From 37ebf87fb6fc93d445139310a1c89b98f3f514de Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Wed, 29 Apr 2020 16:29:50 -0400

Subject: [PATCH 37/39] Add new option to allow overriding the detected SCEP CA

 chain

The -R option was doing double-duty for the SCEP CA.

1. It was required if the SCEP URL used TLS

2. It override the CA certificate downloaded from the SCEP server

If the chains were different then validating the SCEP responses would

fail.

https://bugzilla.redhat.com/show_bug.cgi?id=1808613

---

 src/certmonger-scep-submit.8.in | 14 +++++++++-----

 src/getcert-add-scep-ca.1.in    | 12 ++++++++----

 src/getcert.c                   |  6 +++++-

 src/scep.c                      | 13 ++++++-------

 4 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in

index 95d674a..42ffcd6 100644

--- a/src/certmonger-scep-submit.8.in

+++ b/src/certmonger-scep-submit.8.in

@@ -8,6 +8,7 @@ scep-submit -u SERVER-URL

 [-r ra-cert-file]

 [-R ca-cert-file]

 [-I other-certs-file]

+[-N ca-cert-file]

 [-i ca-identifier]

 [-v]

 [-n]

@@ -57,11 +58,14 @@ typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or

 always required.

 .TP

 \fB\-R\fR CA-certificate-file

-The location of the SCEP server's CA certificate, which was used to

-issue the SCEP server's certificate, or the SCEP server's own

-certificate, if it is self-signed, in PEM form.  If the URL specified

-with the \fB-u\fR option is an \fIhttps\fR URL, then this option is

-required.

+The location of the CA certificate which was used to issue the SCEP web

+server's certificate in PEM form. If the URL specified with the

+\fB-u\fR option is an \fIhttps\fR URL, then this option is required.

+.TP

+\fB\-N\fR ca-certificate-file

+The location of a PEM-formatted copy of the SCEP server's CA certificate.

+A discovered value is normally supplied by the certmonger daemon, but one can

+be specified for troubleshooting purposes.

 .TP

 \fB\-r\fR RA-certificate-file

 The location of the SCEP server's RA certificate, which is expected to

diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in

index 11ab4ce..bf07306 100644

--- a/src/getcert-add-scep-ca.1.in

+++ b/src/getcert-add-scep-ca.1.in

@@ -24,12 +24,16 @@ The location of the SCEP server's enrollment interface.  This option must be

 specified.

 .TP

 \fB\-R\fR ca-certificate-file

-The location of a PEM-formatted copy of the SCEP server's CA's certificate.

-A discovered value is supplied by the certmonger daemon for use in verifying

-the signature on data returned by the SCEP server, but it is not used for

-verifying HTTPS server certificates.

+The location of a PEM-formatted copy of the CA's certificate used to verify

+the TLS connection the SCEP server.

+

 This option must be specified if the URL is an \fIhttps\fR location.

 .TP

+\fB\-N\fR ca-certificate-file

+The location of a PEM-formatted copy of the SCEP server's CA certificate.

+A discovered value is normally supplied by the certmonger daemon, but one can

+be specified for troubleshooting purposes.

+.TP

 \fB\-r\fR ra-certificate-file

 The location of a PEM-formatted copy of the SCEP server's RA's certificate.

 A discovered value is normally supplied by the certmonger daemon, but one can

diff --git a/src/getcert.c b/src/getcert.c

index 3d78a73..493771f 100644

--- a/src/getcert.c

+++ b/src/getcert.c

@@ -4496,6 +4496,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)

 	enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;

 	char *caname = NULL, *url = NULL, *path = NULL, *id = NULL;

 	char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command;

+	char *signingca = NULL;

 	const char *err;

 	int c, prefer_non_renewal = 0, verbose = 0;

 	dbus_bool_t b;

@@ -4508,6 +4509,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)

 		{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},

 		{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},

 		{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},

+		{"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},

 		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},

 		{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},

 		{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},

@@ -4569,7 +4571,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)

 		return 1;

 	}

 	command = talloc_asprintf(globals.tctx,

-				  "%s -u %s %s %s %s %s %s %s %s",

+				  "%s -u %s %s %s %s %s %s %s %s %s %s",

 				  shell_escape(globals.tctx,

 					       CM_SCEP_HELPER_PATH),

 				  shell_escape(globals.tctx, url),

@@ -4579,6 +4581,8 @@ add_scep_ca(const char *argv0, int argc, const char **argv)

 				  racert ? shell_escape(globals.tctx, racert) : "",

 				  certs ? "-I" : "",

 				  certs ? shell_escape(globals.tctx, certs) : "",

+				  signingca ? "-N" : "",

+				  signingca ? shell_escape(globals.tctx, signingca) : "",

 				  prefer_non_renewal ? "-n" : "");

 	for (c = 0; c < verbose; c++) {

 		command = talloc_strdup_append(command, " -v");

diff --git a/src/scep.c b/src/scep.c

index b80278e..4294cda 100644

--- a/src/scep.c

+++ b/src/scep.c

@@ -206,7 +206,6 @@ main(int argc, const char **argv)

 	enum known_ops op = op_unset;

 	const char *id = NULL;

 	char *cainfo = NULL;

-	char *poptarg;

 	char *message = NULL, *rekey_message = NULL;

 	const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;

 	void *ctx;

@@ -235,8 +234,9 @@ main(int argc, const char **argv)

 		{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},

 		{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},

 		{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},

-		{"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},

+		{"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"},

 		{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},

+		{"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"},

 		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},

 		{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},

 		POPT_AUTOHELP

@@ -329,9 +329,10 @@ main(int argc, const char **argv)

 			racert = cm_submit_u_from_file(poptGetOptArg(pctx));

 			break;

 		case 'R':

-			poptarg = poptGetOptArg(pctx);

-			cainfo = strdup(poptarg);

-			cacert = cm_submit_u_from_file(poptarg);

+			cainfo = poptGetOptArg(pctx);

+			break;

+		case 'N':

+			cacert = cm_submit_u_from_file(poptGetOptArg(pctx));

 			break;

 		case 'I':

 			certs = cm_submit_u_from_file(poptGetOptArg(pctx));

@@ -340,7 +341,6 @@ main(int argc, const char **argv)

 	}

 	if (c != -1) {

 		poptPrintUsage(pctx, stdout, 0);

-		free(cainfo);

 		return CM_SUBMIT_STATUS_UNCONFIGURED;

 	}

@@ -1189,7 +1189,6 @@ done:

 	if (pctx) {

 		poptFreeContext(pctx);

 	}

-	free(cainfo);

 	free(id);

 	cm_submit_h_cleanup(hctx);

 	talloc_free(ctx);

-- 

2.21.1