From 2d498bdfca10e0ddee1b1a1f2742db49c27ae696 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 15 2022 06:34:23 +0000
Subject: import certmonger-0.79.14-7.el9


---

diff --git a/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch b/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
new file mode 100644
index 0000000..2bd9262
--- /dev/null
+++ b/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
@@ -0,0 +1,702 @@
+From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 4 Nov 2021 13:51:31 -0400
+Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files
+
+If a non-PEM file was passed into add-scep-ca it would
+accept it without question but later fail with:
+
+status: CA_UNREACHABLE
+ca-error: Error: failed to verify signature on server response.
+
+Try to do basic validation of user-provided PEM files by:
+
+- stripping BEGIN/END headers
+- removing newlines and carriage returns
+- using OpenSSL EVP library to base64 decode the block
+
+This isn't fool-proof but it at least does some basic
+sanity checking to ensure the file(s) exist and appear
+to be PEM files.
+
+The unit tests use some Let's Encrypt CA certificates.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1492112
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/Makefile.am                               |   2 +-
+ src/getcert-add-scep-ca.1.in                  |   2 +
+ src/getcert.c                                 |  39 ++++-
+ src/util-o.c                                  | 144 ++++++++++++++++++
+ src/util-o.h                                  |   7 +
+ tests/040-pem/bad.empty                       |   0
+ .../bad.isrg-root-x1-cross-signed.der.b64     |  25 +++
+ tests/040-pem/expected.out                    |   7 +
+ .../good.isrg-root-x1-cross-signed.pem        |  31 ++++
+ .../good.isrg-root-x1-cross-signed_cr.pem     |  31 ++++
+ tests/040-pem/good.lets_encrypt_chain.pem     |  93 +++++++++++
+ tests/040-pem/run.sh                          |  21 +++
+ tests/Makefile.am                             |   8 +-
+ tests/tools/Makefile.am                       |   3 +-
+ tests/tools/pem.c                             |  69 +++++++++
+ 15 files changed, 474 insertions(+), 8 deletions(-)
+ create mode 100644 tests/040-pem/bad.empty
+ create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
+ create mode 100644 tests/040-pem/expected.out
+ create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem
+ create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
+ create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem
+ create mode 100755 tests/040-pem/run.sh
+ create mode 100644 tests/tools/pem.c
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 53571c5..d8e0a2e 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE)
+ getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS)
+ getcert_SOURCES = getcert.c tm.c tm.h
+ getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \
+-			$(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
++			$(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS)
+ if WITH_IPA
+ bin_PROGRAMS += ipa-getcert
+ ipa_getcert_CFLAGS = $(getcert_CFLAGS)
+diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
+index c2751ed..901791e 100644
+--- a/src/getcert-add-scep-ca.1.in
++++ b/src/getcert-add-scep-ca.1.in
+@@ -14,6 +14,8 @@ helper.  The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
+ 
+ .SH OPTIONS
+ .TP
++All user\-provided certificate files must be in PEM format.
