From 2c41678603b774f54dc23c3e0c5abc602863ec1e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 15 2021 16:23:56 +0000 Subject: import certmonger-0.79.13-4.el8 --- diff --git a/SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch b/SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch new file mode 100644 index 0000000..7f90105 --- /dev/null +++ b/SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch @@ -0,0 +1,38 @@ +From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Wed, 14 Apr 2021 15:34:48 -0400 +Subject: [PATCH] Fix local CA to work under FIPS + +The PKCS12 file used for the local CA fails to be created because +it uses default OpenSSL encryption algorithms that are disallowed +under FIPS. This patch simply updates the PKCS12_create() command +to use allowed encryption algorithms. +--- + src/local.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/local.c b/src/local.c +index 92bea144..2f50ac77 100644 +--- a/src/local.c ++++ b/src/local.c +@@ -39,6 +39,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots, + return CM_SUBMIT_STATUS_UNREACHABLE; + } + p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert, +- cas, 0, 0, 0, 0, 0); ++ cas, NID_aes_128_cbc, NID_aes_128_cbc, ++ 0, 0, 0); + if (p12 != NULL) { + if (!i2d_PKCS12_fp(fp, p12)) { + fclose(fp); +-- +2.26.3 + diff --git a/SOURCES/0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch b/SOURCES/0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch new file mode 100644 index 0000000..fcb1b1f --- /dev/null +++ b/SOURCES/0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch @@ -0,0 +1,123 @@ +From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001 +From: Your Name +Date: Fri, 9 Jul 2021 20:49:28 +0000 +Subject: [PATCH] Add SCEP config option to treat the challenge password as an + OTP + +SCEP RFC 8894 specifies that a challenge password SHOULD be +removed from subsequent requests but that it MAY be included. + +This adds a new configuration option to treat the challenge password +as a one-time password (OTP) so that it will not be sent on +subsequent requests, like renewals, by removing it completely +from the tracking request. + +This allows certmonger to be able to renew AD-issued SCEP certificates +if the AD registry entry DisableRenewalSubjectNameMatch is set to 1. + +https://bugzilla.redhat.com/show_bug.cgi?id=1577570 + +Signed-off-by: Rob Crittenden +--- + src/certmonger.conf.5.in | 9 +++++++++ + src/certsave.c | 13 +++++++++++++ + src/prefs.c | 15 +++++++++++++++ + src/prefs.h | 4 ++++ + 4 files changed, 41 insertions(+) + +diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in +index 6a42d3cb..1b941b9d 100644 +--- a/src/certmonger.conf.5.in ++++ b/src/certmonger.conf.5.in +@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the + \fIselfsign\fR section, if one is set there, will be used. The default value + is \fI@CM_DEFAULT_CERT_LIFETIME@\fR. + ++.SH SCEP ++Within the \fIscep\fR section, these variables and values are recognized: ++ ++.IP challenge_password_otp ++This controls whether the SCEP challenge password is treated as a one-time ++password. If set to yes then the challenge password and/or challenge password ++file will be removed from the tracking request after the first certificate ++issuance so will not be sent with renewal requests. The default is no. ++ + .SH BUGS + Please file tickets for any that you find at https://fedorahosted.org/certmonger/ + +diff --git a/src/certsave.c b/src/certsave.c +index 6eaafe59..f8503662 100644 +--- a/src/certsave.c ++++ b/src/certsave.c +@@ -18,12 +18,25 @@ + #include "config.h" + #include "certsave.h" + #include "certsave-int.h" ++#include "prefs.h" + #include "store-int.h" ++#include "talloc.h" + + /* Start writing the certificate from the entry to the configured location. */ + struct cm_certsave_state * + cm_certsave_start(struct cm_store_entry *entry) + { ++ /* If saving a SCEP certificate wipe out the challenge password */ ++ if ((cm_prefs_scep_password_otp()) && ++ (entry->cm_template_challenge_password != NULL) && ++ (entry->cm_scep_nonce != NULL)) ++ { ++ talloc_free(entry->cm_template_challenge_password); ++ entry->cm_template_challenge_password = NULL; ++ talloc_free(entry->cm_template_challenge_password_file); ++ entry->cm_template_challenge_password_file = NULL; ++ } ++ + switch (entry->cm_cert_storage_type) { + #ifdef HAVE_OPENSSL + case cm_cert_storage_file: +diff --git a/src/prefs.c b/src/prefs.c +index 669e8f1f..52ffc908 100644 +--- a/src/prefs.c ++++ b/src/prefs.c +@@ -595,3 +595,18 @@ prefs_max_key_use_count(void) + } + return count; + } ++ ++int ++cm_prefs_scep_password_otp(void) ++{ ++ static int populate = -1; ++ if (populate == -1) { ++ const char *val; ++ val = cm_prefs_config("scep", "challenge_password_otp"); ++ if (val == NULL) { ++ val = "no"; ++ } ++ populate = cm_prefs_yesno(val); ++ } ++ return populate != -1 ? populate : 0; ++} +diff --git a/src/prefs.h b/src/prefs.h +index 248e1016..a107fb6c 100644 +--- a/src/prefs.h ++++ b/src/prefs.h +@@ -18,6 +18,8 @@ + #ifndef cmprefs_h + #define cmprefs_h + ++#include ++ + enum cm_prefs_cipher { + cm_prefs_aes128, + cm_prefs_aes192, +@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void); + long long prefs_key_end_of_life(time_t ref); + long prefs_max_key_use_count(void); + ++int cm_prefs_scep_password_otp(void); ++ + #endif +-- +2.31.1 + diff --git a/SOURCES/0005-Add-NULL-checks-before-string-compares-when-analyzin.patch b/SOURCES/0005-Add-NULL-checks-before-string-compares-when-analyzin.patch new file mode 100644 index 0000000..7fd494e --- /dev/null +++ b/SOURCES/0005-Add-NULL-checks-before-string-compares-when-analyzin.patch @@ -0,0 +1,42 @@ +From 0eec70b9dbd0a50a24fe173a68fd9ab72857e08d Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 17 Feb 2021 13:40:52 -0500 +Subject: [PATCH] Add NULL checks before string compares when analyzing a cert + +A user reported a segfault which was due to a broken request. +How it got broken I have no idea but it was effectively empty. + +It had everything as defaults: 0, -1, UNSPECIFIED or not +present at all. + +So when trying to analyze the request it did a NULL compare. + +https://pagure.io/certmonger/issue/191 +--- + src/tdbush.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tdbush.c b/src/tdbush.c +index a10a1aff..fb81c477 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -678,14 +678,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, + if (cert_storage != e->cm_cert_storage_type) { + continue; + } +- if (strcmp(cert_location, e->cm_cert_storage_location) != 0) { ++ if ((e->cm_cert_storage_location == NULL) || strcmp(cert_location, e->cm_cert_storage_location) != 0) { + continue; + } + switch (cert_storage) { + case cm_cert_storage_file: + break; + case cm_cert_storage_nssdb: +- if (strcmp(cert_nickname, e->cm_cert_nickname) != 0) { ++ if ((e->cm_cert_nickname == NULL) || strcmp(cert_nickname, e->cm_cert_nickname) != 0) { + continue; + } + break; +-- +2.31.1 + diff --git a/SOURCES/0006-Display-not_before-in-getcert-output.patch b/SOURCES/0006-Display-not_before-in-getcert-output.patch new file mode 100644 index 0000000..dff0f8e --- /dev/null +++ b/SOURCES/0006-Display-not_before-in-getcert-output.patch @@ -0,0 +1,386 @@ +From 84d575da7516cae1ee94099317cf0f8fae2c7ea1 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 8 Apr 2021 14:07:22 -0400 +Subject: [PATCH] Display not_before in getcert output + +Including not_before can help with troubleshooting +renewal problems and if time needs to be reversed +helping identify the maximum one can go back. + +https://bugzilla.redhat.com/show_bug.cgi?id=1940261 + +Signed-off-by: Rob Crittenden +--- + src/getcert.c | 21 ++++- + src/tdbush.c | 10 ++- + src/tdbusm-check.c | 32 ++++++++ + src/tdbusm.c | 150 ++++++++++++++++++++++++++++++++++++ + src/tdbusm.h | 9 +++ + tests/028-dbus/expected.out | 4 +- + tests/028-dbus/run.sh | 1 + + 7 files changed, 220 insertions(+), 7 deletions(-) + +diff --git a/src/getcert.c b/src/getcert.c +index 078f5aa1..4afafcb1 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -3389,7 +3389,7 @@ list(const char *argv0, int argc, const char **argv) + const char *capath, *request; + dbus_bool_t b; + char *s1, *s2, *s3, *s4, *s5, *s6; +- long n1, n2; ++ long n1, n2, n3; + char **as, **as1, **as2, **as3, **as4, **as5, t[25]; + int requests_only = 0, tracking_only = 0, verbose = 0, c, i, j; + unsigned int k; +@@ -3754,10 +3754,10 @@ list(const char *argv0, int argc, const char **argv) + /* Information from the certificate. */ + rep = query_rep(bus, requests[i], CM_DBUS_REQUEST_INTERFACE, + "get_cert_info", verbose); +- if (cm_tdbusm_get_sssnasasasnas(rep, globals.tctx, ++ if (cm_tdbusm_get_sssnasasasnasn(rep, globals.tctx, + &s1, &s2, &s3, &n1, + &as1, &as2, &as3, +- &n2, &as4) != 0) { ++ &n2, &as4, &n3) != 0) { + printf(_("Error parsing server response.\n")); + exit(1); + } +@@ -3768,6 +3768,21 @@ list(const char *argv0, int argc, const char **argv) + printf(_("\tissuer: %s\n"), s1); + printf(_("\tsubject: %s\n"), s3); + when = _("unknown"); ++ if (n3 != 0) { ++ if (force_utc) { ++ when = cm_store_timestamp_from_time_for_display(n3, t); ++ printf(_("\tissued: %s\n"), when); ++ } else { ++ when = cm_store_local_timestamp_from_time_for_display(n3); ++ if (when != NULL) { ++ printf(_("\tissued: %s\n"), when); ++ free(when); ++ } ++ } ++ } else { ++ printf(_("\tissued: %s\n"), when); ++ } ++ when = _("unknown"); + if (n1 != 0) { + if (force_utc) { + when = cm_store_timestamp_from_time_for_display(n1, t); +diff --git a/src/tdbush.c b/src/tdbush.c +index 3587f84f..6fc1b4be 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -2701,7 +2701,7 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg, + rep = dbus_message_new_method_return(msg); + if (rep != NULL) { + eku = eku_splitv(entry, entry->cm_cert_eku); +- cm_tdbusm_set_sssnasasasnas(rep, ++ cm_tdbusm_set_sssnasasasnasn(rep, + entry->cm_cert_issuer, + entry->cm_cert_serial, + entry->cm_cert_subject, +@@ -2710,7 +2710,8 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg, + (const char **) entry->cm_cert_hostname, + (const char **) entry->cm_cert_principal, + ku_from_string(entry->cm_cert_ku), +- (const char **) eku); ++ (const char **) eku, ++ entry->cm_cert_not_before); + dbus_connection_send(conn, rep, NULL); + dbus_message_unref(rep); + talloc_free(eku); +@@ -6563,7 +6564,10 @@ cm_tdbush_iface_request(void) + DBUS_TYPE_ARRAY_AS_STRING + DBUS_TYPE_STRING_AS_STRING, + cm_tdbush_method_arg_out, +- NULL))))))))), ++ make_method_arg("not_before", ++ DBUS_TYPE_INT64_AS_STRING, ++ cm_tdbush_method_arg_out, ++ NULL)))))))))), + NULL), + make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_CERT_ISSUER, +diff --git a/src/tdbusm-check.c b/src/tdbusm-check.c +index 385b1849..31880732 100644 +--- a/src/tdbusm-check.c ++++ b/src/tdbusm-check.c +@@ -539,6 +539,38 @@ get_sssnasasasnas(DBusMessage *rep, int msgid) + return ret; + } + static int ++get_sssnasasasnasn(DBusMessage *rep, int msgid) ++{ ++ int ret, i; ++ long n1, n2, n3; ++ char *s1, *s2, *s3, **as1, **as2, **as3, **as4; ++ ++ ret = cm_tdbusm_get_sssnasasasnasn(rep, NULL, ++ &s1, &s2, &s3, &n1, ++ &as1, &as2, &as3, &n2, &as4, &n3); ++ if (ret == 0) { ++ printf("Message %d - s:%s,s:%s,s:%s," "n:%ld,[", ++ msgid, s1, s2, s3, n1); ++ for (i = 0; (as1 != NULL) && (as1[i] != NULL); i++) { ++ printf("%ss:%s", i > 0 ? "," : "", as1[i]); ++ } ++ printf("],["); ++ for (i = 0; (as2 != NULL) && (as2[i] != NULL); i++) { ++ printf("%ss:%s", i > 0 ? "," : "", as2[i]); ++ } ++ printf("],["); ++ for (i = 0; (as3 != NULL) && (as3[i] != NULL); i++) { ++ printf("%ss:%s", i > 0 ? "," : "", as3[i]); ++ } ++ printf("],n:%ld,n:%ld,[", n2, n3); ++ for (i = 0; (as4 != NULL) && (as4[i] != NULL); i++) { ++ printf("%ss:%s", i > 0 ? "," : "", as4[i]); ++ } ++ printf("]\n"); ++ } ++ return ret; ++} ++static int + get_sasasasnas(DBusMessage *rep, int msgid) + { + int ret, i; +diff --git a/src/tdbusm.c b/src/tdbusm.c +index bc39e1d4..24e03e4c 100644 +--- a/src/tdbusm.c ++++ b/src/tdbusm.c +@@ -935,6 +935,105 @@ cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent, + return 0; + } + ++int ++cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent, ++ char **s1, char **s2, char **s3, long *n1, ++ char ***as1, char ***as2, char ***as3, ++ long *n2, char ***as4, long *n3) ++{ ++ DBusError err; ++ char **tmp1, **tmp2, **tmp3, **tmp4; ++ int64_t i641, i642, i643; ++ int32_t i321, i322, i323; ++ int16_t i161, i162, i163; ++ int i, j, k, l; ++ *s1 = NULL; ++ *s2 = NULL; ++ *s3 = NULL; ++ *as1 = NULL; ++ *as2 = NULL; ++ *as3 = NULL; ++ *as4 = NULL; ++ dbus_error_init(&err); ++ if (!dbus_message_get_args(msg, &err, ++ DBUS_TYPE_STRING, s1, ++ DBUS_TYPE_STRING, s2, ++ DBUS_TYPE_STRING, s3, ++ DBUS_TYPE_INT64, &i641, ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp1, &i, ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp2, &j, ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp3, &k, ++ DBUS_TYPE_INT64, &i642, ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp4, &l, ++ DBUS_TYPE_INT64, &i643, ++ DBUS_TYPE_INVALID)) { ++ if (dbus_error_is_set(&err)) { ++ dbus_error_free(&err); ++ dbus_error_init(&err); ++ } ++ if (!dbus_message_get_args(msg, &err, ++ DBUS_TYPE_STRING, s1, ++ DBUS_TYPE_STRING, s2, ++ DBUS_TYPE_STRING, s3, ++ DBUS_TYPE_INT32, &i321, ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, ++ &tmp1, &i, ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, ++ &tmp2, &j, ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, ++ &tmp3, &k, ++ DBUS_TYPE_INT32, &i322, ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, ++ &tmp4, &l, ++ DBUS_TYPE_INT32, &i323, ++ DBUS_TYPE_INVALID)) { ++ if (dbus_error_is_set(&err)) { ++ dbus_error_free(&err); ++ dbus_error_init(&err); ++ } ++ if (!dbus_message_get_args(msg, &err, ++ DBUS_TYPE_STRING, s1, ++ DBUS_TYPE_STRING, s2, ++ DBUS_TYPE_STRING, s3, ++ DBUS_TYPE_INT16, &i161, ++ DBUS_TYPE_ARRAY, ++ DBUS_TYPE_STRING, &tmp1, &i, ++ DBUS_TYPE_ARRAY, ++ DBUS_TYPE_STRING, &tmp2, &j, ++ DBUS_TYPE_ARRAY, ++ DBUS_TYPE_STRING, &tmp3, &k, ++ DBUS_TYPE_INT16, &i162, ++ DBUS_TYPE_ARRAY, ++ DBUS_TYPE_STRING, &tmp4, &l, ++ DBUS_TYPE_INT16, &i163, ++ DBUS_TYPE_INVALID)) { ++ if (dbus_error_is_set(&err)) { ++ dbus_error_free(&err); ++ dbus_error_init(&err); ++ } ++ return -1; ++ } ++ i321 = i161; ++ i322 = i162; ++ i323 = i163; ++ } ++ i641 = i321; ++ i642 = i322; ++ i643 = i323; ++ } ++ *s1 = *s1 ? talloc_strdup(parent, *s1) : NULL; ++ *s2 = *s2 ? talloc_strdup(parent, *s2) : NULL; ++ *s3 = *s3 ? talloc_strdup(parent, *s3) : NULL; ++ *n1 = i641; ++ *n2 = i642; ++ *n3 = i643; ++ *as1 = cm_tdbusm_take_dbus_string_array(parent, tmp1, i); ++ *as2 = cm_tdbusm_take_dbus_string_array(parent, tmp2, j); ++ *as3 = cm_tdbusm_take_dbus_string_array(parent, tmp3, k); ++ *as4 = cm_tdbusm_take_dbus_string_array(parent, tmp4, l); ++ return 0; ++} ++ + int + cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent, char **s, + char ***as1, char ***as2, char ***as3, +@@ -1856,6 +1955,57 @@ cm_tdbusm_set_sssnasasasnas(DBusMessage *msg, + } + } + ++int ++cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg, ++ const char *s1, const char *s2, const char *s3, ++ long n1, const char **as1, const char **as2, ++ const char **as3, long n2, const char **as4, ++ long n3) ++{ ++ int64_t i1 = n1, i2 = n2, i3 = n3; ++ if (s1 == NULL) { ++ s1 = empty_string; ++ } ++ if (s2 == NULL) { ++ s2 = empty_string; ++ } ++ if (s3 == NULL) { ++ s3 = empty_string; ++ } ++ if (as1 == NULL) { ++ as1 = empty_string_array; ++ } ++ if (as2 == NULL) { ++ as2 = empty_string_array; ++ } ++ if (as3 == NULL) { ++ as3 = empty_string_array; ++ } ++ if (as4 == NULL) { ++ as4 = empty_string_array; ++ } ++ if (dbus_message_append_args(msg, ++ DBUS_TYPE_STRING, &s1, ++ DBUS_TYPE_STRING, &s2, ++ DBUS_TYPE_STRING, &s3, ++ DBUS_TYPE_INT64, &i1, ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, ++ &as1, cm_tdbusm_array_length(as1), ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, ++ &as2, cm_tdbusm_array_length(as2), ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, ++ &as3, cm_tdbusm_array_length(as3), ++ DBUS_TYPE_INT64, &i2, ++ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, ++ &as4, cm_tdbusm_array_length(as4), ++ DBUS_TYPE_INT64, &i3, ++ DBUS_TYPE_INVALID)) { ++ return 0; ++ } else { ++ return -1; ++ } ++} ++ + int + cm_tdbusm_set_sasasasnas(DBusMessage *msg, const char *s, + const char **as1, const char **as2, +diff --git a/src/tdbusm.h b/src/tdbusm.h +index fe021eff..250a9b0a 100644 +--- a/src/tdbusm.h ++++ b/src/tdbusm.h +@@ -55,6 +55,10 @@ int cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent, + char **s1, char **s2, char **s3, long *n1, + char ***as1, char ***as2, + char ***as3, long *n2, char ***as4); ++int cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent, ++ char **s1, char **s2, char **s3, long *n1, ++ char ***as1, char ***as2, ++ char ***as3, long *n2, char ***as4, long *n3); + int cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent, + char **s, + char ***as1, char ***as2, +@@ -124,6 +128,11 @@ int cm_tdbusm_set_sssnasasasnas(DBusMessage *msg, + const char *s3, long n1, + const char **as1, const char **as2, + const char **as3, long n2, const char **as4); ++int cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg, ++ const char *s1, const char *s2, ++ const char *s3, long n1, ++ const char **as1, const char **as2, ++ const char **as3, long n2, const char **as4, long n3); + int cm_tdbusm_set_sasasasnas(DBusMessage *msg, + const char *s, + const char **as1, const char **as2, +diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index ca7de34f..4cecbe15 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -11,6 +11,7 @@ Request ID 'Buddy': + CA: local + issuer: CN=$UUID,CN=Local Signing Authority + subject: CN=localhost ++ issued: sometime + expires: sometime + dns: localhost + principal name: host/localhost@LOCALHOST +@@ -269,6 +270,7 @@ OK + + + ++ + + + +@@ -430,7 +432,7 @@ Buddy + + + [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ] +-(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s'))) ++(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently)) + + [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ] + recently +diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh +index d0be6ad8..a457834f 100755 +--- a/tests/028-dbus/run.sh ++++ b/tests/028-dbus/run.sh +@@ -42,5 +42,6 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \ + -e '/^-----BEGIN/,/^-----END/d' \ + -e "s|$libexecdir|\$libexecdir|g" \ + -e "s|$tmpdir|\$tmpdir|g" \ ++ -e "s|issued:.*|issued: sometime|g" \ + -e "s|expires:.*|expires: sometime|g" \ + -e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \ +-- +2.31.1 + diff --git a/SOURCES/0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch b/SOURCES/0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch new file mode 100644 index 0000000..2a7925d --- /dev/null +++ b/SOURCES/0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch @@ -0,0 +1,40 @@ +From f9c774f737a060b355533c215d7443b9865992a0 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 12 Aug 2021 16:26:09 -0400 +Subject: [PATCH] Fix file descriptor leak when executing CA helpers + +cm_cadata_start_generic() creates a pipe. One half is passed +to fetch(), the function that does all helper calls, +via the cm_cadata_state variable ret. The other half is the +reader and is used to detect execution errors. There is a pair +of write/read on this descriptor which on error would be the +errno. + +This second half wasn't being closed after reading to test for +errors. + +https://bugzilla.redhat.com/show_bug.cgi?id=1992439 + +Signed-off-by: Rob Crittenden +--- + src/cadata.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/cadata.c b/src/cadata.c +index 3e916c9..d851b9e 100644 +--- a/src/cadata.c ++++ b/src/cadata.c +@@ -772,8 +772,10 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op, + cm_log(1, "Error running enrollment helper \"%s\": %s.\n", + ca->cm_ca_external_helper, strerror(u)); + talloc_free(ret); ++ close(error_fd[0]); + return NULL; + } ++ close(error_fd[0]); + return ret; + } + +-- +2.31.1 + diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index 69eac18..ec65f7a 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -11,7 +11,7 @@ Name: certmonger Version: 0.79.13 -Release: 2%{?dist} +Release: 4%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons @@ -21,6 +21,11 @@ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz Patch0001: 0001-Don-t-run-the-002-keygen-tests-when-root.patch Patch0002: 0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch +Patch0003: 0003-Fix-local-CA-to-work-under-FIPS.patch +Patch0004: 0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch +Patch0005: 0005-Add-NULL-checks-before-string-compares-when-analyzin.patch +Patch0006: 0006-Display-not_before-in-getcert-output.patch +Patch0007: 0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch BuildRequires: autoconf BuildRequires: automake @@ -235,6 +240,16 @@ exit 0 %endif %changelog +* Wed Oct 06 2021 Rob Crittenden - 0.79.13-4 +- Certmonger SCEP renewal should not use old challenges (#1577570) +- Certmonger segfault after cert renewal request (#1881500) +- Include certificate NotBefore date in output of the 'getcert list' command + (#1940261) +- Certmonger certificates stuck in NEED_GUIDANCE (#2001079) + +* Wed Apr 28 2021 Rob Crittenden - 0.79.13-3 +- Fix local CA to work under FIPS (#1950132) + * Tue Nov 10 2020 Rob Crittenden - 0.79.13-2 - Rebuild with xmlrpc-c support enabled (#1687698)