From c47a439f510adffe4e2225408261d0e93059e077 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Fri, 7 Aug 2015 13:40:41 +0200
Subject: [PATCH] Remove rekey feature
https://bugzilla.redhat.com/show_bug.cgi?id=1250397
---
src/certmonger-scep-submit.8.in | 8 --------
src/certmonger.conf.5.in | 19 -------------------
src/getcert-add-scep-ca.1.in | 8 --------
src/getcert.c | 3 ---
src/prefs.c | 27 +--------------------------
src/scep.c | 5 -----
src/submit-e.c | 6 ------
src/tdbush.c | 10 +---------
tests/010-iterate/expected.out | 14 +++++---------
tests/028-dbus/expected.out | 6 ------
tests/036-getcert/expected.out | 26 ++++++++++++++------------
tests/037-rekey2/expected.out | 4 ++--
12 files changed, 23 insertions(+), 113 deletions(-)
diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
index 7319c6a42c090420eb035515d94fd0640d990dda..31203c37fde407d2306de9d7f5aba9d3541eaaa3 100644
--- a/src/certmonger-scep-submit.8.in
+++ b/src/certmonger-scep-submit.8.in
@@ -80,14 +80,6 @@ When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to
specify the CA identifier which is passed to the server as part of the client's
request. The default is "0".
.TP
-\fB\-n\fR
-The SCEP Renewal feature allows a client with a previously-issued certificate
-to use that certificate and the associated private key to request a new
-certificate for a different key pair, and can be used to support
-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
-it. This option forces the \fIscep-submit\fR helper to prefer to issue
-requests which do not make use of this feature.
-.TP
\fB-v\fR
Increases the logging level. Use twice for more logging. This option
is mainly useful for troubleshooting.
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
index 241f48b07b5045708aa118663b569d5ac3947782..e1220f134c30e760af73fb0abc88a498e94f23d2 100644
--- a/src/certmonger.conf.5.in
+++ b/src/certmonger.conf.5.in
@@ -72,25 +72,6 @@ These are the trust attributes which are applied to certificates which are not
necessarily to be trusted, when they are saved to NSS databases. The default
is \fI,,\fP.
-.IP max_key_use_count
-When attempting to replace a certificate, if \fIcertmonger\fR has previously
-obtained at least this number of certificates using the current key pair, it
-will generate a new key pair to use before proceeding. There is effectively no
-default for this setting.
-
-.IP max_key_lifetime
-The amount of time after a key was first generated when \fIcertmonger\fR will
-attempt to generate a new key pair to replace it, as part of the process of
-replacing a certificate.
-The value is specified as a combination of years (y), months (M), weeks (w),
-days (d), hours (h), minutes (m), and/or seconds (s). If no unit of time is
-specified, seconds are assumed.
-The date when a key was generated is not recorded if the key was not generated
-by \fIcertmonger\fR, or if the key was generated with a version of
-\fIcertmonger\fR older than 0.78, and for those cases, this option has no
-effect.
-There is effectively no default for this setting.
-
.SH SELFSIGN
Within the \fIselfsign\fR section, these variables and values are recognized:
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
index f07b9002a206526ea7f0334f5ba0071d8fffd3ae..64f0f5e80cd0fa3ae01fcf27828f97935dfb99c7 100644
--- a/src/getcert-add-scep-ca.1.in
+++ b/src/getcert-add-scep-ca.1.in
@@ -46,14 +46,6 @@ A CA identifier value which will passed to the server when the
\fIscep-submit\fR helper is used to retrieve copies of the server's
certificates.
.TP
-\fB\-n\fR
-The SCEP Renewal feature allows a client with a previously-issued certificate
-to use that certificate and the associated private key to request a new
-certificate for a different key pair, and can be used to support
-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
-it. This option forces the \fIscep-submit\fR helper to issue requests without
-making use of this feature.
