
5e5f7c |
if (req == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error parsing certificate signing request.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error parsing certificate signing request.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
dlen = i2d_X509_REQ(req, NULL);
|
|
|
5e5f7c |
if (dlen < 0) {
|
|
|
5e5f7c |
- cm_log(1, "Error encoding certificate signing request.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
dreq = malloc(dlen);
|
|
|
5e5f7c |
if (dreq == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
u = dreq;
|
|
|
5e5f7c |
if (i2d_X509_REQ(req, &u) != dlen) {
|
|
|
5e5f7c |
- cm_log(1, "Error encoding certificate signing request.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
ret = cm_pkcs7_envelope_data(encryption_cert, cipher, dreq, dlen,
|
|
|
5e5f7c |
@@ -671,59 +690,61 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
|
|
|
5e5f7c |
|
|
|
5e5f7c |
in = BIO_new_mem_buf(cacert, -1);
|
|
|
5e5f7c |
if (in == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
ca = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
|
|
5e5f7c |
BIO_free(in);
|
|
|
5e5f7c |
if (ca == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error parsing CA certificate.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error parsing CA certificate.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
in = BIO_new_mem_buf(minicert, -1);
|
|
|
5e5f7c |
if (in == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
mini = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
|
|
5e5f7c |
BIO_free(in);
|
|
|
5e5f7c |
if (mini == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error parsing client certificate.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error parsing client certificate.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
issuerlen = i2d_X509_NAME(X509_get_issuer_name(ca), NULL);
|
|
|
5e5f7c |
if (issuerlen < 0) {
|
|
|
5e5f7c |
- cm_log(1, "Error encoding CA certificate issuer name.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error encoding CA certificate issuer name.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
issuer = malloc(issuerlen);
|
|
|
5e5f7c |
if (issuer == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
u = issuer;
|
|
|
5e5f7c |
if (i2d_X509_NAME(X509_get_issuer_name(ca), &u) != issuerlen) {
|
|
|
5e5f7c |
- cm_log(1, "Error encoding CA certificate issuer name.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error encoding CA certificate issuer name.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
subjectlen = i2d_X509_NAME(X509_get_subject_name(mini), NULL);
|
|
|
5e5f7c |
if (subjectlen < 0) {
|
|
|
5e5f7c |
- cm_log(1, "Error encoding client certificate subject name.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error encoding client certificate subject name.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
subject = malloc(subjectlen);
|
|
|
5e5f7c |
if (subject == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
u = subject;
|
|
|
5e5f7c |
if (i2d_X509_NAME(X509_get_subject_name(mini), &u) != subjectlen) {
|
|
|
5e5f7c |
- cm_log(1, "Error encoding client certificate subject name.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error encoding client certificate subject name.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
+ PORT_SetError(0);
|
|
|
5e5f7c |
+ ERR_clear_error();
|
|
|
5e5f7c |
memset(&issuerandsubject, 0, sizeof(issuerandsubject));
|
|
|
5e5f7c |
issuerandsubject.issuer.data = issuer;
|
|
|
5e5f7c |
issuerandsubject.issuer.len = issuerlen;
|
|
|
5e5f7c |
@@ -731,7 +752,7 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
|
|
|
5e5f7c |
issuerandsubject.subject.len = subjectlen;
|
|
|
5e5f7c |
if (SEC_ASN1EncodeItem(NULL, &encoded, &issuerandsubject,
|
|
|
5e5f7c |
cm_pkcs7_ias_template) != &encoded) {
|
|
|
5e5f7c |
- cm_log(1, "Error encoding issuer and subject names.\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error encoding issuer and subject names.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
*ias = malloc(encoded.len);
|
|
|
5e5f7c |
@@ -948,28 +969,28 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
u = data;
|
|
|
5e5f7c |
p7 = d2i_PKCS7(NULL, &u, length);
|
|
|
5e5f7c |