++.TP
+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
+ The nickname to give to this CA configuration.  This same value can later be
+ passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
+diff --git a/src/getcert.c b/src/getcert.c
+index 4afafcb..ddcb739 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -49,6 +49,7 @@
+ #include "submit-u.h"
+ #include "tdbus.h"
+ #include "tdbusm.h"
++#include "util-o.h"
+ 
+ #ifdef ENABLE_NLS
+ #include <libintl.h>
+@@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
+ 	int c, prefer_non_renewal = 0, verbose = 0;
+ 	dbus_bool_t b;
+ 	static DBusMessage *req, *rep;
++	const char *poptarg;
+ 	poptContext pctx;
+ 	struct poptOption popts[] = {
+ 		{"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME},
+ 		{"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL},
+ 		{"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID},
+-		{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
+-		{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
+-		{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
+-		{"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
++		{"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME},
++		{"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME},
++		{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
++		{"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
+ 		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
+ 		{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
+ 		{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
+@@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
+ 		return 1;
+ 	}
+ 	while ((c = poptGetNextOpt(pctx)) > 0) {
++		poptarg = poptGetOptArg(pctx);
+ 		switch (c) {
+ 		case 's':
+ 			bus = cm_tdbus_session;
+@@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
+ 			poptPrintHelp(pctx, stdout, 0);
+ 			return 1;
+ 			break;
++		case 'R':
++            if (validate_pem(globals.tctx, poptarg) != 0) {
++				printf("The root certificate(s) in %s is not valid PEM\n", poptarg);
++				return 1;
++			}
++			root = talloc_strdup(globals.tctx, poptarg);
++			break;
++		case 'r':
++            if (validate_pem(globals.tctx, poptarg) != 0) {
++				printf("The RA certificate(s) in %s is not valid PEM\n", poptarg);
++				return 1;
++			}
++			racert = talloc_strdup(globals.tctx, poptarg);
++			break;
++		case 'I':
++            if (validate_pem(globals.tctx, poptarg) != 0) {
++				printf("The certificate(s) in %s is not valid PEM\n", poptarg);
++				return 1;
++			}
++			certs = talloc_strdup(globals.tctx, poptarg);
++			break;
++		case 'N':
++            if (validate_pem(globals.tctx, poptarg) != 0) {
++				printf("The certificate(s) in %s is not valid PEM\n", poptarg);
++				return 1;
++			}
++			signingca = talloc_strdup(globals.tctx, poptarg);
++			break;
+ 		}
+ 	}
+ 	if (c != -1) {
+diff --git a/src/util-o.c b/src/util-o.c
+index db45964..c05872c 100644
+--- a/src/util-o.c
++++ b/src/util-o.c
+@@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey)
+ {
+ 	return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey);
+ }
++
++static unsigned char *
++decode_base64(const unsigned char *input, int length, int *outlength) {
++	int expected_len;
++	unsigned char *output;
++	int output_len;
++
++	expected_len = 3 * length / 4;
++	output = calloc(expected_len + 1, 1);
++	output_len = EVP_DecodeBlock(output, input, length);
++
++	if (output_len < 0) {
++		*outlength = -1;
++		free(output);
++		return NULL;
++	}
++	if (output_len % 3 != 0) {
++		*outlength = -1;
++		free(output);
++		return NULL;
++	}
++	if (expected_len != output_len) {
++		*outlength = -1;
++		free(output);
++		return NULL;
++	}
++	*outlength = output_len;
++	return output;
++}
++
++int
++validate_pem(void *parent, const char *path)
++{
++	char *p;
++	char *s = NULL, *sp, *sq;
++	int ret = 0;
++	FILE *fp;
++	struct stat st;
++	char *tmp1 = NULL;
++	unsigned char *tmp2 = NULL;
++	char *buffer;
++	int n, i, length;
++	int found = 0;
++
++	fp = fopen(path, "r");
++	if (fp == NULL) {
++		printf("Unable to open %s for reading: %s\n",
++				path, strerror(errno));
++		return -1;
++	}
++	if (fstat(fileno(fp), &st) == -1) {
++		printf("Error opening %s for reading: %s\n",
++				path, strerror(errno));
++		fclose(fp);
++		return -1;
++	}
++	if (st.st_size == 0) {
++		printf("%s is an empty file.\n", path);
++		fclose(fp);
++		return -1;
++	}
++	
++	buffer = malloc(st.st_size + 1);
++	if (buffer == NULL) {
++		printf("Error allocating memory.\n");
++		fclose(fp);
++		return -1;
++	}
++
++	n = 0;
++	while (n < st.st_size) {
++		i = fread(buffer + n, 1, st.st_size - n, fp);
++		if (i <= 0) {
++			printf("Error reading %s: %s.\n",
++				   path, strerror(errno));
++			fclose(fp);
++			ret = -1;
++			goto done;
++		}
++		n += i;
++	}
++	fclose(fp);
++	buffer[st.st_size] = '\0';
++	length = st.st_size;
++	s = malloc(length + 1);
++	if (s == NULL) {
++		printf("Error allocating memory.\n");
++		ret = -1;
++		goto done;
++	}
++	memcpy(s, buffer, length);
++	s[length] = '\0';
++	sp = s;
++	tmp1 = NULL;
++	tmp2 = NULL;
++	while ((sp = strstr(sp, "-----BEGIN")) != NULL) {
++		sq = strstr(sp, "-----END");
++		if (sq != NULL) {
++			found++;
++			sq += strcspn(sq, "\r\n");
++			sq += strspn(sq, "\r\n");
++
++			/* Strip down to pure base64 so no headers, new lines or cr */
++			tmp1 = strndup(sp, sq - sp);
++			p = strstr(tmp1, "-----BEGIN");
++			if (p != NULL) {
++				p += strcspn(p, "\n");
++				if (*p == '\n') {
++   				 p++;
++				}
++				memmove(tmp1, p, strlen(p) + 1);
++			}
++			p = strstr(tmp1, "\n-----END");
++			if (p != NULL) {
++				*p = '\0';
++			}
++			while ((p = strchr(tmp1, '\r')) != NULL) {
++				memmove(p, p + 1, strlen(p));
++			}
++			while ((p = strchr(tmp1, '\n')) != NULL) {
++				memmove(p, p + 1, strlen(p));
++			}
++			length = 0;
++			tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length);
++			if (length < 0) {
++				ret = -1;
++				goto done;
++			}
++			sp = sq;
++		}
++	}
++
++	if (found == 0) {
++		ret = -1;
++	}
++
++done:
++	free(buffer);
++	free(s);
++	free(tmp1);
++	free(tmp2);
++
++	return ret;
++}
+diff --git a/src/util-o.h b/src/util-o.h
+index 916777b..8550e07 100644
+--- a/src/util-o.h
++++ b/src/util-o.h
+@@ -16,6 +16,12 @@
+  */
+ 
+ #ifndef utilo_h
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/objects.h>
