From f64bd5ef8d6ceef88028022ba877c80cb583742c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 03 2016 06:17:59 +0000
Subject: import certmonger-0.78.4-3.el7
---
diff --git a/SOURCES/0001-Stop-assuming-RSA-512-works.patch b/SOURCES/0001-Stop-assuming-RSA-512-works.patch
new file mode 100644
index 0000000..463f8bc
--- /dev/null
+++ b/SOURCES/0001-Stop-assuming-RSA-512-works.patch
@@ -0,0 +1,659 @@
+From 1c464828a5ad8f47a6acf7b6d6ec1f324fe63b51 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 12 Jan 2016 17:27:18 -0500
+Subject: [PATCH] Stop assuming RSA 512 works
+
+For the sake of F24, stop assuming that we'll be able to generate
+512-bit RSA keys. We use certutil to do some of it, and it doesn't give
+us a way to toggle support on.
+---
+ tests/001-keyiread-rsa/expected.out | 2 -
+ tests/001-keyiread-rsa/run.sh | 4 +-
+ tests/001-keyiread/expected.out | 2 -
+ tests/001-keyiread/run.sh | 4 +-
+ tests/002-keygen-dsa/expected.out | 6 --
+ tests/002-keygen-dsa/run.sh | 4 +-
+ tests/002-keygen-rsa/expected.out | 6 --
+ tests/002-keygen-rsa/run.sh | 4 +-
+ tests/002-keygen/expected.out | 18 -----
+ tests/002-keygen/run.sh | 4 +-
+ tests/003-csrgen-rsa/expected.out | 124 ++++++++++++++--------------
+ tests/003-csrgen-rsa/run.sh | 4 +-
+ tests/003-csrgen/expected.out | 157 +++++++++++++++++-------------------
+ tests/003-csrgen/run.sh | 4 +-
+ tests/004-selfsign-rsa/expected.out | 1 -
+ tests/004-selfsign-rsa/run.sh | 2 +-
+ tests/004-selfsign/expected.out | 1 -
+ tests/004-selfsign/run.sh | 2 +-
+ 18 files changed, 152 insertions(+), 197 deletions(-)
+
+diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
+index fa3493c04b26eb676700abdab7895fe0a1ee3d6d..727897d14f9a3eb8eab8c3b12964fa7d38cefdef 100644
+--- a/tests/001-keyiread-rsa/expected.out
++++ b/tests/001-keyiread-rsa/expected.out
+@@ -1,10 +1,8 @@
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+ OK (RSA:3072).
+ OK (RSA:4096).
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
+index b5ac7150b80af45a23a56be6a49f3884a9f5049a..c7b7768690e80a9f3fcba0e42fe4a96b60efe48c 100755
+--- a/tests/001-keyiread-rsa/run.sh
++++ b/tests/001-keyiread-rsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a self-signed cert.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+@@ -30,7 +30,7 @@ for size in 512 1024 1536 2048 3072 4096 ; do
+ $toolsdir/keyiread entry.nss.$size
+ done
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a key.
+ openssl genrsa $size > sample.$size 2> /dev/null
+ # Check the size of the key.
+diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
+index fa3493c04b26eb676700abdab7895fe0a1ee3d6d..727897d14f9a3eb8eab8c3b12964fa7d38cefdef 100644
+--- a/tests/001-keyiread/expected.out
++++ b/tests/001-keyiread/expected.out
+@@ -1,10 +1,8 @@
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+ OK (RSA:3072).
+ OK (RSA:4096).
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
+index d95043d164e133ed23148719b74513d745ebec66..ce1428edd8d022d8a7f7f735154234bbdc4bf228 100755
+--- a/tests/001-keyiread/run.sh
++++ b/tests/001-keyiread/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a self-signed cert.
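Review bot: The second loop in tests/001-keyiread-rsa/run.sh still runs `openssl genrsa $size > sample.$size 2> /dev/null` with stderr discarded and the exit status unchecked, so on a build whose OpenSSL policy refuses one of the remaining sizes the loop leaves an empty sample.$size behind and the problem only surfaces later as a confusing keyiread mismatch — the same class of silent assumption this commit is trying to remove. Failing loudly keeps stdout (and therefore expected.out) unchanged: `openssl genrsa $size > sample.$size 2> /dev/null || { echo "genrsa $size failed" >&2; exit 1; }`. The run_certutil call in the first hunk is in the same position as far as the visible lines show, and the identical genrsa line appears in tests/001-keyiread/run.sh. Both loop bodies continue past the end of their hunks.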
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+@@ -30,7 +30,7 @@ for size in 512 1024 1536 2048 3072 4096 ; do
+ $toolsdir/keyiread entry.nss.$size
+ done
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a key.
+ openssl genrsa $size > sample.$size 2> /dev/null
+ # Check the size of the key.
+diff --git a/tests/002-keygen-dsa/expected.out b/tests/002-keygen-dsa/expected.out
+index f2a44d26286605c4186963f6c43b6dbd6e2e81cc..7445bcc2628dd78eef0cea4c90339c79fb3571cf 100644
+--- a/tests/002-keygen-dsa/expected.out
++++ b/tests/002-keygen-dsa/expected.out
+@@ -1,6 +1,3 @@
+-[nss:512]
+-OK.
+-OK (DSA:512).
+ [nss:1024]
+ OK.
+ OK (DSA:1024).
+@@ -20,9 +17,6 @@ OK (DSA:3072).
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (DSA:512).
+ [openssl:1024]
+ OK.
+ OK (DSA:1024).
+diff --git a/tests/002-keygen-dsa/run.sh b/tests/002-keygen-dsa/run.sh
+index fad19de1d365466c0bfd739fbd8be1be9135a291..d9cff0e973bcdffcbeda4c702d3ee86b27d07e43 100755
+--- a/tests/002-keygen-dsa/run.sh
++++ b/tests/002-keygen-dsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[nss:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+@@ -41,7 +41,7 @@ key_gen_type=DSA
+ EOF
+ $toolsdir/keygen entry.$size || true
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[openssl:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out
+index 33f0f48ea92e0b7fa17ccc6a1938fe37d7335c8a..3e6e9f3c1b293a0a9c16085bfbf243d44e43e129 100644
+--- a/tests/002-keygen-rsa/expected.out
++++ b/tests/002-keygen-rsa/expected.out
+@@ -1,6 +1,3 @@
+-[nss:512]
+-OK.
+-OK (RSA:512).
+ [nss:1024]
+ OK.
+ OK (RSA:1024).
+@@ -20,9 +17,6 @@ OK (RSA:4096).
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (RSA:512).
+ [openssl:1024]
+ OK.
+ OK (RSA:1024).
+diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh
+index b133edd8535db75804c82f7505e055c9b1bd0aa2..476f412753511772c506e76d8f3bb9c128b8aa1e 100755
+--- a/tests/002-keygen-rsa/run.sh
++++ b/tests/002-keygen-rsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[nss:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+@@ -41,7 +41,7 @@ key_gen_type=RSA
+ EOF
+ $toolsdir/keygen entry.$size || true
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[openssl:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
+index f47d2d564bfd36d8d944bc388119314ee41c3722..ff56372aac282743f79699b0b381fcf198bd5db4 100644
+--- a/tests/002-keygen/expected.out
++++ b/tests/002-keygen/expected.out
+@@ -1,12 +1,3 @@
+-[nss:512]
+-OK.
+-OK (RSA:512).
+-OK.
+-OK (RSA:512 after RSA:512).
+-OK.
+-OK (RSA:512 after RSA:512).
+-keyi512
+-keyi512 (candidate (next))
+ [nss:1024]
+ OK.
+ OK (RSA:1024).
+@@ -56,15 +47,6 @@ keyi4096 (candidate (next))
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (RSA:512).
+-OK.
+-OK (RSA:512 after RSA:512).
+-OK.
+-OK (RSA:512 after RSA:512).
+-${tmpdir}/sample.512
+-${tmpdir}/sample.512.(next).key
+ [openssl:1024]
+ OK.
+ OK (RSA:1024).
+diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
+index a0867cf1e3fd0a9f18d275ab308ec93808936b4b..f550feebac5ed10a52500286bb8b779ed8e1526a 100755
+--- a/tests/002-keygen/run.sh
++++ b/tests/002-keygen/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[nss:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+@@ -49,7 +49,7 @@ key_gen_size=$size
+ EOF
+ $toolsdir/keygen entry.$size || true
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[openssl:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
+index 7b67eab3b9e431b8d22b5a73bb6b5d2952e05d83..e058e8541c2de49fe5f446a7e3432b4138fbb876 100644
+--- a/tests/003-csrgen-rsa/expected.out
++++ b/tests/003-csrgen-rsa/expected.out
+@@ -1,9 +1,5 @@
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+ MAC verified OK
+-512 OK.
+-Signature OK
+-pk12util: PKCS12 EXPORT SUCCESSFUL
+-MAC verified OK
+ 1024 OK.
+ Signature OK
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+@@ -23,70 +19,70 @@ MAC verified OK
+ 4096 OK.
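Review bot: Removing 512 from the size list in tests/002-keygen/run.sh also removes the only case that exercised a below-minimum RSA request, so after this change nothing in the suite pins what keygen does when an entry asks for `key_gen_size=512` on a platform that refuses it — fail, round up, or (where the backend still permits it) quietly produce a weak key. Since the suite already carries per-platform alternate outputs (expected.out.2 and .3 are touched in the follow-up patch), one `[nss:512]`/`[openssl:512]` iteration whose expected output records the refusal or the size actually produced would keep that coverage instead of dropping it. Note that `$toolsdir/keygen entry.$size || true` in the second hunk would mask a refusal anyway, so that line would need to report the status for a negative case to mean anything. The entry heredoc and the rest of each loop body lie outside the hunks.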
+ Signature OK + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1019 cons: SEQUENCE +- 4:d=1 hl=4 l= 933 cons: SEQUENCE ++ 0:d=0 hl=4 l=1413 cons: SEQUENCE ++ 4:d=1 hl=4 l=1133 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET + 15:d=4 hl=2 l= 18 cons: SEQUENCE + 17:d=5 hl=2 l= 3 prim: OBJECT :commonName + 22:d=5 hl=2 l= 11 prim: PRINTABLESTRING :Babs Jensen +- 35:d=2 hl=2 l= 92 cons: SEQUENCE +- 37:d=3 hl=2 l= 13 cons: SEQUENCE +- 39:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption +- 50:d=4 hl=2 l= 0 prim: NULL +- 52:d=3 hl=2 l= 75 prim: BIT STRING +- 129:d=2 hl=4 l= 808 cons: cont [ 0 ] +- 133:d=3 hl=2 l= 52 cons: SEQUENCE +- 135:d=4 hl=2 l= 9 prim: OBJECT :challengePassword +- 146:d=4 hl=2 l= 39 cons: SET +- 148:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText +- 187:d=3 hl=2 l= 61 cons: SEQUENCE +- 189:d=4 hl=2 l= 9 prim: OBJECT :friendlyName +- 200:d=4 hl=2 l= 48 cons: SET +- 202:d=5 hl=2 l= 46 prim: BMPSTRING +- 250:d=3 hl=4 l= 687 cons: SEQUENCE +- 254:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 265:d=4 hl=4 l= 672 cons: SET +- 269:d=5 hl=4 l= 668 cons: SEQUENCE +- 273:d=6 hl=2 l= 14 cons: SEQUENCE +- 275:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 280:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 283:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 289:d=6 hl=4 l= 264 cons: SEQUENCE +- 293:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 298:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 301:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]: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 +- 557:d=6 hl=2 l= 32 cons: SEQUENCE +- 559:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 564:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 567:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 591:d=6 hl=2 l= 18 cons: SEQUENCE +- 593:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 598:d=7 hl=2 l= 1 prim: BOOLEAN :255 
+- 601:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 611:d=6 hl=2 l= 34 cons: SEQUENCE +- 613:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 618:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 621:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 647:d=6 hl=2 l= 32 cons: SEQUENCE +- 649:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 654:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 657:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 681:d=6 hl=2 l= 107 cons: SEQUENCE +- 683:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 693:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 696:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 790:d=6 hl=2 l= 96 cons: SEQUENCE +- 792:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 797:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 800:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 888:d=6 hl=2 l= 51 cons: SEQUENCE +- 890:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 901:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 904:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 941:d=1 hl=2 l= 13 cons: SEQUENCE +- 943:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 954:d=2 hl=2 l= 0 prim: NULL +- 956:d=1 hl=2 l= 65 prim: BIT STRING ++ 35:d=2 hl=4 l= 290 cons: SEQUENCE ++ 39:d=3 hl=2 l= 13 cons: SEQUENCE ++ 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption ++ 52:d=4 hl=2 l= 0 prim: NULL ++ 54:d=3 hl=4 l= 271 prim: BIT STRING ++ 329:d=2 hl=4 l= 808 cons: cont [ 0 ] ++ 333:d=3 hl=2 l= 52 cons: SEQUENCE ++ 335:d=4 hl=2 l= 9 
prim: OBJECT :challengePassword ++ 346:d=4 hl=2 l= 39 cons: SET ++ 348:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText ++ 387:d=3 hl=2 l= 61 cons: SEQUENCE ++ 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName ++ 400:d=4 hl=2 l= 48 cons: SET ++ 402:d=5 hl=2 l= 46 prim: BMPSTRING ++ 450:d=3 hl=4 l= 687 cons: SEQUENCE ++ 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request ++ 465:d=4 hl=4 l= 672 cons: SET ++ 469:d=5 hl=4 l= 668 cons: SEQUENCE ++ 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage ++ 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 489:d=6 hl=4 l= 264 cons: SEQUENCE ++ 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]: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 ++ 757:d=6 hl=2 l= 32 cons: SEQUENCE ++ 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 764:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 791:d=6 hl=2 l= 18 cons: SEQUENCE ++ 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 798:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 801:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 811:d=6 hl=2 l= 34 cons: SEQUENCE ++ 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 818:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 847:d=6 hl=2 l= 32 cons: SEQUENCE ++ 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 854:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 881:d=6 hl=2 l= 107 cons: SEQUENCE ++ 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 893:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 896:d=7 hl=2 l= 92 prim: OCTET STRING 
[HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 990:d=6 hl=2 l= 96 cons: SEQUENCE ++ 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 997:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1088:d=6 hl=2 l= 51 cons: SEQUENCE ++ 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1141:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1154:d=2 hl=2 l= 0 prim: NULL ++ 1156:d=1 hl=4 l= 257 prim: BIT STRING + Test complete (32 combinations). +diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh +index c049dd00d411706b1470a1a8a9fb8ae59c36bf8b..7f1e7b41f195b3af429c1ba7129dd00b7ca2ed9d 100755 +--- a/tests/003-csrgen-rsa/run.sh ++++ b/tests/003-csrgen-rsa/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + # Build a self-signed certificate. 
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +@@ -216,7 +216,7 @@ for nscomment in "" "certmonger generated this request" ; do + done + nscomment= + +-size=512 ++size=2048 + subject="CN=Babs Jensen" + hostname=localhost,localhost.localdomain + email=root@localhost,root@localhost.localdomain +diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out +index 7f4586cd2820be6c0a88bd6787c86a532f68643c..51083160df3dd69972292fd23d51e79714290d22 100644 +--- a/tests/003-csrgen/expected.out ++++ b/tests/003-csrgen/expected.out +@@ -1,11 +1,6 @@ + pk12util: PKCS12 EXPORT SUCCESSFUL + MAC verified OK + Signature OK +-minicert.openssl.512.pem: OK +-512 OK. +-pk12util: PKCS12 EXPORT SUCCESSFUL +-MAC verified OK +-Signature OK + minicert.openssl.1024.pem: OK + 1024 OK. + pk12util: PKCS12 EXPORT SUCCESSFUL +@@ -29,86 +24,86 @@ Signature OK + minicert.openssl.4096.pem: OK + 4096 OK. + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1241 cons: SEQUENCE +- 4:d=1 hl=4 l=1155 cons: SEQUENCE ++ 0:d=0 hl=4 l=1635 cons: SEQUENCE ++ 4:d=1 hl=4 l=1355 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET + 15:d=4 hl=2 l= 18 cons: SEQUENCE + 17:d=5 hl=2 l= 3 prim: OBJECT :commonName + 22:d=5 hl=2 l= 11 prim: PRINTABLESTRING :Babs Jensen +- 35:d=2 hl=2 l= 92 cons: SEQUENCE +- 37:d=3 hl=2 l= 13 cons: SEQUENCE +- 39:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption +- 50:d=4 hl=2 l= 0 prim: NULL +- 52:d=3 hl=2 l= 75 prim: BIT STRING +- 129:d=2 hl=4 l=1030 cons: cont [ 0 ] +- 133:d=3 hl=2 l= 52 cons: SEQUENCE +- 135:d=4 hl=2 l= 9 prim: OBJECT :challengePassword +- 146:d=4 hl=2 l= 39 cons: SET +- 148:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText +- 187:d=3 hl=2 l= 61 cons: SEQUENCE +- 189:d=4 hl=2 l= 9 prim: OBJECT :friendlyName +- 200:d=4 hl=2 l= 48 cons: SET +- 202:d=5 hl=2 l= 46 prim: BMPSTRING +- 250:d=3 hl=4 l= 909 cons: SEQUENCE +- 
254:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 265:d=4 hl=4 l= 894 cons: SET +- 269:d=5 hl=4 l= 890 cons: SEQUENCE +- 273:d=6 hl=2 l= 14 cons: SEQUENCE +- 275:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 280:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 283:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 289:d=6 hl=4 l= 290 cons: SEQUENCE +- 293:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 298:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 301:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 +- 583:d=6 hl=2 l= 32 cons: SEQUENCE +- 585:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 590:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 593:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 617:d=6 hl=2 l= 18 cons: SEQUENCE +- 619:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 624:d=7 hl=2 l= 1 prim: BOOLEAN :255 +- 627:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 637:d=6 hl=2 l= 34 cons: SEQUENCE +- 639:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 644:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 647:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 673:d=6 hl=2 l= 32 cons: SEQUENCE +- 675:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 680:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 683:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 707:d=6 hl=2 l= 107 cons: SEQUENCE +- 709:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 719:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 722:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 816:d=6 hl=2 l= 96 cons: SEQUENCE +- 818:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 823:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 
826:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 914:d=6 hl=2 l= 106 cons: SEQUENCE +- 916:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL +- 921:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 924:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 +- 1022:d=6 hl=2 l= 51 cons: SEQUENCE +- 1024:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 1035:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1038:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 1075:d=6 hl=2 l= 18 cons: SEQUENCE +- 1077:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check +- 1088:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1091:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 +- 1095:d=6 hl=2 l= 44 cons: SEQUENCE +- 1097:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 +- 1108:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1111:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 +- 1141:d=6 hl=2 l= 20 cons: SEQUENCE +- 1143:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type +- 1154:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1157:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 +- 1163:d=1 hl=2 l= 13 cons: SEQUENCE +- 1165:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 1176:d=2 hl=2 l= 0 prim: NULL +- 1178:d=1 hl=2 l= 65 prim: BIT STRING ++ 35:d=2 hl=4 l= 290 cons: SEQUENCE ++ 39:d=3 hl=2 l= 13 cons: SEQUENCE ++ 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption ++ 52:d=4 hl=2 l= 0 prim: NULL ++ 54:d=3 hl=4 l= 271 prim: BIT STRING ++ 329:d=2 hl=4 l=1030 cons: cont [ 0 ] ++ 333:d=3 hl=2 l= 52 cons: SEQUENCE ++ 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword ++ 346:d=4 hl=2 l= 39 cons: SET ++ 
348:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText ++ 387:d=3 hl=2 l= 61 cons: SEQUENCE ++ 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName ++ 400:d=4 hl=2 l= 48 cons: SET ++ 402:d=5 hl=2 l= 46 prim: BMPSTRING ++ 450:d=3 hl=4 l= 909 cons: SEQUENCE ++ 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request ++ 465:d=4 hl=4 l= 894 cons: SET ++ 469:d=5 hl=4 l= 890 cons: SEQUENCE ++ 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage ++ 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 489:d=6 hl=4 l= 290 cons: SEQUENCE ++ 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 ++ 783:d=6 hl=2 l= 32 cons: SEQUENCE ++ 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 790:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 817:d=6 hl=2 l= 18 cons: SEQUENCE ++ 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 824:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 837:d=6 hl=2 l= 34 cons: SEQUENCE ++ 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 844:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 873:d=6 hl=2 l= 32 cons: SEQUENCE ++ 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 880:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 907:d=6 hl=2 l= 107 cons: SEQUENCE ++ 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 919:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX 
DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 1016:d=6 hl=2 l= 96 cons: SEQUENCE ++ 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1114:d=6 hl=2 l= 106 cons: SEQUENCE ++ 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL ++ 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 ++ 1222:d=6 hl=2 l= 51 cons: SEQUENCE ++ 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1275:d=6 hl=2 l= 18 cons: SEQUENCE ++ 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check ++ 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 ++ 1295:d=6 hl=2 l= 44 cons: SEQUENCE ++ 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 ++ 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 ++ 1341:d=6 hl=2 l= 20 cons: SEQUENCE ++ 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type ++ 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 ++ 1363:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1376:d=2 hl=2 l= 0 prim: NULL ++ 1378:d=1 hl=4 l= 257 prim: BIT STRING + Test 
complete (69 combinations).
+diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
+index 9a1c027fa7d9da0eec41e5e63e68b05645df9d6b..67b12064b55dd52bd64fbf1b1f9615655913c334 100755
+--- a/tests/003-csrgen/run.sh
++++ b/tests/003-csrgen/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Build a self-signed certificate.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+@@ -298,7 +298,7 @@ for ns_certtype in "" client server email objsign reserved sslca emailca objca c
+ done
+ ns_certtype=
+
+-size=512
++size=2048
+ subject="CN=Babs Jensen"
+ hostname=localhost,localhost.localdomain
+ email=root@localhost,root@localhost.localdomain
+diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out
+index c50bd2ee0c1101f2df71738d4152e4fcf3bc9591..dd5029eca4f2b6e2cd354f64cd31b843c5857385 100644
+--- a/tests/004-selfsign-rsa/expected.out
++++ b/tests/004-selfsign-rsa/expected.out
+@@ -1,4 +1,3 @@
+-512 OK.
+ 1024 OK.
+ 1536 OK.
+ 2048 OK.
+diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
+index 8788bdb02fee287299e4cc389e18c7e0eb5ca91d..6f9285b65d4205fd4f24327fea9d934afc5fd68c 100755
+--- a/tests/004-selfsign-rsa/run.sh
++++ b/tests/004-selfsign-rsa/run.sh
+@@ -33,7 +33,7 @@ function setupca() {
+ EOF
+ }
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Build a self-signed certificate.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out
+index c50bd2ee0c1101f2df71738d4152e4fcf3bc9591..dd5029eca4f2b6e2cd354f64cd31b843c5857385 100644
+--- a/tests/004-selfsign/expected.out
++++ b/tests/004-selfsign/expected.out
+@@ -1,4 +1,3 @@
+-512 OK.
+ 1024 OK.
+ 1536 OK.
+ 2048 OK.
+diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
+index 7b2ee438d34d539ab7063b0bd1fc004421c97999..7bb368ec39d9675bff05c837c7e9a4cf64c5b714 100755
+--- a/tests/004-selfsign/run.sh
++++ b/tests/004-selfsign/run.sh
+@@ -43,7 +43,7 @@ function setupca() {
+ EOF
+ }
+
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Build a self-signed certificate.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+--
+2.9.0
+
diff --git a/SOURCES/0002-Stop-assuming-RSA-512-works-part-two.patch b/SOURCES/0002-Stop-assuming-RSA-512-works-part-two.patch
new file mode 100644
index 0000000..fe0ee2a
--- /dev/null
+++ b/SOURCES/0002-Stop-assuming-RSA-512-works-part-two.patch
@@ -0,0 +1,56 @@
+From e7f5c8bfbcd5e1f9256fe7a256d2f5b9340003a5 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 13 Jan 2016 09:38:13 -0500
+Subject: [PATCH] Stop assuming RSA 512 works, part two
+
+Catch up a couple of the other valid output sets.
+---
+ tests/002-keygen-dsa/expected.out.2 | 6 ------
+ tests/002-keygen-dsa/expected.out.3 | 6 ------
+ 2 files changed, 12 deletions(-)
+
+diff --git a/tests/002-keygen-dsa/expected.out.2 b/tests/002-keygen-dsa/expected.out.2
+index 9275bafaabb15bfc4829860bc994880c3f8f704d..7445bcc2628dd78eef0cea4c90339c79fb3571cf 100644
+--- a/tests/002-keygen-dsa/expected.out.2
++++ b/tests/002-keygen-dsa/expected.out.2
+@@ -1,6 +1,3 @@
+-[nss:512]
+-OK.
+-OK (DSA:3072).
+ [nss:1024]
+ OK.
+ OK (DSA:1024).
+@@ -20,9 +17,6 @@ OK (DSA:3072).
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (DSA:512).
+ [openssl:1024]
+ OK.
+ OK (DSA:1024).
+diff --git a/tests/002-keygen-dsa/expected.out.3 b/tests/002-keygen-dsa/expected.out.3
+index c8547b4206435a004e0f3a64016e2fb09ff4e25a..0f563e2895a6ef6f455f83cbc235e27213db8415 100644
+--- a/tests/002-keygen-dsa/expected.out.3
++++ b/tests/002-keygen-dsa/expected.out.3
+@@ -1,6 +1,3 @@
+-[nss:512]
+-OK.
+-OK (DSA:512).
+ [nss:1024]
+ OK.
+ OK (DSA:1016).
+@@ -20,9 +17,6 @@ OK (DSA:3072).
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (DSA:512).
+ [openssl:1024]
+ OK.
+ OK (DSA:1024).
+--
+2.9.0
+
diff --git a/SOURCES/0003-Add-issuer-request-option-for-specifying-issuer.patch b/SOURCES/0003-Add-issuer-request-option-for-specifying-issuer.patch
new file mode 100644
index 0000000..ecd29cb
--- /dev/null
+++ b/SOURCES/0003-Add-issuer-request-option-for-specifying-issuer.patch
@@ -0,0 +1,548 @@
+From 2187e205da4fb2fcfdc2d8b9e4a4117f849041f7 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Fri, 3 Jun 2016 10:22:23 +1000
+Subject: [PATCH] Add 'issuer' request option for specifying issuer
+
+FreeIPA is implementing a 'lightweight CAs' feature where a single
+Dogtag instance can host multiple CAs. Add the '--issuer' / '-X'
+getcert-request option for specifying a particular CA, and the
+'CERTMONGER_CA_ISSUER' environment variable for passing the value to
+submit helpers. Also update the 'ipa-submit' helper to set the 'ca'
+argument if the environment variable is set.
+
+Reviewed-by: Nalin Dahyabhai
+---
+ doc/api.txt | 2 ++
+ doc/submit.txt | 1 +
+ src/cadata.c | 1 +
+ src/getcert-request.1.in | 3 +++
+ src/getcert-resubmit.1.in | 3 +++
+ src/getcert-start-tracking.1.in | 3 +++
+ src/getcert.c | 44 ++++++++++++++++++++++++++++++++++++-----
+ src/ipa.c | 25 +++++++++++++++++------
+ src/store-files.c | 9 +++++++++
+ src/store-int.h | 1 +
+ src/submit-e.c | 1 +
+ src/submit-e.h | 1 +
+ src/tdbus.h | 1 +
+ src/tdbush.c | 25 ++++++++++++++++++++++++-
+ tests/028-dbus/expected.out | 1 +
+ 15 files changed, 109 insertions(+), 12 deletions(-)
+
+diff --git a/doc/api.txt b/doc/api.txt
+index e11f944de5861663d742c8b91129f7b592e7f72c..31016bec004f0b7f00db4cb3baefd236d485dc85 100644
+--- a/doc/api.txt
++++ b/doc/api.txt
+@@ -56,6 +56,7 @@ o object layout
+ {("template-crldp"),array-of-string (CRL distribution point URIs)}
+ {("template-ns-comment"),string (Netscape comment)}
+ {("template-profile"),string (certificate profile)}
++ {("template-issuer"),string (requested issuer)}
+ {("template-challenge-password"),string (password to add to CSR)}
+ {("template-challenge-password-file"),string (password file)
+ {("cert-presave-command"),string}
+@@ -164,6 +165,7 @@ o object layout
+ {("template-crldp"),array-of-string (CRL distribution point URIs)}
+ {("template-ns-comment"),string (Netscape comment)}
+ {("template-profile"),string (certificate 
profile)} ++ {("template-issuer"),string (requested issuer)} + {("template-challenge-password"),string (password to add to CSR)} + {("template-challenge-password-file"),string (password file) + {("cert-presave-command"),string} +diff --git a/doc/submit.txt b/doc/submit.txt +index dbf5319dc29bd9adb4054d4e76e90f028bad5fa6..7444f88c078b7453ae350268482832485259348a 100644 +--- a/doc/submit.txt ++++ b/doc/submit.txt +@@ -13,6 +13,7 @@ An external CA helper has a few jobs: + * $CERTMONGER_REQ_PRINCIPAL -> Kerberos principal name subjectAltName values + * $CERTMONGER_REQ_IP_ADDRESS-> IP address subjectAltName values (since 0.78) + * $CERTMONGER_CA_PROFILE -> requested enrollment profile/template/certtype ++ * $CERTMONGER_CA_ISSUER -> requested issuer for enrollment + * $CERTMONGER_CSR -> certificate signing request + * $CERTMONGER_CERTIFICATE -> previously-issued certificate, if there is one + * $CERTMONGER_CA_NICKNAME -> nickname of CA (since 0.73) +diff --git a/src/cadata.c b/src/cadata.c +index 947b2e68d3e74abf688aebd48344bfbf964e5656..7861fe73104143d6a9135fcb50b3ead583b03bf7 100644 +--- a/src/cadata.c ++++ b/src/cadata.c +@@ -50,6 +50,7 @@ const char *attribute_map[] = { + CM_SUBMIT_REQ_EMAIL_ENV, CM_DBUS_PROP_TEMPLATE_EMAIL, + CM_SUBMIT_REQ_IP_ADDRESS_ENV, CM_DBUS_PROP_TEMPLATE_IP_ADDRESS, + CM_SUBMIT_PROFILE_ENV, CM_DBUS_PROP_TEMPLATE_PROFILE, ++ CM_SUBMIT_ISSUER_ENV, CM_DBUS_PROP_TEMPLATE_ISSUER, + NULL, + }; + +diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in +index f11f1ffa35ccb6eb3d6aeea149353f55d5266534..b6578dce4b06fd60f9e784ba5665489eb3dd3982 100644 +--- a/src/getcert-request.1.in ++++ b/src/getcert-request.1.in +@@ -87,6 +87,9 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. + \fB\-T\fR NAME + Request a certificate using the named profile, template, or certtype, + from the specified CA. ++.TP ++\fB\-X\fR NAME ++Request a certificate using the named issuer from the specified CA. 
+ + .SH SIGNING REQUEST OPTIONS + +diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in +index ad31da9995194280d79c2ce6bb2311291d37072d..165940eab1e625ecd3db63a1cf0bd822ae6abf72 100644 +--- a/src/getcert-resubmit.1.in ++++ b/src/getcert-resubmit.1.in +@@ -48,6 +48,9 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. + Request a certificate using the named profile, template, or certtype, + from the specified CA. + .TP ++\fB\-X\fR NAME ++Request a certificate using the named issuer from the specified CA. ++.TP + \fB\-I\fR NAME + Assign the specified nickname to this task, replacing the previous nickname. + +diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in +index 6cd24e77dd578662e4b18b8ae18dd26b6faa7122..a46f53578626bc62abaeb22e77500548c34ac3c0 100644 +--- a/src/getcert-start-tracking.1.in ++++ b/src/getcert-start-tracking.1.in +@@ -85,6 +85,9 @@ useful in combination with \fB\-r\fR. + \fB\-T\fR NAME + Request a certificate using the named profile, template, or certtype, + from the specified CA. ++.TP ++\fB\-X\fR NAME ++Request a certificate using the named issuer from the specified CA. 
+ + .SH SIGNING REQUEST OPTIONS + If and when \fIcertmonger\fR attempts to obtain a new certificate to replace +diff --git a/src/getcert.c b/src/getcert.c +index 49840dd968a75929ef55c6b77966187f0c59fa78..cfa36fb1a7ea16c9c9bacc8f40360efa594b7830 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -691,7 +691,7 @@ request(const char *argv0, int argc, const char **argv) + char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL; + int keysize = 0, auto_renew = 1, verbose = 0, ku = 0, kubit, c, i, j; + char *ca = DEFAULT_CA, *subject = NULL, **eku = NULL, *oid, *id = NULL; +- char *profile = NULL, kustring[16]; ++ char *profile = NULL, *issuer = NULL, kustring[16]; + char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; +@@ -732,6 +732,7 @@ request(const char *argv0, int argc, const char **argv) + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("set requested extended key usage OID"), HELP_TYPE_EKU}, +@@ -858,6 +859,9 @@ request(const char *argv0, int argc, const char **argv) + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'X': ++ issuer = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'N': + subject = talloc_strdup(globals.tctx, poptarg); + break; +@@ -1289,6 +1293,13 @@ request(const char 
*argv0, int argc, const char **argv) + params[i] = ¶m[i]; + i++; + } ++ if (issuer != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = issuer; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (precommand != NULL) { + param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; + param[i].value_type = cm_tdbusm_dict_s; +@@ -1480,7 +1491,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id, + char *key_perms, char *cert_perms, + char *pin, char *pinfile, + char *cpass, char *cpassfile, +- char *ca, char *profile, ++ char *ca, char *profile, char *issuer, + char *precommand, char *postcommand, + char **anchor_dbs, char **anchor_files, + dbus_bool_t auto_renew_stop, int waitreq, +@@ -1644,6 +1655,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id, + params[i] = ¶m[i]; + i++; + } ++ if (issuer != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = issuer; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (precommand != NULL) { + param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; + param[i].value_type = cm_tdbusm_dict_s; +@@ -1726,7 +1744,7 @@ set_tracking(const char *argv0, const char *category, + char **anchor_dbs = NULL, **anchor_files = NULL; + char *id = NULL, *new_id = NULL, *new_request; + char *keyfile = NULL, *certfile = NULL, *ca = DEFAULT_CA; +- char *profile = NULL; ++ char *profile = NULL, *issuer = NULL; + char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; +@@ -1767,6 +1785,7 @@ set_tracking(const char *argv0, const char *category, + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"issuer", 'X', POPT_ARG_STRING, 
NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("override requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("override requested extended key usage OID"), HELP_TYPE_EKU}, + {"principal", 'K', POPT_ARG_STRING, NULL, 'K', _("override requested principal name"), HELP_TYPE_PRINCIPAL}, +@@ -2291,7 +2310,7 @@ set_tracking(const char *argv0, const char *category, + key_perms, cert_perms, + pin, pinfile, + cpass, cpassfile, +- ca, profile, ++ ca, profile, issuer, + precommand, postcommand, + anchor_dbs, anchor_files, + (auto_renew_stop > 0), +@@ -2366,7 +2385,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + char *id = NULL, *new_id = NULL, *ca = NULL, *new_request, *nss_scheme; + char *subject = NULL, **eku = NULL, *oid = NULL; + char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; +- char *profile = NULL, kustring[16]; ++ char *profile = NULL, *issuer = NULL, kustring[16]; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; + char *keytype = NULL; +@@ -2403,6 +2422,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the current one"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("set requested extended key usage 
OID"), HELP_TYPE_EKU}, +@@ -2477,6 +2497,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'X': ++ issuer = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'i': + id = talloc_strdup(globals.tctx, poptarg); + break; +@@ -2838,6 +2861,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + params[i] = ¶m[i]; + i++; + } ++ if (issuer != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = issuer; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (precommand != NULL) { + param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; + param[i].value_type = cm_tdbusm_dict_s; +@@ -4647,6 +4677,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the default\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Parameters for the signing request:\n"), + N_(" -N NAME set requested subject name (default: CN=)\n"), + N_(" -U EXTUSAGE set requested extended key usage OID\n"), +@@ -4695,6 +4726,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the default\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Parameters for the signing request at renewal time:\n"), + N_(" -U EXTUSAGE override requested extended key usage OID\n"), + N_(" -u KEYUSAGE set requested key usage value\n"), +@@ -4773,6 +4805,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the current one\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" 
-X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Bus options:\n"), + N_(" -S connect to the certmonger service on the system bus\n"), + N_(" -s connect to the certmonger service on the session bus\n"), +@@ -4820,6 +4853,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the current one\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_(" -G TYPE type of new key to be generated\n"), + N_(" -g SIZE size of new key to be generated\n"), + N_("* Bus options:\n"), +diff --git a/src/ipa.c b/src/ipa.c +index 5236abb40246c270d1b14c5cfbc467dbd6e8f7a4..72cdda6b07ea5a4850fb404497196c46a6bbbd6d 100644 +--- a/src/ipa.c ++++ b/src/ipa.c +@@ -332,7 +332,8 @@ cm_locate_xmlrpc_service(const char *server, + /* Make an XML-RPC request to the "cert_request" method. */ + static int + submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath, +- const char *csr, const char *reqprinc, const char *profile) ++ const char *csr, const char *reqprinc, ++ const char *profile, const char *issuer) + { + struct cm_submit_x_context *ctx; + const char *args[2]; +@@ -366,6 +367,10 @@ submit: + if (profile != NULL) { + cm_submit_x_add_named_arg_s(ctx, "profile_id", profile); + } ++ /* Add the requested CA named argument. */ ++ if (issuer != NULL) { ++ cm_submit_x_add_named_arg_s(ctx, "ca", issuer); ++ } + /* Tell the server to add entries for a principal if one + * doesn't exist yet. 
*/ + cm_submit_x_add_named_arg_b(ctx, "add", 1); +@@ -440,12 +445,14 @@ static int + submit_or_poll(const char *uri, const char *cainfo, const char *capath, + const char *server, int ldap_uri_cmd, const char *ldap_uri, + const char *host, const char *domain, char *basedn, +- const char *csr, const char *reqprinc, const char *profile) ++ const char *csr, const char *reqprinc, ++ const char *profile, const char *issuer) + { + int i, u; + char **uris; + +- i = submit_or_poll_uri(uri, cainfo, capath, csr, reqprinc, profile); ++ i = submit_or_poll_uri(uri, cainfo, capath, csr, reqprinc, profile, ++ issuer); + if ((i == CM_SUBMIT_STATUS_UNREACHABLE) || + (i == CM_SUBMIT_STATUS_UNCONFIGURED)) { + u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri, +@@ -456,7 +463,8 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath, + continue; + } + i = submit_or_poll_uri(uris[u], cainfo, capath, +- csr, reqprinc, profile); ++ csr, reqprinc, profile, ++ issuer); + if ((i != CM_SUBMIT_STATUS_UNREACHABLE) && + (i != CM_SUBMIT_STATUS_UNCONFIGURED)) { + talloc_free(uris); +@@ -556,7 +564,7 @@ main(int argc, const char **argv) + const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile; + int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0; + const char *mode = CM_OP_SUBMIT; +- char ldn[LINE_MAX], *basedn = NULL, *profile = NULL; ++ char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL; + krb5_error_code kret; + poptContext pctx; + struct poptOption popts[] = { +@@ -571,6 +579,7 @@ main(int argc, const char **argv) + {"use-ccache-creds", 'K', POPT_ARG_NONE, NULL, 'K', "use default ccache instead of creating a new one using keytab", NULL}, + {"principal-of-request", 'P', POPT_ARG_STRING, &reqprinc, 0, "principal name in signing request", "PRINCIPAL"}, + {"profile", 'T', POPT_ARG_STRING, &profile, 0, "request enrollment using the specified profile", "NAME"}, ++ {"issuer", 'X', POPT_ARG_STRING, &issuer, 0, "request enrollment using 
the specified CA", "NAME"}, + {"basedn", 'b', POPT_ARG_STRING, &basedn, 0, "IPA domain LDAP base DN", "DN"}, + {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, + POPT_AUTOHELP +@@ -729,6 +738,10 @@ main(int argc, const char **argv) + (getenv(CM_SUBMIT_PROFILE_ENV) != NULL)) { + profile = strdup(getenv(CM_SUBMIT_PROFILE_ENV)); + } ++ if ((issuer == NULL) && ++ (getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) { ++ issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV)); ++ } + if ((server != NULL) && !xmlrpc_uri_cmd) { + snprintf(uri, sizeof(uri), + "https://%s/ipa/xml", server); +@@ -835,7 +848,7 @@ main(int argc, const char **argv) + return submit_or_poll(uri, cainfo, capath, + server, ldap_uri_cmd, ldap_uri, + host, domain, basedn, +- csr, reqprinc, profile); ++ csr, reqprinc, profile, issuer); + } else + if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) { + return fetch_roots(server, ldap_uri_cmd, ldap_uri, host, +diff --git a/src/store-files.c b/src/store-files.c +index 961d03b7d1724a2cdb1fc4a26d8f1e25e474824f..889829ca62a035a758288aac158cbe17b0fd9e6d 100644 +--- a/src/store-files.c ++++ b/src/store-files.c +@@ -129,6 +129,7 @@ enum cm_store_file_field { + cm_store_entry_field_template_ocsp_location, + cm_store_entry_field_template_ns_comment, + cm_store_entry_field_template_profile, ++ cm_store_entry_field_template_issuer, + cm_store_entry_field_template_no_ocsp_check, + cm_store_entry_field_template_ns_certtype, + +@@ -303,6 +304,7 @@ static struct cm_store_file_field_list { + {cm_store_entry_field_template_ns_comment, "template_ns_comment"}, + {cm_store_entry_field_template_profile, "template_profile"}, /* right */ + {cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */ ++ {cm_store_entry_field_template_issuer, "template_issuer"}, + {cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"}, + {cm_store_entry_field_template_ns_certtype, "template_ns_certtype"}, + +@@ -1127,6 +1129,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE 
*fp) + case cm_store_entry_field_template_profile: + ret->cm_template_profile = free_if_empty(p); + break; ++ case cm_store_entry_field_template_issuer: ++ ret->cm_template_issuer = free_if_empty(p); ++ break; + case cm_store_entry_field_template_no_ocsp_check: + ret->cm_template_no_ocsp_check = atoi(p) != 0; + talloc_free(p); +@@ -1370,6 +1375,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) + case cm_store_entry_field_template_ocsp_location: + case cm_store_entry_field_template_ns_comment: + case cm_store_entry_field_template_profile: ++ case cm_store_entry_field_template_issuer: + case cm_store_entry_field_template_no_ocsp_check: + case cm_store_entry_field_template_ns_certtype: + case cm_store_entry_field_challenge_password: +@@ -1972,6 +1978,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry) + entry->cm_template_ns_comment); + cm_store_file_write_str(fp, cm_store_entry_field_template_profile, + entry->cm_template_profile); ++ cm_store_file_write_str(fp, cm_store_entry_field_template_issuer, ++ entry->cm_template_issuer); + cm_store_file_write_int(fp, cm_store_entry_field_template_no_ocsp_check, + entry->cm_template_no_ocsp_check ? 
1 : 0); + cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype, +@@ -2735,6 +2743,7 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry) + ret->cm_template_ocsp_location = cm_store_maybe_strdupv(ret, entry->cm_template_ocsp_location); + ret->cm_template_ns_comment = cm_store_maybe_strdup(ret, entry->cm_template_ns_comment); + ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile); ++ ret->cm_template_issuer = cm_store_maybe_strdup(ret, entry->cm_template_issuer); + ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check; + ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret, + entry->cm_template_ns_certtype); +diff --git a/src/store-int.h b/src/store-int.h +index d7d3fc86306b103b0a90faef7396697743b9c8da..2d3a35387516c48ab81a6422e42d57d5741593f6 100644 +--- a/src/store-int.h ++++ b/src/store-int.h +@@ -142,6 +142,7 @@ struct cm_store_entry { + char **cm_template_ocsp_location; + char *cm_template_ns_comment; + char *cm_template_profile; ++ char *cm_template_issuer; + char *cm_template_ns_certtype; + unsigned int cm_template_no_ocsp_check: 1; + /* A challenge password, which may be included (in cleartext form!) in +diff --git a/src/submit-e.c b/src/submit-e.c +index 6997b436e42aa4f77c421040070ee2484467dea5..befd01e0fd00b8f9e239752ffbd80c985fae5057 100644 +--- a/src/submit-e.c ++++ b/src/submit-e.c +@@ -876,6 +876,7 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca, + maybe_setenv(CM_SUBMIT_COOKIE_ENV, entry->cm_ca_cookie); + maybe_setenv(CM_SUBMIT_CA_NICKNAME_ENV, entry->cm_ca_nickname); + maybe_setenv(CM_SUBMIT_PROFILE_ENV, entry->cm_template_profile); ++ maybe_setenv(CM_SUBMIT_ISSUER_ENV, entry->cm_template_issuer); + maybe_setenv(CM_SUBMIT_CERTIFICATE_ENV, entry->cm_cert); + /* Only pass SCEP data to the helper if we haven't used this set of + * nonced data before. It'll ask for fresh data if it needs it. 
*/ +diff --git a/src/submit-e.h b/src/submit-e.h +index 2e325cf7d36436b89287e9933db83a6d853abfd1..0148d4da07507a000d8e6e8aca98f2ed84669eca 100644 +--- a/src/submit-e.h ++++ b/src/submit-e.h +@@ -48,6 +48,7 @@ const char *cm_submit_e_status_text(enum cm_external_status status); + #define CM_SUBMIT_COOKIE_ENV "CERTMONGER_CA_COOKIE" + #define CM_SUBMIT_CA_NICKNAME_ENV "CERTMONGER_CA_NICKNAME" + #define CM_SUBMIT_PROFILE_ENV "CERTMONGER_CA_PROFILE" ++#define CM_SUBMIT_ISSUER_ENV "CERTMONGER_CA_ISSUER" + #define CM_SUBMIT_CERTIFICATE_ENV "CERTMONGER_CERTIFICATE" + #define CM_SUBMIT_SCEP_CA_IDENTIFIER_ENV "CERTMONGER_SCEP_CA_IDENTIFIER" + #define CM_SUBMIT_SCEP_RA_CERTIFICATE_ENV "CERTMONGER_SCEP_RA_CERTIFICATE" +diff --git a/src/tdbus.h b/src/tdbus.h +index c9b3afeb59548c2dc1260cfd7c76b39327a42f89..496f2dd289a0bd9b4d66451ea5eb0acf83d0cf5f 100644 +--- a/src/tdbus.h ++++ b/src/tdbus.h +@@ -108,6 +108,7 @@ + #define CM_DBUS_PROP_TEMPLATE_FRESHEST_CRL "template-freshest-crl" + #define CM_DBUS_PROP_TEMPLATE_NS_COMMENT "template-ns-comment" + #define CM_DBUS_PROP_TEMPLATE_PROFILE "template-profile" ++#define CM_DBUS_PROP_TEMPLATE_ISSUER "template-issuer" + #define CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE "template-ns-certtype" + #define CM_DBUS_SIGNAL_REQUEST_CERT_SAVED "SavedCertificate" + #define CM_DBUS_PROP_CA_PRESAVE_COMMAND "ca-presave-command" +diff --git a/src/tdbush.c b/src/tdbush.c +index 4660f80f26669d31b2629c543384fe95bbec1ea9..05a503e06a553c566dcff5e053cbd8aa16c20f14 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -1562,6 +1562,13 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, + param->value.s); + } + param = cm_tdbusm_find_dict_entry(d, ++ CM_DBUS_PROP_TEMPLATE_ISSUER, ++ cm_tdbusm_dict_s); ++ if (param != NULL) { ++ new_entry->cm_template_issuer = maybe_strdup(new_entry, ++ param->value.s); ++ } ++ param = cm_tdbusm_find_dict_entry(d, + CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD, + cm_tdbusm_dict_s); + if ((param != NULL) && +@@ -3306,6 +3313,14 @@ 
request_modify(DBusConnection *conn, DBusMessage *msg, + } + } else + if ((param->value_type == cm_tdbusm_dict_s) && ++ (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_ISSUER) == 0)) { ++ talloc_free(entry->cm_template_issuer); ++ entry->cm_template_issuer = maybe_strdup(entry, param->value.s); ++ if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) { ++ propname[n_propname++] = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ } ++ } else ++ if ((param->value_type == cm_tdbusm_dict_s) && + (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD) == 0)) { + talloc_free(entry->cm_template_challenge_password); + entry->cm_template_challenge_password = maybe_strdup(entry, +@@ -6712,6 +6727,14 @@ cm_tdbush_iface_request(void) + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + NULL), + make_interface_item(cm_tdbush_interface_property, ++ make_property(CM_DBUS_PROP_TEMPLATE_ISSUER, ++ cm_tdbush_property_string, ++ cm_tdbush_property_readwrite, ++ cm_tdbush_property_char_p, ++ offsetof(struct cm_store_entry, cm_template_issuer), ++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ++ NULL), ++ make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE, + cm_tdbush_property_string, + cm_tdbush_property_readwrite, +@@ -7156,7 +7179,7 @@ cm_tdbush_iface_request(void) + make_interface_item(cm_tdbush_interface_signal, + make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, + NULL), +- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); ++ NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); + } + return ret; + } +diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index ba55dd5ce97c74475dbebb761c41dd2e64e64365..b2660317b3102373f2a5a877a7224f727929412c 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -328,6 +328,7 @@ OK + + + ++ + + + +-- +2.9.0 + 
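Review bot: The three getcert man-page hunks (getcert-request.1.in, getcert-resubmit.1.in, getcert-start-tracking.1.in) describe `-X NAME` only as "the named issuer from the specified CA", without saying what NAME identifies or how it reaches the CA, while the ipa.c popt help calls the same value "the specified CA". I'd add one sentence to each `.TP` entry, e.g. `The name is passed to the CA's helper as $CERTMONGER_CA_ISSUER; for IPA it selects which of the server's CAs signs the request.`, and align the ipa.c help string with "issuer". The new `if (issuer != NULL)` blocks in request(), add_basic_request() and rekey_or_resubmit() each append one more entry to `param[]`/`params[]`, whose fixed sizes are declared above these hunks and are not changed by this commit (patch 0007 later in this series resizes them); those functions start and end outside the hunks.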
diff --git a/SOURCES/0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch b/SOURCES/0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch
new file mode 100644
index 0000000..14448f5
--- /dev/null
+++ b/SOURCES/0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch
@@ -0,0 +1,44 @@
+From f78836266df6fdbdc321e002dc7ae2229866e621 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 14 Jun 2016 15:56:30 -0400
+Subject: [PATCH] Documentation: mark $CERTMONGER_CA_ISSUER as 0.79
+
+In documentation that now mentions that we set $CERTMONGER_CA_ISSUER for
+helpers, list 0.79 as the first version where we started doing so.
+---
+ doc/helpers.txt | 5 +++++
+ doc/submit.txt | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/doc/helpers.txt b/doc/helpers.txt
+index 9d43e2390122c67719d549387b070879bf7e1f2d..975a741eeb76ef6d9005a05e5283ab92a1ccd399 100644
+--- a/doc/helpers.txt
++++ b/doc/helpers.txt
+@@ -103,6 +103,11 @@ helper is called.
+ * CERTMONGER_REQ_IP_ADDRESS
+ Any iPAddress subject alt name values from the request.
+
++ These are also present starting with version 0.79:
++
++ * CERTMONGER_CA_ISSUER
++ The requested issuer for enrollment.
++
+ The helper is expected to use this information, along with whatever
+ credentials it has or is passed on the command line, to send the signing
+ request to the CA.
+diff --git a/doc/submit.txt b/doc/submit.txt
+index 7444f88c078b7453ae350268482832485259348a..b1742c3f2e54adcaa60f58371c9ff1fded0d30b0 100644
+--- a/doc/submit.txt
++++ b/doc/submit.txt
+@@ -13,7 +13,7 @@ An external CA helper has a few jobs:
+ * $CERTMONGER_REQ_PRINCIPAL -> Kerberos principal name subjectAltName values
+ * $CERTMONGER_REQ_IP_ADDRESS-> IP address subjectAltName values (since 0.78)
+ * $CERTMONGER_CA_PROFILE -> requested enrollment profile/template/certtype
+- * $CERTMONGER_CA_ISSUER -> requested issuer for enrollment
++ * $CERTMONGER_CA_ISSUER -> requested issuer for enrollment (since 0.79)
+ * $CERTMONGER_CSR -> certificate signing request
+ * $CERTMONGER_CERTIFICATE -> previously-issued certificate, if there is one
+ * $CERTMONGER_CA_NICKNAME -> nickname of CA (since 0.73)
+--
+2.9.0
+
diff --git a/SOURCES/0005-Comment-whitespace-fixup.patch b/SOURCES/0005-Comment-whitespace-fixup.patch
new file mode 100644
index 0000000..28bd346
--- /dev/null
+++ b/SOURCES/0005-Comment-whitespace-fixup.patch
@@ -0,0 +1,39 @@
+From 77977396865f4099dff7143c703301ccea52a276 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 14 Jun 2016 15:57:16 -0400
+Subject: [PATCH] Comment/whitespace fixup
+
+---
+ src/ipa.c | 2 +-
+ src/tdbush.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ipa.c b/src/ipa.c
+index 72cdda6b07ea5a4850fb404497196c46a6bbbd6d..f2736c6f37948df902b65157480fc0c29ec58c3e 100644
+--- a/src/ipa.c
++++ b/src/ipa.c
+@@ -367,7 +367,7 @@ submit:
+ if (profile != NULL) {
+ cm_submit_x_add_named_arg_s(ctx, "profile_id", profile);
+ }
+- /* Add the requested CA named argument. */
++ /* Add the requested CA issuer named argument. */
+ if (issuer != NULL) {
+ cm_submit_x_add_named_arg_s(ctx, "ca", issuer);
+ }
+diff --git a/src/tdbush.c b/src/tdbush.c
+index 05a503e06a553c566dcff5e053cbd8aa16c20f14..631da3ed2bbb1f6828d576760299ad51d7e41923 100644
+--- a/src/tdbush.c
++++ b/src/tdbush.c
+@@ -1566,7 +1566,7 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
+ cm_tdbusm_dict_s);
+ if (param != NULL) {
+ new_entry->cm_template_issuer = maybe_strdup(new_entry,
+- param->value.s);
++ param->value.s);
+ }
+ param = cm_tdbusm_find_dict_entry(d,
+ CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD,
+--
+2.9.0
+
diff --git a/SOURCES/0006-ipa-submit-Retry-without-ca-on-OptionError.patch b/SOURCES/0006-ipa-submit-Retry-without-ca-on-OptionError.patch
new file mode 100644
index 0000000..b089001
--- /dev/null
+++ b/SOURCES/0006-ipa-submit-Retry-without-ca-on-OptionError.patch
@@ -0,0 +1,35 @@
+From 301e56c06192649bc33ddbda77ac55c0fb69f2a0 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 14 Jun 2016 15:59:10 -0400
+Subject: [PATCH] ipa-submit: Retry without "ca" on OptionError
+
+Add a fallback for when the IPA server returns error 3005 ("OptionError")
+when we've tried to use the "ca" named argument in a request. As we did
+with "profile_id" earlier, take a guess that it didn't understand the
+most recently-added option that we're setting, and retry without it set.
+---
+ src/ipa.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/ipa.c b/src/ipa.c
+index f2736c6f37948df902b65157480fc0c29ec58c3e..f8abe609a603b614067e56ebe9935472b647ed99 100644
+--- a/src/ipa.c
++++ b/src/ipa.c
+@@ -387,6 +387,14 @@ submit:
+ switch (i / 1000) {
+ case 2: /* authorization error - permanent */
+ case 3: /* invocation error - permanent */
++ if ((i == 3005) && (issuer != NULL)) {
++ /* Most likely the server didn't understand the
++ * "ca" argument. At least, at this
++ * point. Randomly dropping arguments is not
++ * really an extensible solution, though. */
++ issuer = NULL;
++ goto submit;
++ }
+ if ((i == 3005) && (profile != NULL)) {
+ /* Most likely the server didn't understand the
+ * "profile_id" argument. At least, at this
+--
+2.9.0
+
diff --git a/SOURCES/0007-getcert-fix-a-potential-out-of-bounds.patch b/SOURCES/0007-getcert-fix-a-potential-out-of-bounds.patch
new file mode 100644
index 0000000..91a78d6
--- /dev/null
+++ b/SOURCES/0007-getcert-fix-a-potential-out-of-bounds.patch
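Review bot: Dropping `issuer` and re-submitting leaves no trace that the certificate came from a CA other than the one the request named, so a user who set `-X` against an older server gets a certificate from the default CA with no indication of the fallback; the helper should at least print a diagnostic on stderr before the `goto submit`, e.g. `fprintf(stderr, "server rejected the \"ca\" option (3005); retrying without issuer\n");`. A 3005 caused by any other unrecognised option also lands in this branch first and then in the `profile` one, as the comment concedes. submit_or_poll_uri() starts and ends outside this hunk. The -X man-page text added in patch 0008 of this series says a 3005 means the server "does not understand multiple profiles", which reads as carried over from the -T entry and should refer to issuers.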
@@ -0,0 +1,41 @@
+From ef0f3c32888165c1a39b078f23ce7e1fc57fec66 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 15 Jun 2016 15:56:38 -0400
+Subject: [PATCH] getcert: fix a potential out-of-bounds
+
+In getcert, fix a potential out-of-bounds write while gathering
+parameters to send to the daemon as part of an "add_request" API
+request, present since 20a6536febf0815d0b3d301133820a46fdd6ef21.
+---
+ src/getcert.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/getcert.c b/src/getcert.c
+index cfa36fb1a7ea16c9c9bacc8f40360efa594b7830..c84273a9bfc8730422f18ade87ce174fbbc44634 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -1499,8 +1499,8 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
+ {
+ DBusMessage *req, *rep;
+ int i;
+- struct cm_tdbusm_dict param[25];
+- const struct cm_tdbusm_dict *params[26];
++ struct cm_tdbusm_dict param[26];
++ const struct cm_tdbusm_dict *params[27];
+ dbus_bool_t b;
+ const char *capath;
+ char *p;
+@@ -1738,8 +1738,8 @@ set_tracking(const char *argv0, const char *category,
+ enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
+ DBusMessage *req, *rep;
+ const char *request, *capath;
+- struct cm_tdbusm_dict param[25];
+- const struct cm_tdbusm_dict *params[26];
++ struct cm_tdbusm_dict param[26];
++ const struct cm_tdbusm_dict *params[27];
+ char *nss_scheme, *dbdir = NULL, *token = NULL, *nickname = NULL;
+ char **anchor_dbs = NULL, **anchor_files = NULL;
+ char *id = NULL, *new_id = NULL, *new_request;
+--
+2.9.0
+
diff --git a/SOURCES/0008-Document-the-X-option-in-the-ipa-submit-man-page.patch b/SOURCES/0008-Document-the-X-option-in-the-ipa-submit-man-page.patch
new file mode 100644
index 0000000..33d08cb
--- /dev/null
+++ b/SOURCES/0008-Document-the-X-option-in-the-ipa-submit-man-page.patch
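Review bot: The fix keeps two hand-maintained literals per function (`param[26]` / `params[27]`) that have to be bumped in step every time an optional dict entry is added, which is exactly how the overflow was introduced. Tying the second to the first, `const struct cm_tdbusm_dict *params[sizeof(param) / sizeof(param[0]) + 1];`, leaves one number to maintain, and a check before each `param[i]` append, `if (i >= sizeof(param) / sizeof(param[0])) { /* too many parameters */ }` (or an `assert`), would make the next miscount fail loudly rather than write past the array. The appends added to request() and rekey_or_resubmit() in patch 0003 of this series would benefit from the same guard. add_basic_request() and set_tracking() both continue outside these hunks.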
@@ -0,0 +1,32 @@
+From 3a734708fb96d0fed7850a5615782e27a039cda1 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 15 Jun 2016 17:20:52 -0400
+Subject: [PATCH] Document the -X option in the ipa-submit man page
+
+Add documentation for the new -X option to certmonger-ipa-submit(8).
+---
+ src/certmonger-ipa-submit.8.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/certmonger-ipa-submit.8.in b/src/certmonger-ipa-submit.8.in
+index 62b6991c7e1e13ed02cb04a76e9446b69a01093d..2a986c63f97c117175f84007cb54b63b8e221cf7 100644
+--- a/src/certmonger-ipa-submit.8.in
++++ b/src/certmonger-ipa-submit.8.in
+@@ -28,6 +28,14 @@ LDAP server's directory tree, where $BASE defaults to the value of the
+ Identifies the principal name of the service for which the certificate is being
+ issued. This setting is required by IPA and must always be specified.
+ .TP
++\fB\-X\fR issuer
++Requests that the certificate be processed by the specified certificate issuer.
++By default, if this flag is not specified, and the \fBCERTMONGER_CA_ISSUER\fR
++variable is set in the environment, then the value of the environment variable
++will be used. This setting is optional, and if a server returns error 3005,
++indicating that it does not understand multiple profiles, the request will be
++re-submitted without specifying an issuer name.
++.TP
+ \fB\-T\fR profile
+ Requests that the certificate be processed using the specified certificate profile.
+ By default, if this flag is not specified, and the \fBCERTMONGER_CA_PROFILE\fR
+--
+2.9.0
+
diff --git a/SOURCES/0009-Fix-a-flakiness-in-the-028-dbus-test.patch b/SOURCES/0009-Fix-a-flakiness-in-the-028-dbus-test.patch
new file mode 100644
index 0000000..35b3adb
--- /dev/null
+++ b/SOURCES/0009-Fix-a-flakiness-in-the-028-dbus-test.patch
@@ -0,0 +1,59 @@
+From 4f72c02d0f432519f9d5606bd99007fd685482a7 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 29 Jun 2016 17:37:09 -0400
+Subject: [PATCH] Fix a flakiness in the 028-dbus test
+
+When walking all of the exposed APIs from python, we were calling the
+'resubmit' method on a certificate, and not waiting for the churn in
+state that doing so would create to settle down before continuing.
+
+This meant that the test script might have exited before the certmonger
+process that was waiting on it finished saving the new certificate that
+it obtained from resubmitting the rquest, so the process wouldn't
+reliably log that it had obtained a new certificate.
+
+Spotted by Jan Cholasta.
+---
+ tests/028-dbus/expected.out | 1 +
+ tests/028-dbus/walk.py | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
+index b2660317b3102373f2a5a877a7224f727929412c..93cc4d184524c4b1aeba02a650c94d832462c236 100644
+--- a/tests/028-dbus/expected.out
++++ b/tests/028-dbus/expected.out
+@@ -1,4 +1,5 @@
+ Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
++Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
+ [[ getcert ]]
+ State MONITORING, stuck: no.
+ Number of certificates and requests being tracked: 1.
+diff --git a/tests/028-dbus/walk.py b/tests/028-dbus/walk.py
+index 0bf54b477220aef901340c1d24100391348226a7..f60ca934fd934e21cec027bad5c53e0f12ccb36d 100644
+--- a/tests/028-dbus/walk.py
++++ b/tests/028-dbus/walk.py
+@@ -3,6 +3,7 @@ import dbus
+ import xml.etree.ElementTree
+ import os
+ import sys
++import time
+
+ bus = dbus.SessionBus()
+
+@@ -110,6 +111,13 @@ def examine_method(objpath, interface, method, idata):
+ # We're in FIXME territory.
+ print('FIXME: need support for "%s"' % method)
+ return False
++ # If we caused things to start churning, wait for them to settle.
++ if method == 'resubmit':
++ props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
++ prop = props.Get(interface, 'status')
++ while prop != 'MONITORING':
++ time.sleep(1)
++ prop = props.Get(interface, 'status')
+ return True
+
+ def iget(child, proxy, interface, prop):
+--
+2.7.4
+
diff --git a/SOURCES/1001-Remove-rekey-feature.patch b/SOURCES/1001-Remove-rekey-feature.patch
index 11a60be..dba4798 100644
--- a/SOURCES/1001-Remove-rekey-feature.patch
+++ b/SOURCES/1001-Remove-rekey-feature.patch
@@ -1,4 +1,4 @@
-From f85876b61af0716c00a255be42c7b62fc3c83e3f Mon Sep 17 00:00:00 2001
+From c47a439f510adffe4e2225408261d0e93059e077 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta
 Date: Fri, 7 Aug 2015 13:40:41 +0200
 Subject: [PATCH] Remove rekey feature
@@ -88,10 +88,10 @@ index f07b9002a206526ea7f0334f5ba0071d8fffd3ae..64f0f5e80cd0fa3ae01fcf27828f9793
 Be verbose about errors. Normally, the details of an error received from the daemon will be suppressed if the client can make a diagnostic suggestion.
 diff --git a/src/getcert.c b/src/getcert.c
-index 49840dd968a75929ef55c6b77966187f0c59fa78..1b7d5fc27c970178e310e9bb7e9abde3f6b7bbce 100644
+index c84273a9bfc8730422f18ade87ce174fbbc44634..dcdbdd455dd8c61c1aeaad6a5c7feef21b56feab 100644
 --- a/src/getcert.c
 +++ b/src/getcert.c
-@@ -4595,7 +4595,6 @@ static struct {
+@@ -4625,7 +4625,6 @@ static struct {
 {"start-tracking", start_tracking}, {"stop-tracking", stop_tracking}, {"resubmit", resubmit},
@@ -99,7 +99,7 @@ index 49840dd968a75929ef55c6b77966187f0c59fa78..1b7d5fc27c970178e310e9bb7e9abde3
 {"refresh", refresh}, {"list", list}, {"status", status},
-@@ -5007,8 +5006,6 @@ help(const char *twopartcmd, const char *category)
+@@ -5041,8 +5040,6 @@ help(const char *twopartcmd, const char *category)
 N_("stop monitoring a certificate\n")}, {"resubmit", resubmit_help, N_("resubmit an in-progress enrollment request, or start a new one\n")},
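Review bot: The settle loop added to `examine_method` has no upper bound: if the resubmitted request ends in any state other than `MONITORING` (the expected output itself distinguishes "stuck" requests) the script sleeps forever instead of failing, which turns a flaky test into a hung test run. A deadline that converts the wait into a hard failure keeps the intent of the change while guaranteeing the test finishes. The proxy `o` and the rest of `examine_method` are outside the hunk, so the failure mechanism used elsewhere in walk.py is not visible; `SystemExit` below is only an example.
```python
    if method == 'resubmit':
        props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
        deadline = time.time() + 120
        prop = props.Get(interface, 'status')
        while prop != 'MONITORING':
            if time.time() > deadline:
                raise SystemExit('resubmit did not settle back to MONITORING (status %s)' % prop)
            time.sleep(1)
            prop = props.Get(interface, 'status')
```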
@@ -181,7 +181,7 @@ index d3bbc050947a1a0472187503110682c9028f9c6f..11f9ae3cc193981d3c2bf986a4a5c4c7 } else if (strcasecmp(mode, CM_OP_FETCH_SCEP_CA_CERTS) == 0) { diff --git a/src/submit-e.c b/src/submit-e.c -index 6997b436e42aa4f77c421040070ee2484467dea5..4d434f3ef1c87f9b5288a80d66006ea7baa9f643 100644 +index befd01e0fd00b8f9e239752ffbd80c985fae5057..af05efeb762933e31fecc67b1204001b7e81c697 100644 --- a/src/submit-e.c +++ b/src/submit-e.c @@ -446,12 +446,6 @@ cm_submit_e_need_scep_messages(struct cm_submit_state *state) @@ -198,10 +198,10 @@ index 6997b436e42aa4f77c421040070ee2484467dea5..4d434f3ef1c87f9b5288a80d66006ea7 } diff --git a/src/tdbush.c b/src/tdbush.c -index 4660f80f26669d31b2629c543384fe95bbec1ea9..9a03674d7ba313129083f6f606e86ca4b3933186 100644 +index 631da3ed2bbb1f6828d576760299ad51d7e41923..aec5e9d0a36a7cb5c035e1aefda04c2b32b1e100 100644 --- a/src/tdbush.c +++ b/src/tdbush.c -@@ -7094,14 +7094,6 @@ cm_tdbush_iface_request(void) +@@ -7117,14 +7117,6 @@ cm_tdbush_iface_request(void) NULL))), NULL), make_interface_item(cm_tdbush_interface_method, @@ -216,12 +216,12 @@ index 4660f80f26669d31b2629c543384fe95bbec1ea9..9a03674d7ba313129083f6f606e86ca4 make_method("resubmit", request_resubmit, make_method_arg("working", -@@ -7156,7 +7148,7 @@ cm_tdbush_iface_request(void) +@@ -7179,7 +7171,7 @@ cm_tdbush_iface_request(void) make_interface_item(cm_tdbush_interface_signal, make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, NULL), -- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); -+ NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); +- NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); ++ NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); } return ret; } 
@@ -255,10 +255,10 @@ index bd57a01ba8725418978259018441f6a9a6672758..85d07b3baef83dbafd39c03888881cb6 [Enroll until we notice we have no specified CA.] diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out -index ba55dd5ce97c74475dbebb761c41dd2e64e64365..d8fb98bcf9950c9c21c48feac303dc0b46189ab7 100644 +index 93cc4d184524c4b1aeba02a650c94d832462c236..26850efaedb966cd94ecd0db42d6adb378b47f37 100644 --- a/tests/028-dbus/expected.out +++ b/tests/028-dbus/expected.out -@@ -401,9 +401,6 @@ OK +@@ -403,9 +403,6 @@ OK @@ -268,7 +268,7 @@ index ba55dd5ce97c74475dbebb761c41dd2e64e64365..d8fb98bcf9950c9c21c48feac303dc0b -@@ -481,9 +478,6 @@ recently +@@ -483,9 +480,6 @@ recently 1 on /org/fedorahosted/certmonger/requests/Request2 After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1) @@ -370,5 +370,5 @@ index bd8cca7c3eedb5a02249f450451b651bb270ec24..62a1c746f86bb53fe79d1226ab919482 -STOP- Test complete. -- -2.4.3 +2.7.4 diff --git a/SOURCES/1002-Fix-CA-option-name-for-ipa-cert-request.patch b/SOURCES/1002-Fix-CA-option-name-for-ipa-cert-request.patch new file mode 100644 index 0000000..7788e9b --- /dev/null +++ b/SOURCES/1002-Fix-CA-option-name-for-ipa-cert-request.patch 
@@ -0,0 +1,38 @@
+From 6aca3545c847673a7bc3d5120378f896dc420a15 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Thu, 18 Aug 2016 18:25:49 +1000
+Subject: [PATCH] Fix CA option name for ipa cert-request
+
+The cert-request option for specifying the issuer is 'cacn', but
+certmonger is sending 'ca'. Use the correct option name.
+
+Part of: https://fedorahosted.org/certmonger/ticket/51
+---
+ src/ipa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ipa.c b/src/ipa.c
+index f8abe609a603b614067e56ebe9935472b647ed99..13ea4cadf108a86687ab3f689b1a4dd92e5f8339 100644
+--- a/src/ipa.c
++++ b/src/ipa.c
+@@ -369,7 +369,7 @@ submit:
+ }
+ /* Add the requested CA issuer named argument. */
+ if (issuer != NULL) {
+- cm_submit_x_add_named_arg_s(ctx, "ca", issuer);
++ cm_submit_x_add_named_arg_s(ctx, "cacn", issuer);
+ }
+ /* Tell the server to add entries for a principal if one
+ * doesn't exist yet. */
+@@ -389,7 +389,7 @@ submit:
+ case 3: /* invocation error - permanent */
+ if ((i == 3005) && (issuer != NULL)) {
+ /* Most likely the server didn't understand the
+- * "ca" argument. At least, at this
++ * "cacn" argument. At least, at this
+ * point. Randomly dropping arguments is not
+ * really an extensible solution, though. */
+ issuer = NULL;
+--
+2.7.4
+
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index 6195f1a..55b2f29 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -26,7 +26,7 @@ Name: certmonger
 Version: 0.78.4
-Release: 1%{?dist}
+Release: 3%{?dist}
 Summary: Certificate status monitor and PKI enrollment client
 Group: System Environment/Daemons
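Review bot: Renaming the argument to `cacn` fixes the request, but the second hunk leaves in place the mechanism that let the bug survive: the 3005 fallback treats the error as "server does not understand this option", so the rejected `ca` argument was silently dropped and enrollment succeeded against the default CA — the "fails to use Sub CA" symptom in this package's changelog — instead of failing where the wrong name would have been noticed. The same path remains, so an IPA server that does not know `cacn` will again issue from a CA other than the one requested, without any message. Consider extending the comment, e.g. `* really an extensible solution, though; note the retried request will be issued by the server's default CA, not the requested one. */`, and adding a test that checks the issuer of the returned certificate so the fallback cannot hide an option-name mismatch again. The `switch` containing the retry begins outside the hunk.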
@@ -36,7 +36,18 @@ Source0: http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.g
 Source1: http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz.sig
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+Patch0001: 0001-Stop-assuming-RSA-512-works.patch
+Patch0002: 0002-Stop-assuming-RSA-512-works-part-two.patch
+Patch0003: 0003-Add-issuer-request-option-for-specifying-issuer.patch
+Patch0004: 0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch
+Patch0005: 0005-Comment-whitespace-fixup.patch
+Patch0006: 0006-ipa-submit-Retry-without-ca-on-OptionError.patch
+Patch0007: 0007-getcert-fix-a-potential-out-of-bounds.patch
+Patch0008: 0008-Document-the-X-option-in-the-ipa-submit-man-page.patch
+Patch0009: 0009-Fix-a-flakiness-in-the-028-dbus-test.patch
+
 Patch1001: 1001-Remove-rekey-feature.patch
+Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch
 BuildRequires: openldap-devel
 BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel
@@ -245,6 +256,24 @@ exit 0
 %endif
 %changelog
+* Tue Sep 6 2016 Jan Cholasta - 0.78.4-3
+- Resolves: #1367683 getcert request command fails to use Sub CA using -X
+ argument
+ - Fix CA option name for ipa cert-request
+
+* Fri Jul 1 2016 Jan Cholasta - 0.78.4-2
+- Resolves: #1345755 Support for specifying IPA lightweight CA
+ - Add 'issuer' request option for specifying issuer
+ - Documentation: mark $CERTMONGER_CA_ISSUER as 0.79
+ - Comment/whitespace fixup
+ - ipa-submit: Retry without "ca" on OptionError
+ - getcert: fix a potential out-of-bounds
+ - Document the -X option in the ipa-submit man page
+- Resolves: #1351052 certmonger build for RHEL 7.3 failure
+ - Stop assuming RSA 512 works
+ - Stop assuming RSA 512 works, part two
+ - Fix a flakiness in the 028-dbus test
+
 * Mon Aug 10 2015 Jan Cholasta - 0.78.4-1
 - Resolves: #1249753 challenge password not added in csr using start-tracking
 - Resolves: #1250397 Remove certmonger rekey feature in 7.2