if ((p7 == NULL) || (u != data + length)) {
|
|
|
5e5f7c |
- cm_log(1, "Error parsing what should be PKCS#7 signed-data.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error parsing what should be PKCS#7 signed-data.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if ((p7->type == NULL) || (OBJ_obj2nid(p7->type) != NID_pkcs7_signed)) {
|
|
|
5e5f7c |
- cm_log(1, "PKCS#7 data is not signed-data.\n");
|
|
|
5e5f7c |
+ cm_log(0, "PKCS#7 data is not signed-data.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
store = X509_STORE_new();
|
|
|
5e5f7c |
if (store == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors);
|
|
|
5e5f7c |
certs = sk_X509_new(util_o_cert_cmp);
|
|
|
5e5f7c |
if (certs == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
for (i = 0; (roots != NULL) && (roots[i] != NULL); i++) {
|
|
|
5e5f7c |
s = talloc_strdup(parent, roots[i]);
|
|
|
5e5f7c |
if (s == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
/* In case one of these is multiple PEM certificates
|
|
|
5e5f7c |
@@ -990,13 +1011,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
in = BIO_new_mem_buf(p, q - p);
|
|
|
5e5f7c |
if (in == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
|
|
5e5f7c |
BIO_free(in);
|
|
|
5e5f7c |
if (x == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error parsing chain certificate.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error parsing chain certificate.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
X509_STORE_add_cert(store, x);
|
|
|
5e5f7c |
@@ -1008,7 +1029,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
for (i = 0; (othercerts != NULL) && (othercerts[i] != NULL); i++) {
|
|
|
5e5f7c |
s = talloc_strdup(parent, othercerts[i]);
|
|
|
5e5f7c |
if (s == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
/* In case one of these is multiple PEM certificates
|
|
|
5e5f7c |
@@ -1028,13 +1049,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
in = BIO_new_mem_buf(p, q - p);
|
|
|
5e5f7c |
if (in == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
|
|
5e5f7c |
BIO_free(in);
|
|
|
5e5f7c |
if (x == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error parsing chain certificate.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error parsing chain certificate.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
sk_X509_push(certs, x);
|
|
|
5e5f7c |
@@ -1044,7 +1065,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
out = BIO_new(BIO_s_mem());
|
|
|
5e5f7c |
if (out == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if (roots != NULL) {
|
|
|
5e5f7c |
@@ -1057,19 +1078,19 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
for (i = 0; i < sk_X509_num(certs); i++) {
|
|
|
5e5f7c |
x = X509_dup(sk_X509_value(certs, i));
|
|
|
5e5f7c |
if (x == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
PKCS7_add_certificate(p7, x);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) {
|
|
|
5e5f7c |
- cm_log(1, "Message failed verification.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Message failed verification.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
p7s = p7->d.sign;
|
|
|
5e5f7c |
if (sk_PKCS7_SIGNER_INFO_num(p7s->signer_info) != 1) {
|
|
|
5e5f7c |
- cm_log(1, "Number of PKCS#7 signed-data signers != 1.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Number of PKCS#7 signed-data signers != 1.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
si = sk_PKCS7_SIGNER_INFO_value(p7s->signer_info, 0);
|
|
|
5e5f7c |
@@ -1077,12 +1098,12 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
encapsulated = p7s->contents;
|
|
|
5e5f7c |
if (expected_content_type != NID_undef) {
|
|
|
5e5f7c |
if (encapsulated == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error parsing PKCS#7 encapsulated content.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error parsing PKCS#7 encapsulated content.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if ((encapsulated->type == NULL) ||
|
|
|
5e5f7c |
(OBJ_obj2nid(encapsulated->type) != expected_content_type)) {
|
|
|
5e5f7c |
- cm_log(1, "PKCS#7 encapsulated data is not %s (%s).\n",
|
|
|
5e5f7c |
+ cm_log(0, "PKCS#7 encapsulated data is not %s (%s).\n",
|
|
|
5e5f7c |
OBJ_nid2ln(expected_content_type),
|
|
|
5e5f7c |
encapsulated->type ?