++#include <openssl/x509.h>
++#include <openssl/x509v3.h>
++
+ #define utilo_h
+ 
+ struct cm_store_entry;
+@@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version);
+ void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg);
+ EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey);
+ EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey);
++int validate_pem(void *parent, const char *path);
+ 
+ #endif
+diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty
+new file mode 100644
+index 0000000..e69de29
+diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
+new file mode 100644
+index 0000000..f9d7e5b
+--- /dev/null
++++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
+@@ -0,0 +1,25 @@
++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK
++ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
++DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu
++dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi
++MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4
++93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK
++ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD
++cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/
++iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY
++jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu
++Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD
++j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp
++gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi
++0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB
++/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw
++cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG
++AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv
++oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE
++FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG
++rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr
++AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk
++cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc
++RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr
++6GtPAQw4dy753ec5
+diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out
+new file mode 100644
+index 0000000..0459fd2
+--- /dev/null
++++ b/tests/040-pem/expected.out
+@@ -0,0 +1,7 @@
++OK
++OK
++OK
++got expected error with bad.empty
++got expected error with bad.isrg-root-x1-cross-signed.der
++got expected error with bad.notfound
++OK
+diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
+new file mode 100644
+index 0000000..239794a
+--- /dev/null
++++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
+@@ -0,0 +1,31 @@
++-----BEGIN CERTIFICATE----- 
++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
++DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
++AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
++ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
++wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
++LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
++4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
++bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
++sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
++Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
++FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
++SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
++PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
++TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
++SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
++c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
++ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
++b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
++U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
++MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
++5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
++9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
++WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
++he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
++Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
++-----END CERTIFICATE-----
+diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
+new file mode 100644
+index 0000000..239794a
+--- /dev/null
++++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
+@@ -0,0 +1,31 @@
++-----BEGIN CERTIFICATE----- 
++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
++DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
++AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
++ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
++wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
++LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
++4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
++bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
++sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
++Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
++FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
++SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
++PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
++TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
++SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
++c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
++ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
++b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
++U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
++MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
++5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
++9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
++WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
++he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
++Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
++-----END CERTIFICATE-----
+diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem
+new file mode 100644
+index 0000000..29a16ff
+--- /dev/null
++++ b/tests/040-pem/good.lets_encrypt_chain.pem
+@@ -0,0 +1,93 @@
++-----BEGIN CERTIFICATE-----
++MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
++WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
++RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
++MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
++NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
++89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
++Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
++Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
++uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
++AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
++BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
++FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
++SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
++LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
++BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
++AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
++VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
++ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
++A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
++UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
++DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
++eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
++OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
++p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
++2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
++ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
++PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
++rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
++WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
++RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
++AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
++R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
++sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
++NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
++Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
++/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
++AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
++Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
++FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
++AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
++Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
++gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
++PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
++ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
++CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
++lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
++avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
++yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
++yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
++hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
++HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
++MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
++nLRbwHOoq7hHwg==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
++DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
++AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
++ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
++wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
++LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
++4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
++bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
++sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
++Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
++FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
++SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
++PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
++TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
++SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
++c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
++ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
++b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
++U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
++MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
++5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
++9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
++WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
++he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
++Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
++-----END CERTIFICATE-----
+diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh
+new file mode 100755
+index 0000000..1d4d1f4
+--- /dev/null
++++ b/tests/040-pem/run.sh
+@@ -0,0 +1,21 @@
++#!/bin/bash -e
++
++cd "$tmpdir"
++cp -p "$srcdir"/040-pem/bad.* $tmpdir
++base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der
++rm -f "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64
++
++for good in "$srcdir"/040-pem/good.* ; do
++	if ! "$toolsdir"/pem "$good" ; then
++		exit 1
++	fi
++done
++for bad in "$tmpdir"/bad.* bad.notfound; do
++	if "$toolsdir"/pem "$bad" > /dev/null; then
++		echo unexpected success with `basename "$bad"`
++		exit 1
++	else
++		echo got expected error with `basename "$bad"`
++	fi
++done
++echo OK
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 013d34b..e20b6d8 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -132,6 +132,8 @@ CLEANFILES = \
+ 	038-ms-v2-template/actual.err \
+ 	039-fromfile/actual.out \
+ 	039-fromfile/actual.err
++	040-pem/actual.out \
++	040-pem/actual.err
+ EXTRA_DIST = \
+ 	run-tests.sh functions certmonger.conf tools/cachain.sh \
+ 	001-keyiread/run.sh \
+@@ -353,7 +355,8 @@ EXTRA_DIST = \
+ 	038-ms-v2-template/expected.out \
+ 	038-ms-v2-template/extract-extdata.py \
+ 	038-ms-v2-template/run.sh \
+-	039-fromfile/run.sh
++	039-fromfile/run.sh \
++	040-pem/run.sh
+ 
+ subdirs = \
+ 	001-keyiread \
+@@ -388,7 +391,8 @@ subdirs = \
+ 	036-getcert \
+ 	037-rekey2 \
+ 	038-ms-v2-template \
+-	039-fromfile
++	039-fromfile \
++	040-pem
+ 
+ if HAVE_DBM_NSSDB
+ subdirs += \
+diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
+index 53f658e..1a01ee6 100644
+--- a/tests/tools/Makefile.am
++++ b/tests/tools/Makefile.am
+@@ -16,7 +16,8 @@ endif
+ noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
+ 		  name2oid iterate prefs dates listnicks pem2base base2pem \
+ 		  dparse payload checksig base64 cadata citerate casave hooks \
+-		  libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
++		  libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \
++		  pem
+ noinst_LIBRARIES = libtools.a
+ if HAVE_OPENSSL
+ noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
+diff --git a/tests/tools/pem.c b/tests/tools/pem.c
+new file mode 100644
+index 0000000..4fdd4f4
+--- /dev/null
++++ b/tests/tools/pem.c
+@@ -0,0 +1,69 @@
++/*
++ * Copyright (C) 2021 Red Hat, Inc.