-.TP
\fB\-v\fR
Be verbose about errors. Normally, the details of an error received from
the daemon will be suppressed if the client can make a diagnostic suggestion.
diff --git a/src/getcert.c b/src/getcert.c
index c84273a9bfc8730422f18ade87ce174fbbc44634..dcdbdd455dd8c61c1aeaad6a5c7feef21b56feab 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4625,7 +4625,6 @@ static struct {
{"start-tracking", start_tracking},
{"stop-tracking", stop_tracking},
{"resubmit", resubmit},
- {"rekey", rekey},
{"refresh", refresh},
{"list", list},
{"status", status},
@@ -5041,8 +5040,6 @@ help(const char *twopartcmd, const char *category)
N_("stop monitoring a certificate\n")},
{"resubmit", resubmit_help,
N_("resubmit an in-progress enrollment request, or start a new one\n")},
- {"rekey", rekey_help,
- N_("generate a new private key and replace a certificate\n")},
{"refresh", refresh_help,
N_("check on the status of an in-progress enrollment request\n")},
{"list", list_help,
diff --git a/src/prefs.c b/src/prefs.c
index ab363bbc2c08f834e7fc1bede8f1cf2c50229f1c..0a8e166ce30f3b0288cd7430568ae18d0e5ab914 100644
--- a/src/prefs.c
+++ b/src/prefs.c
@@ -545,36 +545,11 @@ cm_prefs_nss_other_trust(void)
long long
prefs_key_end_of_life(time_t ref)
{
- const char *cfg;
- time_t tmp;
-
- tmp = -1;
- cfg = cm_prefs_config(NULL, "max_key_lifetime");
- if (cfg != NULL) {
- if (cm_submit_u_delta_from_string(cfg, ref, &tmp) == 0) {
- return tmp;
- }
- }
return -1;
}
long
prefs_max_key_use_count(void)
{
- static long count = -2;
- long tmp;
- const char *cfg;
- char *p;
-
- if (count == -2) {
- count = -1;
- cfg = cm_prefs_config(NULL, "max_key_use_count");
- if (cfg != NULL) {
- tmp = strtol(cfg, &p, 10);
- if ((p != NULL) && (*p == '\0')) {
- count = tmp;
- }
- }
- }
- return count;
+ return -1;
}
diff --git a/src/scep.c b/src/scep.c
index d3bbc050947a1a0472187503110682c9028f9c6f..11f9ae3cc193981d3c2bf986a4a5c4c7d81506f5 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -231,7 +231,6 @@ main(int argc, const char **argv)
{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
{"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},
{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},
- {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},
{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
POPT_AUTOHELP
POPT_TABLEEND
@@ -255,8 +254,6 @@ main(int argc, const char **argv)
message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV);
if (message == NULL) {
message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
- } else {
- rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
}
} else
if (strcasecmp(mode, CM_OP_POLL) == 0) {
@@ -264,8 +261,6 @@ main(int argc, const char **argv)
message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV);
if (message == NULL) {
message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
- } else {
- rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
}
} else
if (strcasecmp(mode, CM_OP_FETCH_SCEP_CA_CERTS) == 0) {
diff --git a/src/submit-e.c b/src/submit-e.c
index befd01e0fd00b8f9e239752ffbd80c985fae5057..af05efeb762933e31fecc67b1204001b7e81c697 100644
--- a/src/submit-e.c
+++ b/src/submit-e.c
@@ -446,12 +446,6 @@ cm_submit_e_need_scep_messages(struct cm_submit_state *state)
static int
cm_submit_e_need_rekey(struct cm_submit_state *state)
{
- int status;
- status = cm_subproc_get_exitstatus(state->subproc);
- if (WIFEXITED(status) &&
- (WEXITSTATUS(status) == CM_SUBMIT_STATUS_NEED_REKEY)) {
- return 0;
- }
return -1;
}
diff --git a/src/tdbush.c b/src/tdbush.c
index 631da3ed2bbb1f6828d576760299ad51d7e41923..aec5e9d0a36a7cb5c035e1aefda04c2b32b1e100 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -7117,14 +7117,6 @@ cm_tdbush_iface_request(void)
NULL))),
NULL),
make_interface_item(cm_tdbush_interface_method,
- make_method("rekey",
- request_rekey,
- make_method_arg("working",
- DBUS_TYPE_BOOLEAN_AS_STRING,
- cm_tdbush_method_arg_out,
- NULL),
- NULL),
- make_interface_item(cm_tdbush_interface_method,
make_method("resubmit",
request_resubmit,
make_method_arg("working",
@@ -7179,7 +7171,7 @@ cm_tdbush_iface_request(void)
make_interface_item(cm_tdbush_interface_signal,
make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED,
NULL),
- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
+ NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
}
return ret;
}
diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out
index bd57a01ba8725418978259018441f6a9a6672758..85d07b3baef83dbafd39c03888881cb665518733 100644
--- a/tests/010-iterate/expected.out
+++ b/tests/010-iterate/expected.out
@@ -398,19 +398,15 @@ HAVE_CSR
-START-
NEED_TO_SUBMIT
SUBMITTING
-NEED_KEY_PAIR
+NEED_GUIDANCE
-STOP-
-NEED_KEY_PAIR
+NEED_GUIDANCE
-START-
-GENERATING_KEY_PAIR
-HAVE_KEY_PAIR
-NEED_KEYINFO
+NEED_GUIDANCE
-STOP-
-NEED_KEYINFO
+NEED_GUIDANCE
-START-
-READING_KEYINFO
-HAVE_KEYINFO
-NEED_CSR
+NEED_GUIDANCE
-STOP-
[Enroll until we notice we have no specified CA.]
