
From c47a439f510adffe4e2225408261d0e93059e077 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Fri, 7 Aug 2015 13:40:41 +0200
Subject: [PATCH] Remove rekey feature
https://bugzilla.redhat.com/show_bug.cgi?id=1250397
---
 src/certmonger-scep-submit.8.in |  8 --------
 src/certmonger.conf.5.in        | 19 -------------------
 src/getcert-add-scep-ca.1.in    |  8 --------
 src/getcert.c                   |  3 ---
 src/prefs.c                     | 27 +--------------------------
 src/scep.c                      |  5 -----
 src/submit-e.c                  |  6 ------
 src/tdbush.c                    | 10 +---------
 tests/010-iterate/expected.out  | 14 +++++---------
 tests/028-dbus/expected.out     |  6 ------
 tests/036-getcert/expected.out  | 26 ++++++++++++++------------
 tests/037-rekey2/expected.out   |  4 ++--
 12 files changed, 23 insertions(+), 113 deletions(-)
diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
3eac4d
index 7319c6a42c090420eb035515d94fd0640d990dda..31203c37fde407d2306de9d7f5aba9d3541eaaa3 100644
3eac4d
--- a/src/certmonger-scep-submit.8.in
3eac4d
+++ b/src/certmonger-scep-submit.8.in
3eac4d
@@ -80,14 +80,6 @@ When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to
3eac4d
 specify the CA identifier which is passed to the server as part of the client's
3eac4d
 request.  The default is "0".
3eac4d
 .TP
3eac4d
-\fB\-n\fR
3eac4d
-The SCEP Renewal feature allows a client with a previously-issued certificate
3eac4d
-to use that certificate and the associated private key to request a new
3eac4d
-certificate for a different key pair, and can be used to support
3eac4d
-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
3eac4d
-it.  This option forces the \fIscep-submit\fR helper to prefer to issue
3eac4d
-requests which do not make use of this feature.
3eac4d
-.TP
3eac4d
 \fB-v\fR
3eac4d
 Increases the logging level.  Use twice for more logging.  This option
3eac4d
 is mainly useful for troubleshooting.
3eac4d
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
3eac4d
index 241f48b07b5045708aa118663b569d5ac3947782..e1220f134c30e760af73fb0abc88a498e94f23d2 100644
3eac4d
--- a/src/certmonger.conf.5.in
3eac4d
+++ b/src/certmonger.conf.5.in
3eac4d
@@ -72,25 +72,6 @@ These are the trust attributes which are applied to certificates which are not
3eac4d
 necessarily to be trusted, when they are saved to NSS databases.  The default
3eac4d
 is \fI,,\fP.
3eac4d
 
3eac4d
-.IP max_key_use_count
3eac4d
-When attempting to replace a certificate, if \fIcertmonger\fR has previously
3eac4d
-obtained at least this number of certificates using the current key pair, it
3eac4d
-will generate a new key pair to use before proceeding.  There is effectively no
3eac4d
-default for this setting.
3eac4d
-
3eac4d
-.IP max_key_lifetime
3eac4d
-The amount of time after a key was first generated when \fIcertmonger\fR will
3eac4d
-attempt to generate a new key pair to replace it, as part of the process of
3eac4d
-replacing a certificate.
3eac4d
-The value is specified as a combination of years (y), months (M), weeks (w),
3eac4d
-days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is
3eac4d
-specified, seconds are assumed.
3eac4d
-The date when a key was generated is not recorded if the key was not generated
3eac4d
-by \fIcertmonger\fR, or if the key was generated with a version of
3eac4d
-\fIcertmonger\fR older than 0.78, and for those cases, this option has no
3eac4d
-effect.
3eac4d
-There is effectively no default for this setting.
3eac4d
-
3eac4d
 .SH SELFSIGN
3eac4d
 Within the \fIselfsign\fR section, these variables and values are recognized:
3eac4d
 
3eac4d
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
3eac4d
index f07b9002a206526ea7f0334f5ba0071d8fffd3ae..64f0f5e80cd0fa3ae01fcf27828f97935dfb99c7 100644
3eac4d
--- a/src/getcert-add-scep-ca.1.in
3eac4d
+++ b/src/getcert-add-scep-ca.1.in
3eac4d
@@ -46,14 +46,6 @@ A CA identifier value which will passed to the server when the
3eac4d
 \fIscep-submit\fR helper is used to retrieve copies of the server's
3eac4d
 certificates.
3eac4d
 .TP
3eac4d
-\fB\-n\fR
3eac4d
-The SCEP Renewal feature allows a client with a previously-issued certificate
3eac4d
-to use that certificate and the associated private key to request a new
3eac4d
-certificate for a different key pair, and can be used to support
3eac4d
-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
3eac4d
-it.  This option forces the \fIscep-submit\fR helper to issue requests without
3eac4d
-making use of this feature.
3eac4d
-.TP
3eac4d
 \fB\-v\fR
3eac4d
 Be verbose about errors.  Normally, the details of an error received from
3eac4d
 the daemon will be suppressed if the client can make a diagnostic suggestion.
3eac4d
diff --git a/src/getcert.c b/src/getcert.c
f64bd5
index c84273a9bfc8730422f18ade87ce174fbbc44634..dcdbdd455dd8c61c1aeaad6a5c7feef21b56feab 100644
3eac4d
--- a/src/getcert.c
3eac4d
+++ b/src/getcert.c
f64bd5
@@ -4625,7 +4625,6 @@ static struct {
3eac4d
 	{"start-tracking", start_tracking},
3eac4d
 	{"stop-tracking", stop_tracking},
3eac4d
 	{"resubmit", resubmit},
3eac4d
-	{"rekey", rekey},
3eac4d
 	{"refresh", refresh},
3eac4d
 	{"list", list},
3eac4d
 	{"status", status},
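Review bot: Dropping the `{"rekey", rekey}` dispatch entry leaves the `rekey` function itself in place, since the diffstat shows only three lines leaving src/getcert.c; the same applies to `rekey_help`, whose table entry goes in the hunk at line 5040. If both are `static`, as the surrounding table suggests, they become dead code that still parses the command's option set and will trigger unused-function warnings. Removing the two definitions in the same commit would complete the removal rather than hide the subcommand. The command table and `help()` both begin before these hunks.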
f64bd5
@@ -5041,8 +5040,6 @@ help(const char *twopartcmd, const char *category)
3eac4d
 		 N_("stop monitoring a certificate\n")},
3eac4d
 		{"resubmit", resubmit_help,
3eac4d
 		 N_("resubmit an in-progress enrollment request, or start a new one\n")},
3eac4d
-		{"rekey", rekey_help,
3eac4d
-		 N_("generate a new private key and replace a certificate\n")},
3eac4d
 		{"refresh", refresh_help,
3eac4d
 		 N_("check on the status of an in-progress enrollment request\n")},
3eac4d
 		{"list", list_help,
3eac4d
diff --git a/src/prefs.c b/src/prefs.c
3eac4d
index ab363bbc2c08f834e7fc1bede8f1cf2c50229f1c..0a8e166ce30f3b0288cd7430568ae18d0e5ab914 100644
3eac4d
--- a/src/prefs.c
3eac4d
+++ b/src/prefs.c
3eac4d
@@ -545,36 +545,11 @@ cm_prefs_nss_other_trust(void)
3eac4d
 long long
3eac4d
 prefs_key_end_of_life(time_t ref)
3eac4d
 {
3eac4d
-	const char *cfg;
3eac4d
-	time_t tmp;
3eac4d
-
3eac4d
-	tmp = -1;
3eac4d
-	cfg = cm_prefs_config(NULL, "max_key_lifetime");
3eac4d
-	if (cfg != NULL) {
3eac4d
-		if (cm_submit_u_delta_from_string(cfg, ref, &tmp) == 0) {
3eac4d
-			return tmp;
3eac4d
-		}
3eac4d
-	}
3eac4d
 	return -1;
3eac4d
 }
3eac4d
 
3eac4d
 long
3eac4d
 prefs_max_key_use_count(void)
3eac4d
 {
3eac4d
-	static long count = -2;
3eac4d
-	long tmp;
3eac4d
-	const char *cfg;
3eac4d
-	char *p;
3eac4d
-
3eac4d
-	if (count == -2) {
3eac4d
-		count = -1;
3eac4d
-		cfg = cm_prefs_config(NULL, "max_key_use_count");
3eac4d
-		if (cfg != NULL) {
3eac4d
-			tmp = strtol(cfg, &p, 10);
3eac4d
-			if ((p != NULL) && (*p == '\0')) {
3eac4d
-				count = tmp;
3eac4d
-			}
3eac4d
-		}
3eac4d
-	}
3eac4d
-	return count;
3eac4d
+	return -1;
3eac4d
 }
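Review bot: The stubbed `prefs_key_end_of_life()` no longer reads its `ref` parameter, which draws a -Wunused-parameter warning where that is enabled; add `(void)ref;` before its `return -1;`. Neither stub documents that -1 is now the only possible result, so a one-line comment such as `/* Rekey support removed (rhbz#1250397): no key lifetime or use limit is ever applied. */` above each would stop the next reader searching for a config key that is no longer consulted. A `max_key_lifetime` or `max_key_use_count` entry in certmonger.conf is now silently ignored rather than reported, which is consistent with the conf(5) text removed in this patch but worth a sentence there. The hunk begins inside the file's preference helpers, after `cm_prefs_nss_other_trust()`.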
3eac4d
diff --git a/src/scep.c b/src/scep.c
3eac4d
index d3bbc050947a1a0472187503110682c9028f9c6f..11f9ae3cc193981d3c2bf986a4a5c4c7d81506f5 100644
3eac4d
--- a/src/scep.c
3eac4d
+++ b/src/scep.c
3eac4d
@@ -231,7 +231,6 @@ main(int argc, const char **argv)
3eac4d
 		{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
3eac4d
 		{"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},
3eac4d
 		{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},
3eac4d
-		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},
3eac4d
 		{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
3eac4d
 		POPT_AUTOHELP
3eac4d
 		POPT_TABLEEND
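Review bot: Removing the `--non-renewal` popt entry removes the only writer of `prefer_non_renewal` visible here, yet the diffstat shows just five lines leaving src/scep.c, so the variable's declaration and whatever branches test it presumably remain; if so the flag is now a constant and those branches are dead. Confirm and delete the variable and its uses along with the option, so the helper's behaviour no longer depends on a knob that cannot be set. `main()` starts before this hunk and continues past it.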
3eac4d
@@ -255,8 +254,6 @@ main(int argc, const char **argv)
3eac4d
 			message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV);
3eac4d
 			if (message == NULL) {
3eac4d
 				message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
3eac4d
-			} else {
3eac4d
-				rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
3eac4d
 			}
3eac4d
 		} else
3eac4d
 		if (strcasecmp(mode, CM_OP_POLL) == 0) {
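Review bot: `message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV)` is still consulted ahead of `CM_SUBMIT_SCEP_PKCSREQ_ENV` both here and in the hunk at line 261, so the helper keeps accepting a rekey-style PKCSReq supplied through its environment even though the feature is being removed; only the capture into `rekey_message` is gone. If the daemon no longer sets the rekey variable this is harmless, but the lookup and `rekey_message` (which the diffstat suggests is still declared) are leftovers. Reducing each branch to `message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);` would finish the removal and make the submit and poll paths read the same way. `main()` extends beyond both hunks.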
3eac4d
@@ -264,8 +261,6 @@ main(int argc, const char **argv)
3eac4d
 			message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV);
3eac4d
 			if (message == NULL) {
3eac4d
 				message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
3eac4d
-			} else {
3eac4d
-				rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
3eac4d
 			}
3eac4d
 		} else
3eac4d
 		if (strcasecmp(mode, CM_OP_FETCH_SCEP_CA_CERTS) == 0) {
3eac4d
diff --git a/src/submit-e.c b/src/submit-e.c
f64bd5
index befd01e0fd00b8f9e239752ffbd80c985fae5057..af05efeb762933e31fecc67b1204001b7e81c697 100644
3eac4d
--- a/src/submit-e.c
3eac4d
+++ b/src/submit-e.c
3eac4d
@@ -446,12 +446,6 @@ cm_submit_e_need_scep_messages(struct cm_submit_state *state)
3eac4d
 static int
3eac4d
 cm_submit_e_need_rekey(struct cm_submit_state *state)
3eac4d
 {
3eac4d
-	int status;
3eac4d
-	status = cm_subproc_get_exitstatus(state->subproc);
3eac4d
-	if (WIFEXITED(status) &&
3eac4d
-	    (WEXITSTATUS(status) == CM_SUBMIT_STATUS_NEED_REKEY)) {
3eac4d
-		return 0;
3eac4d
-	}
3eac4d
 	return -1;
3eac4d
 }
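Review bot: The stub leaves `state` unused; add `(void)state;` ahead of `return -1;` to keep -Wunused-parameter quiet, together with a comment such as `/* Rekey support removed: a helper's NEED_REKEY exit status is no longer honoured. */` so the always-fail return reads as deliberate rather than as an unfinished function. A helper that still exits with `CM_SUBMIT_STATUS_NEED_REKEY` now falls through to whatever the caller does with an unrecognised status, which this hunk does not show; it is worth confirming that such an exit is logged and reported rather than retried indefinitely. If the constant has no remaining users after this change, it can go as well.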
3eac4d
 
3eac4d
diff --git a/src/tdbush.c b/src/tdbush.c
f64bd5
index 631da3ed2bbb1f6828d576760299ad51d7e41923..aec5e9d0a36a7cb5c035e1aefda04c2b32b1e100 100644
3eac4d
--- a/src/tdbush.c
3eac4d
+++ b/src/tdbush.c
f64bd5
@@ -7117,14 +7117,6 @@ cm_tdbush_iface_request(void)
3eac4d
 										     NULL))),
3eac4d
 								     NULL),
3eac4d
 				     make_interface_item(cm_tdbush_interface_method,
3eac4d
-							 make_method("rekey",
3eac4d
-								     request_rekey,
3eac4d
-								     make_method_arg("working",
3eac4d
-										     DBUS_TYPE_BOOLEAN_AS_STRING,
3eac4d
-										     cm_tdbush_method_arg_out,
3eac4d
-										     NULL),
3eac4d
-								     NULL),
3eac4d
-				     make_interface_item(cm_tdbush_interface_method,
3eac4d
 							 make_method("resubmit",
3eac4d
 								     request_resubmit,
3eac4d
 								     make_method_arg("working",
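Review bot: Unregistering the `rekey` method removes it from the D-Bus interface and its introspection data (matching the tests/028-dbus update), but by the diffstat's count `request_rekey` itself stays in src/tdbush.c; as a static handler with no remaining table entry it is dead code and will warn as unused. Remove the handler with its registration so no unreachable request path lingers in the daemon. The interface-building expression in `cm_tdbush_iface_request()` starts before this hunk, and the second hunk only shortens the closing parenthesis run to match the dropped `make_interface_item(` call.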
f64bd5
@@ -7179,7 +7171,7 @@ cm_tdbush_iface_request(void)
3eac4d
 				     make_interface_item(cm_tdbush_interface_signal,
3eac4d
 							 make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED,
3eac4d
 								     NULL),
f64bd5
-							 NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
f64bd5
+							 NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
3eac4d
 	}
3eac4d
 	return ret;
3eac4d
 }
3eac4d
diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out
3eac4d
index bd57a01ba8725418978259018441f6a9a6672758..85d07b3baef83dbafd39c03888881cb665518733 100644
3eac4d
--- a/tests/010-iterate/expected.out
3eac4d
+++ b/tests/010-iterate/expected.out
3eac4d
@@ -398,19 +398,15 @@ HAVE_CSR
3eac4d
 -START-
3eac4d
 NEED_TO_SUBMIT
3eac4d
 SUBMITTING
3eac4d
-NEED_KEY_PAIR
3eac4d
+NEED_GUIDANCE
3eac4d
 -STOP-
3eac4d
-NEED_KEY_PAIR
3eac4d
+NEED_GUIDANCE
3eac4d
 -START-
3eac4d
-GENERATING_KEY_PAIR
3eac4d
-HAVE_KEY_PAIR
3eac4d
-NEED_KEYINFO
3eac4d
+NEED_GUIDANCE
3eac4d
 -STOP-
3eac4d
-NEED_KEYINFO
3eac4d
+NEED_GUIDANCE
3eac4d
 -START-
3eac4d
-READING_KEYINFO
3eac4d
-HAVE_KEYINFO
3eac4d
-NEED_CSR
3eac4d
+NEED_GUIDANCE
3eac4d
 -STOP-
3eac4d
 
3eac4d
 [Enroll until we notice we have no specified CA.]
3eac4d
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
f64bd5
index 93cc4d184524c4b1aeba02a650c94d832462c236..26850efaedb966cd94ecd0db42d6adb378b47f37 100644
3eac4d
--- a/tests/028-dbus/expected.out
3eac4d
+++ b/tests/028-dbus/expected.out
f64bd5
@@ -403,9 +403,6 @@ OK
3eac4d
    <arg name="status" type="b" direction="out"/>
3eac4d
    <arg name="path" type="o" direction="out"/>
3eac4d
   </method>
3eac4d
-  <method name="rekey">
3eac4d
-   <arg name="working" type="b" direction="out"/>
3eac4d
-  </method>
3eac4d
   <method name="resubmit">
3eac4d
    <arg name="working" type="b" direction="out"/>
3eac4d
   </method>
f64bd5
@@ -483,9 +480,6 @@ recently
3eac4d
 1 on /org/fedorahosted/certmonger/requests/Request2
3eac4d
 After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
3eac4d
 
3eac4d
-[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
3eac4d
-1
3eac4d
-
3eac4d
 [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.resubmit ]
3eac4d
 1
3eac4d
 
3eac4d
diff --git a/tests/036-getcert/expected.out b/tests/036-getcert/expected.out
3eac4d
index c1a13c8e058e39285ee842b173356002da2fd0e6..b6d1eaf7c733e04d5b928e7a59edeca43a27a5ef 100644
3eac4d
--- a/tests/036-getcert/expected.out
3eac4d
+++ b/tests/036-getcert/expected.out
3eac4d
@@ -11,20 +11,21 @@ certs:1
3eac4d
 keys:1
3eac4d
 -----BEGIN PRIVATE KEY-----
3eac4d
 [Files, rekey]
3eac4d
-Resubmitting "first" to "local".
3eac4d
 certs:1
3eac4d
 -----BEGIN CERTIFICATE-----
3eac4d
 keys:1
3eac4d
 -----BEGIN PRIVATE KEY-----
3eac4d
+ERROR: keys were not changed on rekey
3eac4d
+ERROR: cert was not changed on rekey
3eac4d
 [Files, rekey with preserve=1]
3eac4d
-Resubmitting "first" to "local".
3eac4d
 certs:1
3eac4d
 -----BEGIN CERTIFICATE-----
3eac4d
-keys:2
3eac4d
------BEGIN PRIVATE KEY-----
3eac4d
+keys:1
3eac4d
 -----BEGIN PRIVATE KEY-----
3eac4d
+ERROR: keys were not changed on rekey
3eac4d
+ERROR: cert was not changed on rekey
3eac4d
+ERROR: old keys were not saved on rekey
3eac4d
 [Files, rekey with jerk CA]
3eac4d
-Resubmitting "first" to "jerkca".
3eac4d
 certs:1
3eac4d
 -----BEGIN CERTIFICATE-----
3eac4d
 keys:1
3eac4d
@@ -44,30 +45,31 @@ pk12util: PKCS12 EXPORT SUCCESSFUL
3eac4d
 cert:1
3eac4d
 key:1
3eac4d
 [Database, rekey]
3eac4d
-Resubmitting "first" to "local".
3eac4d
 certs:1
3eac4d
 keys:1
3eac4d
 pk12util: PKCS12 EXPORT SUCCESSFUL
3eac4d
 cert:1
3eac4d
 key:1
3eac4d
+ERROR: keys were not changed on rekey
3eac4d
+ERROR: cert was not changed on rekey
3eac4d
 [Database, rekey with preserve=1]
3eac4d
-Resubmitting "first" to "local".
3eac4d
 certs:1
3eac4d
-keys:2
3eac4d
+keys:1
3eac4d
 pk12util: PKCS12 EXPORT SUCCESSFUL
3eac4d
 cert:1
3eac4d
 key:1
3eac4d
+ERROR: keys were not changed on rekey
3eac4d
+ERROR: cert was not changed on rekey
3eac4d
+ERROR: old keys were not saved on rekey
3eac4d
 [Database, rekey with jerk CA]
3eac4d
-Resubmitting "first" to "jerkca".
3eac4d
 certs:1
3eac4d
-keys:3
3eac4d
+keys:1
3eac4d
 pk12util: PKCS12 EXPORT SUCCESSFUL
3eac4d
 cert:1
3eac4d
 key:1
3eac4d
 [Database, rekey with jerk CA, nonpreserving]
3eac4d
-Resubmitting "first" to "jerkca".
3eac4d
 certs:1
3eac4d
-keys:3
3eac4d
+keys:1
3eac4d
 pk12util: PKCS12 EXPORT SUCCESSFUL
3eac4d
 cert:1
3eac4d
 key:1
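Review bot: The new expected output baselines `ERROR: keys were not changed on rekey` and its siblings as the correct result of the `[Files, rekey]` and `[Database, rekey]` cases, so the suite now passes only while the removed command fails in exactly that way; an expectation that encodes an error message hides what the test is meant to prove. Since getcert no longer offers `rekey`, drop these cases from the test script, or have them assert that the command is rejected and that `keys:1` is unchanged afterwards. The same consideration applies to tests/037-rekey2 and tests/010-iterate, whose expected states are rewritten from NEED_KEY_PAIR rather than the scenarios being retired.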
3eac4d
diff --git a/tests/037-rekey2/expected.out b/tests/037-rekey2/expected.out
3eac4d
index bd8cca7c3eedb5a02249f450451b651bb270ec24..62a1c746f86bb53fe79d1226ab9194825f7642d8 100644
3eac4d
--- a/tests/037-rekey2/expected.out
3eac4d
+++ b/tests/037-rekey2/expected.out
3eac4d
@@ -112,7 +112,7 @@ MONITORING
3eac4d
 -STOP-
3eac4d
 MONITORING
3eac4d
 -START-
3eac4d
-NEED_KEY_PAIR
3eac4d
+NEED_CSR
3eac4d
 -STOP-
3eac4d
 [Uses = 2.]
3eac4d
 NEED_KEY_PAIR
3eac4d
@@ -228,6 +228,6 @@ MONITORING
3eac4d
 -STOP-
3eac4d
 MONITORING
3eac4d
 -START-
3eac4d
-NEED_KEY_PAIR
3eac4d
+NEED_CSR
3eac4d
 -STOP-
3eac4d
 Test complete.
-- 
2.7.4