++ * 
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include "../../src/config.h"
++
++#include <sys/types.h>
++#include <errno.h>
++#include <fcntl.h>
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++#include <stdio.h>
++#include <stdint.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++
++#include <popt.h>
++
++#include <talloc.h>
++
++#include "../../src/util-o.h"
++
++int
++main(int argc, const char **argv)
++{
++	const char *filename;
++	void *parent;
++	int i, ret = 0;
++	poptContext pctx;
++	struct poptOption popts[] = {
++		POPT_AUTOHELP
++		POPT_TABLEEND
++	};
++
++	parent = talloc_new(NULL);
++	pctx = poptGetContext("pem", argc, argv, popts, 0);
++	while ((i = poptGetNextOpt(pctx)) > 0) {
++		continue;
++	}
++	if (i != -1) {
++		poptPrintUsage(pctx, stdout, 0);
++		return 1;
++	}
++	while ((filename = poptGetArg(pctx)) != NULL) {
++        if (validate_pem(parent, (char *)filename) == 0) {
++			printf("OK\n");
++		} else {
++			ret = 1;
++		}
++	}
++	talloc_free(parent);
++	poptFreeContext(pctx);
++	return ret;
++}
+-- 
+2.31.1
+
diff --git a/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch b/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
new file mode 100644
index 0000000..43ef77c
--- /dev/null
+++ b/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
@@ -0,0 +1,31 @@
+From 657c9ab79a00a2003f7c02c535418896cacc410a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 15 Nov 2021 09:58:40 -0500
+Subject: [PATCH] =?UTF-8?q?Fix=20implicit=20declaration=20of=20function=20?=
+ =?UTF-8?q?=E2=80=98PEM=5Fread=5Fbio=5FX509=E2=80=99?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add an include for openssl/pem.h
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/submit-n.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/submit-n.c b/src/submit-n.c
+index 3dcb820a..4f763a16 100644
+--- a/src/submit-n.c
++++ b/src/submit-n.c
+@@ -33,6 +33,7 @@
+ #include <openssl/pkcs7.h>
+ #include <openssl/stack.h>
+ #include <openssl/x509.h>
++#include <openssl/pem.h>
+ 
+ #include <cert.h>
+ #include <certdb.h>
+-- 
+2.31.1
+
diff --git a/SOURCES/0012-Remove-dependency-on-SHA-1.patch b/SOURCES/0012-Remove-dependency-on-SHA-1.patch
new file mode 100644
index 0000000..253db46
--- /dev/null
+++ b/SOURCES/0012-Remove-dependency-on-SHA-1.patch
@@ -0,0 +1,46 @@
+From 2ef0a885962ecf558a8080b19652a5bd0c11c228 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 17 Mar 2022 15:44:00 -0400
+Subject: [PATCH] Remove dependency on SHA-1
+
+---
+ tests/033-scep/run.sh  | 4 ++--
+ tests/tools/cachain.sh | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh
+index a36cd5a..baaa581 100755
+--- a/tests/033-scep/run.sh
++++ b/tests/033-scep/run.sh
+@@ -148,7 +148,7 @@ check_nonce
+ check_digest sha256
+ echo OK
+ echo "[gic, old trust root]"
+-set_digest sha1
++set_digest sha256
+ $toolsdir/scepgen ca entry > scepdata
+ if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then
+ 	echo missing gic
+@@ -158,7 +158,7 @@ check_verified
+ check_msgtype $SCEP_MSGTYPE_GETCERTINITIAL
+ check_txid
+ check_nonce
+-check_digest sha1
++check_digest sha256
+ echo OK
+ echo "[req next, no trust root]"
+ if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then
+diff --git a/tests/tools/cachain.sh b/tests/tools/cachain.sh
+index 58f0c49..93aca9b 100755
+--- a/tests/tools/cachain.sh
++++ b/tests/tools/cachain.sh
+@@ -1,5 +1,5 @@
+ #!/bin/bash -e
+-digest=sha1
++digest=sha256
+ keytype=rsa:1024
+ serial=12345678
+ cat > openssl.cnf << EOF
+-- 
+2.31.1
+
diff --git a/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch b/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch
new file mode 100644
index 0000000..a5853ea
--- /dev/null
+++ b/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch
@@ -0,0 +1,267 @@
+From bdf93378eca9d28d5b49c8170c849d2c2e6f1991 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 7 Apr 2022 16:30:40 -0400
+Subject: [PATCH] Disable DSA in the RPM spec
+
+DSA has been disabled in default crypto policy since Fedora 30
+and will cause crashes if used in FIPS mode.