|
|
|
5e5f7c |
OBJ_nid2ln(OBJ_obj2nid(encapsulated->type)) :
|
|
|
5e5f7c |
@@ -1091,7 +1112,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if (attrs == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "PKCS#7 signed-data contains no signed attributes.\n");
|
|
|
5e5f7c |
+ cm_log(0, "PKCS#7 signed-data contains no signed attributes.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
ret = 0;
|
|
|
5e5f7c |
@@ -1146,7 +1167,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
if (*payload_length > 0) {
|
|
|
5e5f7c |
*payload = talloc_size(parent, *payload_length + 1);
|
|
|
5e5f7c |
if (*payload == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
goto done;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
memcpy(*payload, s, *payload_length);
|
|
|
5e5f7c |
@@ -1154,12 +1175,6 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
done:
|
|
|
5e5f7c |
- if (ret != 0) {
|
|
|
5e5f7c |
- while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
- ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
- }
|
|
|
5e5f7c |
- }
|
|
|
5e5f7c |
if (p7 != NULL) {
|
|
|
5e5f7c |
PKCS7_free(p7);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
diff --git a/src/pkcs7.h b/src/pkcs7.h
|
|
|
5e5f7c |
index 097f7ca..fae52f8 100644
|
|
|
5e5f7c |
--- a/src/pkcs7.h
|
|
|
5e5f7c |
+++ b/src/pkcs7.h
|
|
|
5e5f7c |
@@ -63,4 +63,6 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
|
|
5e5f7c |
size_t *recipient_nonce_length,
|
|
|
5e5f7c |
unsigned char **payload, size_t *payload_length);
|
|
|
5e5f7c |
|
|
|
5e5f7c |
+void log_pkcs7_errors(int level, char *msg);
|
|
|
5e5f7c |
+
|
|
|
5e5f7c |
#endif
|
|
|
5e5f7c |
diff --git a/src/scep.c b/src/scep.c
|
|
|
5e5f7c |
index b37711c..0b8bef9 100644
|
|
|
5e5f7c |
--- a/src/scep.c
|
|
|
5e5f7c |
+++ b/src/scep.c
|
|
|
5e5f7c |
@@ -428,11 +428,15 @@ main(int argc, const char **argv)
|
|
|
5e5f7c |
if ((rekey_message != NULL) && (strlen(rekey_message) != 0)) {
|
|
|
5e5f7c |
tmp1 = cm_submit_u_base64_from_text(rekey_message);
|
|
|
5e5f7c |
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
|
|
|
5e5f7c |
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
|
|
5e5f7c |
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
|
|
5e5f7c |
NULL, NULL, NID_pkcs7_data, ctx, NULL,
|
|
|
5e5f7c |
NULL, &msgtype, NULL, NULL,
|
|
|
5e5f7c |
NULL, NULL,
|
|
|
5e5f7c |
NULL, NULL, NULL, NULL);
|
|
|
5e5f7c |
+ if (i != 0) {
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
|
|
|
5e5f7c |
+ "rekey PKCSReq.\n");
|
|
|
5e5f7c |
+ }
|
|
|
5e5f7c |
if ((msgtype == NULL) ||
|
|
|
5e5f7c |
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
|
|
|
5e5f7c |
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
|
|
|
5e5f7c |
@@ -454,11 +458,15 @@ main(int argc, const char **argv)
|
|
|
5e5f7c |
if ((message != NULL) && (strlen(message) != 0)) {
|
|
|
5e5f7c |
tmp1 = cm_submit_u_base64_from_text(message);
|
|
|
5e5f7c |
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
|
|
|
5e5f7c |
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
|
|
5e5f7c |
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
|
|
5e5f7c |
NULL, NULL, NID_pkcs7_data, ctx, NULL,
|
|
|
5e5f7c |
&sent_tx, &msgtype, NULL, NULL,
|
|
|
5e5f7c |
&sent_nonce, &sent_nonce_length,
|
|
|
5e5f7c |
NULL, NULL, NULL, NULL);
|
|
|
5e5f7c |
+ if (i != 0) {
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
|
|
|
5e5f7c |
+ "message.\n");
|
|
|
5e5f7c |
+ }
|
|
|
5e5f7c |
if ((msgtype == NULL) ||
|
|
|
5e5f7c |
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
|
|
|
5e5f7c |
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
|
|
|
5e5f7c |
@@ -933,14 +941,16 @@ main(int argc, const char **argv)
|
|
|
5e5f7c |
&payload, &payload_length);
|
|
|
5e5f7c |
if (i != 0) {
|
|
|
5e5f7c |
printf(_("Error: failed to verify signature on "
|
|
|
5e5f7c |
- "server response.\n"));
|
|
|
5e5f7c |
- cm_log(1, "Error: failed to verify signature on "
|
|
|
5e5f7c |
- "server response.\n");
|
|
|
5e5f7c |
- while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
+ "server response. "));
|
|
|
5e5f7c |
+ error = ERR_peek_last_error();
|
|
|
5e5f7c |
+ if (error != 0) {
|
|
|
5e5f7c |
