From dbb10944381c3169e4d3a5879d1fc2e431bbfb93 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 29 2020 07:07:04 +0000 Subject: import certmonger-0.78.4-14.el7 --- diff --git a/SOURCES/0030-Ensure-that-files-read-in-have-a-trailing-new-line.patch b/SOURCES/0030-Ensure-that-files-read-in-have-a-trailing-new-line.patch new file mode 100644 index 0000000..7a66bd3 --- /dev/null +++ b/SOURCES/0030-Ensure-that-files-read-in-have-a-trailing-new-line.patch 
@@ -0,0 +1,223 @@ +From 5081b5ef7c6338ff5b19520ef828a8a1aaf7631d Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 1 May 2020 16:22:20 -0400 +Subject: [PATCH] Ensure that files read in have a trailing new-line + +In SCEP when retrieving the CA chain the certificates passed in +on the command-line (RA agent and CA cert) area printed along with +the contents of what was retrieved remotely. + +If one of the filesystem certificates lacks a newline then the +output will be jumbled like: + +-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n + +https://bugzilla.redhat.com/show_bug.cgi?id=1814976 +--- + src/submit-u.c | 8 +++++ + tests/039-fromfile/expected.out | 4 +++ + tests/039-fromfile/run.sh | 55 +++++++++++++++++++++++++++++++++ + tests/Makefile.am | 6 ++-- + tests/tools/Makefile.am | 6 +++- + tests/tools/fromfile.c | 52 +++++++++++++++++++++++++++++++ + 6 files changed, 128 insertions(+), 3 deletions(-) + create mode 100644 tests/039-fromfile/expected.out + create mode 100755 tests/039-fromfile/run.sh + create mode 100644 tests/tools/fromfile.c + +diff --git a/src/submit-u.c b/src/submit-u.c +index dda2edb..191526b 100644 +--- a/src/submit-u.c ++++ b/src/submit-u.c +@@ -100,6 +100,14 @@ cm_submit_u_from_file(const char *filename) + } + if (csr == NULL) { + csr = strdup(""); ++ } else { ++ int length = strlen(csr); ++ if (csr[length-1] != '\n') { ++ length += 1; ++ csr = realloc(csr, length + 1); ++ csr[length - 1] = '\n'; ++ csr[length] = '\0'; ++ } + } + return csr; + } +diff --git a/tests/039-fromfile/expected.out b/tests/039-fromfile/expected.out +new file mode 100644 +index 0000000..9191a57 +--- /dev/null ++++ b/tests/039-fromfile/expected.out +@@ -0,0 +1,4 @@ ++[trailing_nl] ++Ok ++[no_trailing_nl] ++Ok +diff --git a/tests/039-fromfile/run.sh b/tests/039-fromfile/run.sh +new file mode 100755 +index 0000000..8bae773 +--- /dev/null ++++ b/tests/039-fromfile/run.sh +@@ -0,0 +1,55 @@ ++#!/bin/bash -e ++ ++cd $tmpdir ++ ++cat > $tmpdir/trailing_nl <<- 
EOF ++-----BEGIN CERTIFICATE----- ++MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw ++UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk ++NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0 ++OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo ++b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0 ++NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy ++nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8 ++OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs ++jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N ++peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE ++Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd ++GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS ++FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO ++BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j ++MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ ++hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5 ++1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D ++AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2 ++rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS ++8gM= ++-----END CERTIFICATE----- ++EOF ++cat > $tmpdir/no_trailing_nl <<- EOF ++-----BEGIN CERTIFICATE----- ++MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw ++UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk ++NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0 ++OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo ++b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0 ++NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy ++nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8 ++OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs 
++jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N ++peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE ++Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd ++GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS ++FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO ++BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j ++MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ ++hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5 ++1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D ++AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2 ++rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS ++8gM= ++EOF ++echo -n "-----END CERTIFICATE-----" >> $tmpdir/no_trailing_nl ++ ++$toolsdir/fromfile trailing_nl ++$toolsdir/fromfile no_trailing_nl +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 562b027..1fe7e55 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -151,7 +151,8 @@ EXTRA_DIST = \ + 037-rekey2/run.sh \ + 038-ms-v2-template/expected.out \ + 038-ms-v2-template/extract-extdata.py \ +- 038-ms-v2-template/run.sh ++ 038-ms-v2-template/run.sh \ ++ 039-fromfile/run.sh + + subdirs = \ + 001-keyiread \ +@@ -193,7 +194,8 @@ subdirs = \ + 035-json \ + 036-getcert \ + 037-rekey2 \ +- 038-ms-v2-template ++ 038-ms-v2-template \ ++ 039-fromfile + + if HAVE_DBM_NSSDB + subdirs += \ +diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am +index 9988b8c..d927e9b 100644 +--- a/tests/tools/Makefile.am ++++ b/tests/tools/Makefile.am +@@ -15,7 +15,7 @@ endif + noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \ + name2oid iterate prefs dates listnicks pem2base base2pem \ + dparse payload checksig base64 cadata citerate casave hooks \ +- libexecdir canon srv addcinfo ls json json-utf8 printenv ++ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile + noinst_LIBRARIES = libtools.a + if 
HAVE_OPENSSL + noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt +@@ -36,3 +36,7 @@ citerate_SOURCES = citerate.c ../../src/store-gen.c + + srv_SOURCES = srv.c ../../src/srvloc.c + srv_LDADD = $(LDADD) ++ ++fromfile_CFLAGS = $(AM_CFLAGS) ++fromfile_SOURCES = fromfile.c ++fromfile_LDADD = $(top_srcdir)/src/submit-u.c $(LDADD) $(UUID_LIBS) +diff --git a/tests/tools/fromfile.c b/tests/tools/fromfile.c +new file mode 100644 +index 0000000..c1d2694 +--- /dev/null ++++ b/tests/tools/fromfile.c +@@ -0,0 +1,52 @@ ++/* ++ * Copyright (C) 2020 Red Hat, Inc. ++ * ++ * This program is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program. If not, see . ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#include "../../src/config.h" ++#include "../../src/submit-u.h" ++ ++int ++main(int argc, char **argv) ++{ ++ int i, result = 0; ++ char *cert; ++ ++ for (i = 1; i < argc; i++) { ++ printf("[%s]\n", argv[i]); ++ cert = cm_submit_u_from_file(argv[i]); ++ if (cert == NULL) { ++ printf("OOM error\n"); ++ result = 1; ++ } ++ else if (cert[strlen(cert) - 1] != '\n') { ++ printf("Missing trailing newline\n"); ++ result = 1; ++ } else { ++ printf("Ok\n"); ++ } ++ free(cert); ++ } ++ return result; ++} +-- +2.21.1 + 
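Review bot: The `realloc` added in the new `else` branch of `cm_submit_u_from_file` is unchecked: on failure the original `csr` is leaked and the two stores after it write through a NULL pointer, while the function's existing NULL-for-OOM convention (which the new `fromfile.c` tool relies on when it prints `OOM error`) would expect NULL back. A second problem shares the branch: `csr[length-1]` reads one byte before the buffer when the loaded text is empty, and `fromfile.c`'s `cert[strlen(cert) - 1]` does the same for the `strdup("")` result an unreadable path produces, so both should test the length first, e.g. `else if (*cert == '\0' || cert[strlen(cert) - 1] != '\n')` in the tool. `int length = strlen(csr)` also narrows `size_t` to `int`. Whether an empty but non-NULL `csr` can reach this point depends on the start of the function, which is outside the hunk; the rewritten branch below handles it either way.
```c
	} else {
		size_t length = strlen(csr);
		if (length == 0 || csr[length - 1] != '\n') {
			/* Append the newline; keep csr valid if realloc fails. */
			char *tmp = realloc(csr, length + 2);
			if (tmp == NULL) {
				free(csr);
				return NULL;
			}
			csr = tmp;
			csr[length] = '\n';
			csr[length + 1] = '\0';
		}
	}
	/* … unchanged: return csr … */
```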
diff --git a/SOURCES/0031-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch b/SOURCES/0031-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch new file mode 100644 index 0000000..84434af --- /dev/null +++ b/SOURCES/0031-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch 
@@ -0,0 +1,62 @@ +From 5c21bcbc0c189777b8cad8658c47d2cfb4cbd2e5 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 22 May 2020 12:58:44 -0400 +Subject: [PATCH] Include &message=CA-IDENT with GetCACaps and GetCACert + requests + +The guttman spec is quite unclear on this and in the GetCACaps +section doesn't mention &message at all. It only appears in the +generic GET requests section 4.1 + +The nourse spec is clearer and requires &message=CA-IDENT on +GetCACaps requests. + +AD 2012 R2 servers also require message on GetCACert requests. + +This reverts much of 60a4db5796b0575ca2cc9f1af4ecb3fdc6359242 + +https://bugzilla.redhat.com/show_bug.cgi?id=1839181 +https://pagure.io/certmonger/issue/103 +--- + src/scep.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/scep.c b/src/scep.c +index 46ab149b..6568122c 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -369,11 +369,11 @@ main(int argc, const char **argv) + break; + case op_get_ca_caps: + /* Only step: read capabilities for the daemon. */ +- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS); ++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id); + break; + case op_get_ca_certs: + /* First step: get the root certificate. */ +- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT); ++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT "&message=%s", id); + break; + case op_get_cert_initial: + if ((racert == NULL) || (strlen(racert) == 0)) { +@@ -392,7 +392,7 @@ main(int argc, const char **argv) + goto done; + } + /* First step: read capabilities for our use. */ +- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS); ++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id); + } + break; + case op_pkcsreq: +@@ -412,7 +412,7 @@ main(int argc, const char **argv) + goto done; + } + /* First step: read capabilities for our use. 
*/ +- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS); ++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id); + } + break; + } +-- +2.25.4 + diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index 0417e06..47135b9 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -26,7 +26,7 @@ Name: certmonger Version: 0.78.4 -Release: 12%{?dist} +Release: 14%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons @@ -65,7 +65,8 @@ Patch0026: 0026-Document-key-cert-file-owner-and-mode-options.patch Patch0027: 0027-scep-correct-GetCAChain-to-GetCACertChain.patch Patch0028: 0028-No-message-ca-ident-from-GetCACaps-GetCACert-drop-Ge.patch Patch0029: 0029-Document-R-N-o-in-dogtag-ipa-renew-agent-submit.patch - +Patch0030: 0030-Ensure-that-files-read-in-have-a-trailing-new-line.patch +Patch0031: 0031-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch Patch1001: 1001-Remove-rekey-feature.patch Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch @@ -286,6 +287,12 @@ exit 0 %endif %changelog +* Fri May 22 2020 Rob Crittenden - 0.78.4-14 +- Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1839181) + +* Fri May 1 2020 Rob Crittenden - 0.78.4-13 +- Ensure that files read in have a trailing new-line (#1814976) + * Wed Jul 31 2019 Rob Crittenden - 0.78.4-12 - Add documentation for the '-N' option to the dogtag-ipa-renew-agent-submit man page (#1651368)
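Review bot: `id` is spliced into the query string with a bare `%s` in all four changed `talloc_asprintf` calls (op_get_ca_caps, op_get_ca_certs and the two preparatory `OP_GET_CA_CAPS` steps), so a CA identifier containing `&`, `=`, `#`, whitespace or non-ASCII bytes produces a malformed request or unintended extra query parameters, and a NULL `id` hands `%s` a null pointer. Nothing in the hunk validates or percent-encodes `id`, and the neighbouring `if ((racert == NULL) || (strlen(racert) == 0))` check shows the file does guard other inputs this way; if `id` comes from configuration, as its use as CA-IDENT suggests, add a NULL/empty guard such as `if (id == NULL) id = "";` and escape it with whatever query-encoding helper scep.c already uses (if none exists, a small percent-encoder) before formatting. Since this reverts 60a4db5, a one-line comment on the first changed line, `/* nourse draft requires message=CA-IDENT here; AD 2012 R2 also needs it on GetCACert */`, would keep the rationale next to the code. The enclosing `main()` starts and ends outside the hunk.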