+
+Refresh the 028-dbus no-DSA expected output. It was out-of-sync
+from previous changes.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2066439
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ certmonger.spec                   |   6 +-
+ tests/028-dbus/expected.out.nodsa | 135 +++---------------------------
+ 2 files changed, 15 insertions(+), 126 deletions(-)
+
+diff --git a/certmonger.spec b/certmonger.spec
+index 6715d83..9c01438 100644
+--- a/certmonger.spec
++++ b/certmonger.spec
+@@ -28,7 +28,7 @@
+ 
+ Name:		certmonger
+ Version:	0.79.14
+-Release:	1%{?dist}
++Release:	2%{?dist}
+ Summary:	Certificate status monitor and PKI enrollment client
+ 
+ Group:		System Environment/Daemons
+@@ -143,6 +143,7 @@ autoreconf -i -f
+ %if %{with xmlrpc}
+ 	--with-xmlrpc \
+ %endif
++	--disable-dsa \
+ 	--with-tmpdir=/run/certmonger --enable-pie --enable-now
+ %if %{with xmlrpc}
+ # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
+@@ -264,6 +265,9 @@ exit 0
+ %endif
+ 
+ %changelog
++* Mon Mar 28 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.15-2
++- Disable DSA. It is not allowed by default crypto policy (#2066439) 
++
+ * Tue Jun 14 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-1
+ - update to 0.79.14
+   -  Fix local CA to work under FIPS
+diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa
+index 20499bf..0e1b977 100644
+--- a/tests/028-dbus/expected.out.nodsa
++++ b/tests/028-dbus/expected.out.nodsa
+@@ -11,12 +11,14 @@ Request ID 'Buddy':
+ 	CA: local
+ 	issuer: CN=$UUID,CN=Local Signing Authority
+ 	subject: CN=localhost
++	issued: sometime
+ 	expires: sometime
+ 	dns: localhost
+ 	principal name: host/localhost@LOCALHOST
+ 	key usage: digitalSignature,dataEncipherment
+ 	eku: id-kp-serverAuth
+ 	certificate template/profile: SomeProfileName
++	profile: SomeProfileName
+ 	pre-save command: echo Pre
+ 	post-save command: echo Post
+ 	track: yes
+@@ -33,10 +35,6 @@ CA 'IPA':
+ 	is-default: no
+ 	ca-type: EXTERNAL
+ 	helper-location: $libexecdir/ipa-submit
+-CA 'certmaster':
+-	is-default: no
+-	ca-type: EXTERNAL
+-	helper-location: $libexecdir/certmaster-submit
+ CA 'dogtag-ipa-renew-agent':
+ 	is-default: no
+ 	ca-type: EXTERNAL
+@@ -44,8 +42,8 @@ CA 'dogtag-ipa-renew-agent':
+ 
+ [[ API ]]
+ [ simpleprop.py ]
+-/org/fedorahosted/certmonger/cas/CA6
+-/org/fedorahosted/certmonger/cas/CA6
++/org/fedorahosted/certmonger/cas/CA5
++/org/fedorahosted/certmonger/cas/CA5
+ : -> : -k admin@localhost -> :
+ 0 -> 1 -> 0
+ [ walk.py ]
+@@ -181,7 +179,7 @@ OK
+ OK
+ 
+ [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
+-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
++dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
+ 
+ [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
+ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
+@@ -272,6 +270,7 @@ OK
+    <arg name="principal_names" type="as" direction="out"/>
+    <arg name="key_usage" type="x" direction="out"/>
+    <arg name="extended_key_usage" type="as" direction="out"/>
++   <arg name="not_before" type="x" direction="out"/>
+   </method>
+   <property name="issuer" type="s" access="read"/>
+   <property name="serial" type="s" access="read"/>
+@@ -433,7 +432,7 @@ Buddy
+ 
+ 
+ [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
+-(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
++(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently))
+ 
+ [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
+ recently
+@@ -507,7 +506,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
+  <node name="CA2"/>