memset(buf, '\0', sizeof(buf));
|
|
|
5e5f7c |
ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
+ printf("%s", buf);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
+ printf("\n");
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
|
|
|
5e5f7c |
+ "server response.\n");
|
|
|
5e5f7c |
s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
|
|
|
5e5f7c |
results_length2);
|
|
|
5e5f7c |
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
|
|
5e5f7c |
@@ -1050,26 +1060,7 @@ main(int argc, const char **argv)
|
|
|
5e5f7c |
p7 = d2i_PKCS7(NULL, &u, payload_length);
|
|
|
5e5f7c |
if (p7 == NULL) {
|
|
|
5e5f7c |
printf(_("Error: couldn't parse signed-data.\n"));
|
|
|
5e5f7c |
- while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
- memset(buf, '\0', sizeof(buf));
|
|
|
5e5f7c |
- ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
- }
|
|
|
5e5f7c |
- s = cm_store_base64_from_bin(ctx,
|
|
|
5e5f7c |
- (unsigned char *) results2,
|
|
|
5e5f7c |
- results_length2);
|
|
|
5e5f7c |
- s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
|
|
5e5f7c |
- fprintf(stderr, "Full reply:\n%s", s);
|
|
|
5e5f7c |
- free(s);
|
|
|
5e5f7c |
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
|
|
5e5f7c |
- }
|
|
|
5e5f7c |
- if (!PKCS7_type_is_enveloped(p7)) {
|
|
|
5e5f7c |
- printf(_("Error: signed-data payload is not enveloped-data.\n"));
|
|
|
5e5f7c |
- while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
- memset(buf, '\0', sizeof(buf));
|
|
|
5e5f7c |
- ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
- }
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error: couldn't parse signed-data.\n");
|
|
|
5e5f7c |
s = cm_store_base64_from_bin(ctx,
|
|
|
5e5f7c |
(unsigned char *) results2,
|
|
|
5e5f7c |
results_length2);
|
|
|
5e5f7c |
@@ -1080,11 +1071,8 @@ main(int argc, const char **argv)
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if (!PKCS7_type_is_enveloped(p7)) {
|
|
|
5e5f7c |
printf(_("Error: signed-data payload is not enveloped-data.\n"));
|
|
|
5e5f7c |
- while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
- memset(buf, '\0', sizeof(buf));
|
|
|
5e5f7c |
- ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
- }
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error: signed-data payload is not "
|
|
|
5e5f7c |
+ "enveloped-data.\n");
|
|
|
5e5f7c |
s = cm_store_base64_from_bin(ctx,
|
|
|
5e5f7c |
(unsigned char *) results2,
|
|
|
5e5f7c |
results_length2);
|
|
|
5e5f7c |
@@ -1098,11 +1086,8 @@ main(int argc, const char **argv)
|
|
|
5e5f7c |
(p7->d.enveloped->enc_data->content_type == NULL) ||
|
|
|
5e5f7c |
(OBJ_obj2nid(p7->d.enveloped->enc_data->content_type) != NID_pkcs7_data)) {
|
|
|
5e5f7c |
printf(_("Error: enveloped-data payload is not data.\n"));
|
|
|
5e5f7c |
- while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
- memset(buf, '\0', sizeof(buf));
|
|
|
5e5f7c |
- ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
- }
|
|
|
5e5f7c |
+ log_pkcs7_errors(0, "Error: enveloped-data payload is "
|
|
|
5e5f7c |
+ "not data.\n");
|
|
|
5e5f7c |
s = cm_store_base64_from_bin(ctx,
|
|
|
5e5f7c |
(unsigned char *) results2,
|
|
|
5e5f7c |
results_length2);
|
|
|
5e5f7c |
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
|
|
|
5e5f7c |
index 8c67b12..ce73c31 100644
|
|
|
5e5f7c |
--- a/src/scepgen-n.c
|
|
|
5e5f7c |
+++ b/src/scepgen-n.c
|
|
|
5e5f7c |
@@ -86,14 +86,14 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
|
|
|
5e5f7c |
return;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if (sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info) != 1) {
|
|
|
5e5f7c |
- cm_log(1, "More than one signer, not sure what to do.\n");
|
|
|
5e5f7c |
+ cm_log(0, "More than one signer, not sure what to do.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
|
|
|
5e5f7c |
salen = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, NULL, &PKCS7_ATTR_SIGN_it);
|
|
|
5e5f7c |
u = sabuf = malloc(salen);
|
|
|
5e5f7c |
if (sabuf == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
/* ASN1_item_i2d doesn't actually modify the passed-in pointer, which
|
|
|
5e5f7c |
@@ -101,7 +101,7 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