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index 93cc4d184524c4b1aeba02a650c94d832462c236..26850efaedb966cd94ecd0db42d6adb378b47f37 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -403,9 +403,6 @@ OK
<arg name="status" type="b" direction="out"/>
<arg name="path" type="o" direction="out"/>
</method>
- <method name="rekey">
- <arg name="working" type="b" direction="out"/>
- </method>
<method name="resubmit">
<arg name="working" type="b" direction="out"/>
</method>
@@ -483,9 +480,6 @@ recently
1 on /org/fedorahosted/certmonger/requests/Request2
After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
-[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
-1
-
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.resubmit ]
1
diff --git a/tests/036-getcert/expected.out b/tests/036-getcert/expected.out
index c1a13c8e058e39285ee842b173356002da2fd0e6..b6d1eaf7c733e04d5b928e7a59edeca43a27a5ef 100644
--- a/tests/036-getcert/expected.out
+++ b/tests/036-getcert/expected.out
@@ -11,20 +11,21 @@ certs:1
keys:1
-----BEGIN PRIVATE KEY-----
[Files, rekey]
-Resubmitting "first" to "local".
certs:1
-----BEGIN CERTIFICATE-----
keys:1
-----BEGIN PRIVATE KEY-----
+ERROR: keys were not changed on rekey
+ERROR: cert was not changed on rekey
[Files, rekey with preserve=1]
-Resubmitting "first" to "local".
certs:1
-----BEGIN CERTIFICATE-----
-keys:2
------BEGIN PRIVATE KEY-----
+keys:1
-----BEGIN PRIVATE KEY-----
+ERROR: keys were not changed on rekey
+ERROR: cert was not changed on rekey
+ERROR: old keys were not saved on rekey
[Files, rekey with jerk CA]
-Resubmitting "first" to "jerkca".
certs:1
-----BEGIN CERTIFICATE-----
keys:1
@@ -44,30 +45,31 @@ pk12util: PKCS12 EXPORT SUCCESSFUL
cert:1
key:1
[Database, rekey]
-Resubmitting "first" to "local".
certs:1
keys:1
pk12util: PKCS12 EXPORT SUCCESSFUL
cert:1
key:1
+ERROR: keys were not changed on rekey
+ERROR: cert was not changed on rekey
[Database, rekey with preserve=1]
-Resubmitting "first" to "local".
certs:1
-keys:2
+keys:1
pk12util: PKCS12 EXPORT SUCCESSFUL
cert:1
key:1
+ERROR: keys were not changed on rekey
+ERROR: cert was not changed on rekey
+ERROR: old keys were not saved on rekey
[Database, rekey with jerk CA]
-Resubmitting "first" to "jerkca".
certs:1
-keys:3
+keys:1
pk12util: PKCS12 EXPORT SUCCESSFUL
cert:1
key:1
[Database, rekey with jerk CA, nonpreserving]
-Resubmitting "first" to "jerkca".
certs:1
-keys:3
+keys:1
pk12util: PKCS12 EXPORT SUCCESSFUL
cert:1
key:1
diff --git a/tests/037-rekey2/expected.out b/tests/037-rekey2/expected.out
index bd8cca7c3eedb5a02249f450451b651bb270ec24..62a1c746f86bb53fe79d1226ab9194825f7642d8 100644
--- a/tests/037-rekey2/expected.out
+++ b/tests/037-rekey2/expected.out
@@ -112,7 +112,7 @@ MONITORING
-STOP-
MONITORING
-START-
-NEED_KEY_PAIR
+NEED_CSR
-STOP-
[Uses = 2.]
NEED_KEY_PAIR
@@ -228,6 +228,6 @@ MONITORING
-STOP-
MONITORING
-START-
-NEED_KEY_PAIR
+NEED_CSR
-STOP-
Test complete.
--
2.7.4