+  <node name="CA3"/>
+  <node name="CA4"/>
+- <node name="CA5"/>
+ </node>
+ 
+ [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
+@@ -941,10 +939,10 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </node>
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
+-$tmpdir/cas/20180327134236-2
++$tmpdir/cas/20180327134236-3
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
+-certmaster
++dogtag-ipa-renew-agent
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
+ 0
+@@ -956,7 +954,7 @@ EXTERNAL
+ None
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
+-$libexecdir/certmaster-submit
++$libexecdir/dogtag-ipa-renew-agent-submit
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
+ dbus.Array([], signature=dbus.Signature('s'))
+@@ -964,116 +962,3 @@ dbus.Array([], signature=dbus.Signature('s'))
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
+ 1
+ 
+-[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
+-<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
+-"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
+-
+-<node name="/org/fedorahosted/certmonger/cas/CA5">
+- <interface name="org.freedesktop.DBus.Introspectable">
+-  <method name="Introspect">
+-   <arg name="xml_data" type="s" direction="out"/>
+-  </method>
+- </interface>
+- <interface name="org.freedesktop.DBus.Properties">
+-  <method name="Get">
+-   <arg name="interface_name" type="s" direction="in"/>
+-   <arg name="property_name" type="s" direction="in"/>
+-   <arg name="value" type="v" direction="out"/>
+-  </method>
+-  <method name="Set">
+-   <arg name="interface_name" type="s" direction="in"/>
+-   <arg name="property_name" type="s" direction="in"/>
+-   <arg name="value" type="v" direction="in"/>
+-  </method>
+-  <method name="GetAll">
+-   <arg name="interface_name" type="s" direction="in"/>
+-   <arg name="props" type="a{sv}" direction="out"/>
+-  </method>
+-  <signal name="PropertiesChanged">
+-   <arg name="interface_name" type="s"/>
+-   <arg name="changed_properties" type="a{sv}"/>
+-   <arg name="invalidated_properties" type="as"/>
+-  </signal>
+- </interface>
+- <interface name="org.fedorahosted.certmonger.ca">
+-  <method name="get_config_file_path">
+-   <arg name="path" type="s" direction="out"/>
+-  </method>
+-  <method name="get_nickname">
+-   <arg name="nickname" type="s" direction="out"/>
+-  </method>
+-  <property name="nickname" type="s" access="read"/>
+-  <property name="aka" type="s" access="read"/>
+-  <method name="get_is_default">
+-   <arg name="default" type="b" direction="out"/>
+-  </method>
+-  <property name="is-default" type="b" access="readwrite"/>
+-  <method name="get_type">
+-   <arg name="type" type="s" direction="out"/>
+-  </method>
+-  <method name="get_serial">
+-   <arg name="serial_hex" type="s" direction="out"/>
+-  </method>
+-  <method name="get_location">
+-   <arg name="path" type="s" direction="out"/>
+-  </method>
+-  <property name="external-helper" type="s" access="readwrite"/>
+-  <method name="get_issuer_names">
+-   <arg name="names" type="as" direction="out"/>
+-  </method>
+-  <method name="refresh">
+-   <arg name="working" type="b" direction="out"/>
+-  </method>
+-  <property name="ca-error" type="s" access="read"/>
+-  <property name="issuer-names" type="as" access="read"/>
+-  <property name="root-certs" type="a(ss)" access="read"/>
+-  <property name="root-other-certs" type="a(ss)" access="read"/>
+-  <property name="other-certs" type="a(ss)" access="read"/>
+-  <property name="required-enroll-attributes" type="as" access="read"/>