|
|
|
5e5f7c |
* that ourselves. */
|
|
|
5e5f7c |
l = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, &u, &PKCS7_ATTR_SIGN_it);
|
|
|
5e5f7c |
if (l != salen) {
|
|
|
5e5f7c |
- cm_log(1, "Error encoding attributes.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error encoding attributes.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
@@ -109,12 +109,12 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
|
|
|
5e5f7c |
digalg = cm_submit_n_tag_from_nid(OBJ_obj2nid(sinfo->digest_alg->algorithm));
|
|
|
5e5f7c |
sigalg = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digalg);
|
|
|
5e5f7c |
if (sigalg == SEC_OID_UNKNOWN) {
|
|
|
5e5f7c |
- cm_log(1, "Unable to match digest algorithm and key.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Unable to match digest algorithm and key.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if (SEC_SignData(&signature, sabuf, salen, privkey,
|
|
|
5e5f7c |
sigalg) != SECSuccess) {
|
|
|
5e5f7c |
- cm_log(1, "Error re-signing: %s.\n",
|
|
|
5e5f7c |
+ cm_log(0, "Error re-signing: %s.\n",
|
|
|
5e5f7c |
PR_ErrorToName(PORT_GetError()));
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
@@ -143,7 +143,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
if (ca->cm_ca_encryption_cert == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Can't generate new SCEP request data without "
|
|
|
5e5f7c |
+ cm_log(0, "Can't generate new SCEP request data without "
|
|
|
5e5f7c |
"the RA/CA encryption certificate.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
@@ -166,12 +166,12 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
fprintf(status, "Error opening database "
|
|
|
5e5f7c |
"'%s': %s.\n",
|
|
|
5e5f7c |
entry->cm_key_storage_location, es);
|
|
|
5e5f7c |
- cm_log(1, "Error opening database '%s': %s.\n",
|
|
|
5e5f7c |
+ cm_log(0, "Error opening database '%s': %s.\n",
|
|
|
5e5f7c |
entry->cm_key_storage_location, es);
|
|
|
5e5f7c |
} else {
|
|
|
5e5f7c |
fprintf(status, "Error opening database '%s'.\n",
|
|
|
5e5f7c |
entry->cm_key_storage_location);
|
|
|
5e5f7c |
- cm_log(1, "Error opening database '%s'.\n",
|
|
|
5e5f7c |
+ cm_log(0, "Error opening database '%s'.\n",
|
|
|
5e5f7c |
entry->cm_key_storage_location);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
switch (ec) {
|
|
|
5e5f7c |
@@ -190,7 +190,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
NSS_INIT_NOROOTINIT);
|
|
|
5e5f7c |
reason = util_n_fips_hook();
|
|
|
5e5f7c |
if (reason != NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
|
|
|
5e5f7c |
+ cm_log(0, "Error putting NSS into FIPS mode: %s\n", reason);
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
@@ -198,23 +198,23 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
cm_log(1, "Generating dummy key.\n");
|
|
|
5e5f7c |
key = EVP_PKEY_new();
|
|
|
5e5f7c |
if (key == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error allocating new key.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error allocating new key.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
exponent = BN_new();
|
|
|
5e5f7c |
if (exponent == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error setting up exponent.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error setting up exponent.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
BN_set_word(exponent, CM_DEFAULT_RSA_EXPONENT);
|
|
|
5e5f7c |
rsa = RSA_new();
|
|
|
5e5f7c |
if (rsa == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error allocating new RSA key.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error allocating new RSA key.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
retry_gen:
|
|
|
5e5f7c |
if (RSA_generate_key_ex(rsa, CM_DEFAULT_PUBKEY_SIZE, exponent, NULL) != 1) {
|
|
|
5e5f7c |
- cm_log(1, "Error generating key.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error generating key.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if (RSA_check_key(rsa) != 1) { /* should be unnecessary */
|
|
|
5e5f7c |
@@ -228,7 +228,7 @@ retry_gen:
|
|
|
5e5f7c |
if ((keys->privkey->keyType != rsaKey) ||
|
|
|
5e5f7c |
((keys->privkey_next != NULL) &&
|
|
|
5e5f7c |
