diff --git a/SOURCES/0032-Don-t-report-a-spurious-error-if-no-SCEP-pkiMessage-.patch b/SOURCES/0032-Don-t-report-a-spurious-error-if-no-SCEP-pkiMessage-.patch
new file mode 100644
index 0000000..1d6d29d
--- /dev/null
+++ b/SOURCES/0032-Don-t-report-a-spurious-error-if-no-SCEP-pkiMessage-.patch
@@ -0,0 +1,72 @@
+From b37b8b0979a665fba897bb251d4b206c29936320 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Fri, 11 Jun 2021 11:06:48 -0400
+Subject: [PATCH] Don't report a spurious error if no SCEP pkiMessage is ready
+ yet
+
+On a brand new request in the state op_pkcsreq there will be no
+pkiMessage to send yet because there is no CSR yet.
+
+It correctly detects this state but also displays the message:
+
+ Error reading request. Expected PKCS7 data containing a
+ PKCSReq pkiMessage, got nothing.
+
+This is confusing if the request eventually succeeds.
+
+It really only needs to report this if it is passed in a file name
+to read the message from, otherwise silently return
+CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES.
+
+The same issue existed in the op_get_cert_initial state.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1253009
+---
+ src/scep.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scep.c b/src/scep.c
+index bf181bf..09bdb28 100644
+--- a/src/scep.c
++++ b/src/scep.c
+@@ -375,12 +375,14 @@ main(int argc, const char **argv)
+ if ((message == NULL) || (strlen(message) == 0)) {
+ if (poptPeekArg(pctx) != NULL) {
+ message = cm_submit_u_from_file(poptGetArg(pctx));
++ if ((message == NULL) || (strlen(message) == 0)) {
++ printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
++ return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
++ }
++ } else {
++ return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ }
+ }
+- if ((message == NULL) || (strlen(message) == 0)) {
+- printf(_("Error reading request, expected PKCS7 data.\n"));
+- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+- }
+ /* First step: read capabilities for our use. */
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
+ }
+@@ -394,12 +396,14 @@ main(int argc, const char **argv)
+ if ((message == NULL) || (strlen(message) == 0)) {
+ if (poptPeekArg(pctx) != NULL) {
+ message = cm_submit_u_from_file(poptGetArg(pctx));
++ if ((message == NULL) || (strlen(message) == 0)) {
++ printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
++ return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
++ }
++ } else {
++ return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ }
+ }
+- if ((message == NULL) || (strlen(message) == 0)) {
+- printf(_("Error reading request, expected PKCS7 data.\n"));
+- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+- }
+ /* First step: read capabilities for our use. */
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
+ }
+--
+2.26.3
+
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index 47135b9..3b4f8c3 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -26,7 +26,7 @@
 Name: certmonger
 Version: 0.78.4
-Release: 14%{?dist}
+Release: 15%{?dist}
 Summary: Certificate status monitor and PKI enrollment client
 Group: System Environment/Daemons
@@ -67,6 +67,7 @@ Patch0028: 0028-No-message-ca-ident-from-GetCACaps-GetCACert-drop-Ge.patch
 Patch0029: 0029-Document-R-N-o-in-dogtag-ipa-renew-agent-submit.patch
 Patch0030: 0030-Ensure-that-files-read-in-have-a-trailing-new-line.patch
 Patch0031: 0031-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
+Patch0032: 0032-Don-t-report-a-spurious-error-if-no-SCEP-pkiMessage-.patch
 Patch1001: 1001-Remove-rekey-feature.patch
 Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch
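Review bot: Both added `printf` calls in src/scep.c (the hunks at -375 and -394) print the same text naming a "GetInitialCert pkiMessage", although the commit message says one of the two states is op_pkcsreq and quotes an error that names a "PKCSReq pkiMessage". The case labels are outside the hunks, so which hunk belongs to which state cannot be confirmed from here, but one of the two messages looks like a copy-paste. An operator troubleshooting a failed SCEP enrollment would then be told the wrong message type was missing. In the op_pkcsreq branch the line should presumably read `printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));`. The enclosing `main` starts and ends outside both hunks.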
@@ -287,6 +288,9 @@ exit 0 %endif %changelog +* Wed Jun 09 2021 Rob Crittenden - 0.78.4-15 +- Don't report spurious error if no SCEP pkiMessage is ready yet (#1969854) + * Fri May 22 2020 Rob Crittenden - 0.78.4-14 - Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1839181)