+-  <property name="required-renew-attributes" type="as" access="read"/>
+-  <property name="supported-profiles" type="as" access="read"/>
+-  <property name="default-profile" type="s" access="read"/>
+-  <property name="root-cert-files" type="as" access="readwrite"/>
+-  <property name="root-other-cert-files" type="as" access="readwrite"/>
+-  <property name="other-cert-files" type="as" access="readwrite"/>
+-  <property name="root-cert-nssdbs" type="as" access="readwrite"/>
+-  <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
+-  <property name="other-cert-nssdbs" type="as" access="readwrite"/>
+-  <property name="ca-presave-command" type="s" access="read"/>
+-  <property name="ca-presave-uid" type="s" access="read"/>
+-  <property name="ca-postsave-command" type="s" access="read"/>
+-  <property name="ca-postsave-uid" type="s" access="read"/>
+-  <property name="scep-cipher" type="s" access="readwrite"/>
+-  <property name="scep-digest" type="s" access="readwrite"/>
+-  <property name="scep-ca-identifier" type="s" access="readwrite"/>
+-  <property name="scep-ca-capabilities" type="as" access="read"/>
+-  <property name="scep-ra-cert" type="s" access="read"/>
+-  <property name="scep-ca-cert" type="s" access="read"/>
+-  <property name="scep-other-certs" type="s" access="read"/>
+- </interface>
+-</node>
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
+-$tmpdir/cas/20180327134236-3
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
+-dogtag-ipa-renew-agent
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
+-0
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
+-EXTERNAL
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
+-None
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
+-$libexecdir/dogtag-ipa-renew-agent-submit
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
+-dbus.Array([], signature=dbus.Signature('s'))
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
+-1
+-
+-- 
+2.31.1
+
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index d40f591..4a41f2d 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -28,7 +28,7 @@
 
 Name:		certmonger
 Version:	0.79.14
-Release:	5%{?dist}
+Release:	7%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
 License:	GPLv3+
@@ -43,6 +43,10 @@ Patch0006:	0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
 Patch0007:	0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch
 Patch0008:	0008-Use-implicit-empty-FALSE-for-extensions.patch
 Patch0009:	0009-Use-extensions-template-from-NSS.patch
+Patch0010:	0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
+Patch0011:	0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
+Patch0012:	0012-Remove-dependency-on-SHA-1.patch
+Patch0013:	0013-Disable-DSA-in-the-RPM-spec.patch
 
 
 BuildRequires:	autoconf
@@ -156,6 +160,7 @@ autoreconf -i -f
 %if %{with xmlrpc}
     --with-xmlrpc \
 %endif
+	--disable-dsa \
 	--with-tmpdir=/run/certmonger --enable-pie --enable-now
 %if %{with xmlrpc}
 # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
@@ -273,6 +278,14 @@ exit 0
 %endif
 
 %changelog
+* Thu Apr 07 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.14-7
+- Disable DSA (#2066439)
+
+* Thu Mar 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.14-6
+- Certificate format validation when adding the SCEP server's CA
+  (#1492112)
+- Replace some SHA1 usages with SHA256 in the unit tests
+
 * Thu Oct 07 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-5
 - Certmonger SCEP renewal should not use old challenges (#1990926)
 - Certmonger certificates stuck in NEED_GUIDANCE (#2001082)