(keys->privkey_next->keyType != rsaKey))) {
|
|
|
5e5f7c |
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
diff --git a/src/scepgen-o.c b/src/scepgen-o.c
|
|
|
5e5f7c |
index 010abb7..a431815 100644
|
|
|
5e5f7c |
--- a/src/scepgen-o.c
|
|
|
5e5f7c |
+++ b/src/scepgen-o.c
|
|
|
5e5f7c |
@@ -76,14 +76,14 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
|
|
|
5e5f7c |
keyfp = fopen(filename, "r");
|
|
|
5e5f7c |
if (keyfp == NULL) {
|
|
|
5e5f7c |
if (errno != ENOENT) {
|
|
|
5e5f7c |
- cm_log(1, "Error opening key file \"%s\" "
|
|
|
5e5f7c |
+ cm_log(0, "Error opening key file \"%s\" "
|
|
|
5e5f7c |
"for reading: %s.\n",
|
|
|
5e5f7c |
filename, strerror(errno));
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if (cm_pin_read_for_key(entry, &pin) != 0) {
|
|
|
5e5f7c |
- cm_log(1, "Internal error reading key encryption PIN.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Internal error reading key encryption PIN.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_ERROR_AUTH);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
memset(&cb_data, 0, sizeof(cb_data));
|
|
|
5e5f7c |
@@ -93,24 +93,24 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
|
|
|
5e5f7c |
cm_pin_read_for_key_ossl_cb, &cb_data);
|
|
|
5e5f7c |
if (pkey == NULL) {
|
|
|
5e5f7c |
error = errno;
|
|
|
5e5f7c |
- cm_log(1, "Error reading private key '%s': %s.\n",
|
|
|
5e5f7c |
+ cm_log(0, "Error reading private key '%s': %s.\n",
|
|
|
5e5f7c |
filename, strerror(error));
|
|
|
5e5f7c |
while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
+ cm_log(0, "%s\n", buf);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
|
|
|
5e5f7c |
} else {
|
|
|
5e5f7c |
if ((pin != NULL) &&
|
|
|
5e5f7c |
(strlen(pin) > 0) &&
|
|
|
5e5f7c |
(cb_data.n_attempts == 0)) {
|
|
|
5e5f7c |
- cm_log(1, "PIN was not needed to read private "
|
|
|
5e5f7c |
+ cm_log(0, "PIN was not needed to read private "
|
|
|
5e5f7c |
"key '%s', though one was provided. "
|
|
|
5e5f7c |
"Treating this as an error.\n",
|
|
|
5e5f7c |
filename);
|
|
|
5e5f7c |
while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
+ cm_log(0, "%s\n", buf);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
@@ -127,13 +127,13 @@ cert_from_pem(char *pem, struct cm_store_entry *entry)
|
|
|
5e5f7c |
if ((pem != NULL) && (strlen(pem) > 0)) {
|
|
|
5e5f7c |
in = BIO_new_mem_buf(pem, -1);
|
|
|
5e5f7c |
if (in == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
|
|
5e5f7c |
BIO_free(in);
|
|
|
5e5f7c |
if (cert == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error parsing certificate \"%s\".\n", pem);
|
|
|
5e5f7c |
+ cm_log(0, "Error parsing certificate \"%s\".\n", pem);
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
return cert;
|
|
|
5e5f7c |
@@ -155,19 +155,19 @@ certs_from_nickcerts(struct cm_nickcert **list)
|
|
|
5e5f7c |
if ((this->cm_cert != NULL) && (strlen(this->cm_cert) > 0)) {
|
|
|
5e5f7c |
in = BIO_new_mem_buf(this->cm_cert, -1);
|
|
|
5e5f7c |
if (in == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
|
|
5e5f7c |
BIO_free(in);
|
|
|
5e5f7c |
if (cert == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error parsing certificate.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error parsing certificate.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if (sk == NULL) {
|
|
|
5e5f7c |
sk = sk_X509_new(util_o_cert_cmp);
|
|
|
5e5f7c |
if (sk == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
@@ -300,19 +300,19 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
|
|
|
5e5f7c |
|
|
|
5e5f7c |
in = BIO_new_mem_buf(data, data_length);
|
|
|
5e5f7c |
if (in == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
ret = PKCS7_sign(signer, key, certs, in, flags);
|
|
|
5e5f7c |
if (ret == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error signing data.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error signing data.\n");
|
|
|
5e5f7c |
goto errors;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
BIO_free(in);
|
|
|
5e5f7c |
|
|
|
5e5f7c |
/* Set the digest to use for signing. */
|
|
|
5e5f7c |
if (sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info) != 1) {
|
|
|
5e5f7c |
- cm_log(1, "Error signing data: %d signers.\n",
|
|
|
5e5f7c |
+ cm_log(0, "Error signing data: %d signers.\n",
|
|
|
5e5f7c |
sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info));
|
|
|
5e5f7c |
goto errors;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
@@ -356,7 +356,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
|
|
|
5e5f7c |
PKCS7_content_new(ret, NID_pkcs7_data);
|
|
|
5e5f7c |
out = PKCS7_dataInit(ret, NULL);
|
|
|
5e5f7c |
if (out == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error signing data.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error signing data.\n");
|
|
|
5e5f7c |
goto errors;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
BIO_write(out, data, data_length);
|
|
|
5e5f7c |
@@ -366,7 +366,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
|
|
|
5e5f7c |
errors:
|
|
|
5e5f7c |
while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
+ cm_log(0, "%s\n", buf);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
@@ -394,11 +394,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
util_o_init();
|
|
|
5e5f7c |
ERR_load_crypto_strings();
|
|
|
5e5f7c |
if (RAND_status() != 1) {
|
|
|
5e5f7c |
- cm_log(1, "PRNG not seeded for generating key.\n");
|
|
|
5e5f7c |
+ cm_log(0, "PRNG not seeded for generating key.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if (RAND_bytes(nonce, nonce_length) == -1) {
|
|
|
5e5f7c |
- cm_log(1, "PRNG unable to generate nonce.\n");
|
|
|
5e5f7c |
+ cm_log(0, "PRNG unable to generate nonce.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
@@ -410,14 +410,14 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
pem = cm_submit_u_pem_from_base64("CERTIFICATE", 0,
|
|
|
5e5f7c |
entry->cm_minicert);
|
|
|
5e5f7c |
if (pem == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Out of memory.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Out of memory.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
new_cert = cert_from_pem(pem, entry);
|
|
|
5e5f7c |
if (new_cert == NULL) {
|
|
|
5e5f7c |
while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
+ cm_log(0, "%s\n", buf);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
free(pem);
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
@@ -442,7 +442,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
cipher = cm_prefs_des;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
else {
|
|
|
5e5f7c |
- cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
|
|
|
5e5f7c |
+ cm_log(0, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
|
|
|
5e5f7c |
_exit(1);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
@@ -516,7 +516,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
digest = cm_prefs_md5;
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
else {
|
|
|
5e5f7c |
- cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
|
|
|
5e5f7c |
+ cm_log(0, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
|
|
|
5e5f7c |
_exit(1);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
@@ -578,7 +578,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
ca->cm_ca_encryption_issuer_cert,
|
|
|
5e5f7c |
entry->cm_cert,
|
|
|
5e5f7c |
&old_ias, &old_ias_length) != 0) {
|
|
|
5e5f7c |
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
|
|
|
5e5f7c |
free(pem);
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
@@ -590,7 +590,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
ca->cm_ca_encryption_issuer_cert,
|
|
|
5e5f7c |
pem,
|
|
|
5e5f7c |
&new_ias, &new_ias_length) != 0) {
|
|
|
5e5f7c |
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
|
|
|
5e5f7c |
free(pem);
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
@@ -598,7 +598,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
if (cm_pkcs7_envelope_csr(ca->cm_ca_encryption_cert, cipher,
|
|
|
5e5f7c |
entry->cm_csr,
|
|
|
5e5f7c |
&csr, &csr_length) != 0) {
|
|
|
5e5f7c |
- cm_log(1, "Error generating enveloped CSR.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error generating enveloped CSR.\n");
|
|
|
5e5f7c |
+ while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
+ ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
+ cm_log(0, "%s\n", buf);
|
|
|
5e5f7c |
+ }
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
@@ -608,7 +612,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
* the matching key. */
|
|
|
5e5f7c |
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(old_cert));
|
|
|
5e5f7c |
if (pubkey == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
util_X509_set_pubkey(old_cert, old_pkey);
|
|
|
5e5f7c |
@@ -639,7 +643,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
* if we do, we did that in another code path. */
|
|
|
5e5f7c |
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
|
|
|
5e5f7c |
if (pubkey == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
util_X509_set_pubkey(new_cert, old_pkey);
|
|
|
5e5f7c |
@@ -673,7 +677,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
* any previously-issued certificate won't match. */
|
|
|
5e5f7c |
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
|
|
|
5e5f7c |
if (pubkey == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
util_X509_set_pubkey(new_cert, new_pkey);
|
|
|
5e5f7c |
@@ -703,7 +707,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
X509_free(new_cert);
|
|
|
5e5f7c |
while ((error = ERR_get_error()) != 0) {
|
|
|
5e5f7c |
ERR_error_string_n(error, buf, sizeof(buf));
|
|
|
5e5f7c |
- cm_log(1, "%s\n", buf);
|
|
|
5e5f7c |
+ cm_log(0, "%s\n", buf);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
@@ -723,14 +727,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
if (ca->cm_ca_encryption_cert == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Can't generate new SCEP request data without "
|
|
|
5e5f7c |
+ cm_log(0, "Can't generate new SCEP request data without "
|
|
|
5e5f7c |
"the RA/CA encryption certificate.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
old_pkey = key_from_file(entry->cm_key_storage_location, entry);
|
|
|
5e5f7c |
if (old_pkey == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error reading key from file \"%s\".\n",
|
|
|
5e5f7c |
+ cm_log(0, "Error reading key from file \"%s\".\n",
|
|
|
5e5f7c |
entry->cm_key_storage_location);
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
@@ -739,14 +743,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
filename = util_build_next_filename(entry->cm_key_storage_location,
|
|
|
5e5f7c |
entry->cm_key_next_marker);
|
|
|
5e5f7c |
if (filename == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error opening key file \"%s\" "
|
|
|
5e5f7c |
+ cm_log(0, "Error opening key file \"%s\" "
|
|
|
5e5f7c |
"for reading: %s.\n",
|
|
|
5e5f7c |
filename, strerror(errno));
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
new_pkey = key_from_file(filename, entry);
|
|
|
5e5f7c |
if (new_pkey == NULL) {
|
|
|
5e5f7c |
- cm_log(1, "Error reading key from file \"%s\".\n",
|
|
|
5e5f7c |
+ cm_log(0, "Error reading key from file \"%s\".\n",
|
|
|
5e5f7c |
filename);
|
|
|
5e5f7c |
free(filename);
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
|
|
5e5f7c |
@@ -757,7 +761,7 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
if ((util_EVP_PKEY_base_id(old_pkey) != EVP_PKEY_RSA) ||
|
|
|
5e5f7c |
((new_pkey != NULL) && (util_EVP_PKEY_base_id(new_pkey) != EVP_PKEY_RSA))) {
|
|
|
5e5f7c |
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
|
|
|
5e5f7c |
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
|
|
|
5e5f7c |
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
|
|
|
5e5f7c |
}
|
|
|
5e5f7c |
|
|
|
5e5f7c |
diff --git a/src/scepgen.c b/src/scepgen.c
|
|
|
5e5f7c |
index eaf2b7c..115446f 100644
|
|
|
5e5f7c |
--- a/src/scepgen.c
|
|
|
5e5f7c |
+++ b/src/scepgen.c
|
|
|
5e5f7c |
@@ -32,7 +32,7 @@ cm_scepgen_start(struct cm_store_ca *ca, struct cm_store_entry *entry)
|
|
|
5e5f7c |
{
|
|
|
5e5f7c |
switch (entry->cm_key_storage_type) {
|
|
|
5e5f7c |
case cm_key_storage_none:
|
|
|
5e5f7c |
- cm_log(1, "Can't generate new SCEP data for %s('%s') without "
|
|
|
5e5f7c |
+ cm_log(0, "Can't generate new SCEP data for %s('%s') without "
|
|
|
5e5f7c |
"the key, and we don't know where that is or should "
|
|
|
5e5f7c |
"be.\n", entry->cm_busname, entry->cm_nickname);
|
|
|
5e5f7c |
break;
|
|
|
5e5f7c |
--
|
|
|
5e5f7c |
2.21.1
|
|
|
5e5f7c |
|