diff --git a/SOURCES/0012-Remove-trailing-CR-LF-when-reading-passwords-from-a-.patch b/SOURCES/0012-Remove-trailing-CR-LF-when-reading-passwords-from-a-.patch new file mode 100644 index 0000000..dbca807 --- /dev/null +++ b/SOURCES/0012-Remove-trailing-CR-LF-when-reading-passwords-from-a-.patch @@ -0,0 +1,35 @@ +From a55000a067d68cbf7aaf201b73ba2eb14090f916 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 21 Feb 2018 15:28:38 -0500 +Subject: [PATCH] Remove trailing CR/LF when reading passwords from a file. + +https://bugzilla.redhat.com/show_bug.cgi?id=1547641 +--- + src/dogtag.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/dogtag.c b/src/dogtag.c +index 5b55b04d..871f3875 100644 +--- a/src/dogtag.c ++++ b/src/dogtag.c +@@ -476,9 +476,17 @@ main(int argc, const char **argv) + /* Read the client password and/or PIN, if we need to. */ + if ((pwdfile != NULL) && (pwd == NULL)) { + pwd = cm_submit_u_from_file(pwdfile); ++ if (pwd != NULL) { ++ pwd = talloc_strndup(ctx, pwd, ++ strcspn(pwd, "\r\n")); ++ } + } + if ((pinfile != NULL) && (pin == NULL)) { + pin = cm_submit_u_from_file(pinfile); ++ if (pin != NULL) { ++ pin = talloc_strndup(ctx, pin, ++ strcspn(pin, "\r\n")); ++ } + } + + /* Figure out which form and arguments to use. */ +-- +2.13.6 + diff --git a/SOURCES/0013-Disable-the-10-iterate-tests-which-randomly-fail.patch b/SOURCES/0013-Disable-the-10-iterate-tests-which-randomly-fail.patch new file mode 100644 index 0000000..b0fe84e --- /dev/null +++ b/SOURCES/0013-Disable-the-10-iterate-tests-which-randomly-fail.patch @@ -0,0 +1,35 @@ +From 80e016cc4efef1b7f9abc73e209e83bcd3fa0c6f Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 17 Jul 2018 16:22:02 -0400 +Subject: [PATCH] Disable the 10-iterate tests which randomly fail + +Sometimes the dates are off just enough to cause the comparison +to fail. +--- + tests/Makefile.am | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index f60e571..bbcd06e 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -62,8 +62,6 @@ EXTRA_DIST = \ + 008-certread/expected.out \ + 009-oiddict/run.sh \ + 009-oiddict/expected.out \ +- 010-iterate/run.sh \ +- 010-iterate/expected.out \ + 011-dbinit/expected.out \ + 011-dbinit/run.sh \ + 011-dbinit-dbm/expected.out \ +@@ -166,7 +164,6 @@ subdirs = \ + 007-certsave \ + 008-certread \ + 009-oiddict \ +- 010-iterate \ + 011-dbinit \ + 012-dbadd \ + 013-enckey \ +-- +2.13.6 + diff --git a/SOURCES/0014-MS-cert-template-add-D-Bus-property-and-storage.patch b/SOURCES/0014-MS-cert-template-add-D-Bus-property-and-storage.patch new file mode 100644 index 0000000..f4fa5c6 --- /dev/null +++ b/SOURCES/0014-MS-cert-template-add-D-Bus-property-and-storage.patch @@ -0,0 +1,198 @@ +From afe1fc05a5da349c3e24e8c96b1e185e4da53613 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 17 Aug 2017 11:38:43 +1000 +Subject: [PATCH] MS cert template: add D-Bus property and storage + +Add a D-Bus property and storage for a new template attribute, which +will hold data to be included in CSRs in the MS V2 certificate +template extension. + +The server does not validate the extension data (validation +behaviour is implemented in a subsequent commit). + +Part of: https://pagure.io/certmonger/issue/78 +--- + doc/api.txt | 2 ++ + src/store-files.c | 10 ++++++++++ + src/store-int.h | 1 + + src/tdbus.h | 1 + + src/tdbush.c | 29 ++++++++++++++++++++++++++++- + tests/028-dbus/expected.out | 1 + + 6 files changed, 43 insertions(+), 1 deletion(-) + +diff --git a/doc/api.txt b/doc/api.txt +index 31016be..83cf375 100644 +--- a/doc/api.txt ++++ b/doc/api.txt +@@ -56,6 +56,7 @@ o object layout + {("template-crldp"),array-of-string (CRL distribution point URIs)} + {("template-ns-comment"),string (Netscape comment)} + {("template-profile"),string (certificate profile)} ++ {("template-ms-certificate-template"),string (MS V2 template specifier; format: :[:] )} + {("template-issuer"),string (requested issuer)} + {("template-challenge-password"),string (password to add to CSR)} + {("template-challenge-password-file"),string (password file) +@@ -165,6 +166,7 @@ o object layout + {("template-crldp"),array-of-string (CRL distribution point URIs)} + {("template-ns-comment"),string (Netscape comment)} + {("template-profile"),string (certificate profile)} ++ {("template-ms-certificate-template"),string (MS V2 template specifier; format: :[:] )} + {("template-issuer"),string (requested issuer)} + {("template-challenge-password"),string (password to add to CSR)} + {("template-challenge-password-file"),string (password file) +diff --git a/src/store-files.c b/src/store-files.c +index 889829c..977e896 100644 +--- a/src/store-files.c ++++ b/src/store-files.c +@@ -130,6 +130,7 @@ enum cm_store_file_field { + cm_store_entry_field_template_ns_comment, + cm_store_entry_field_template_profile, + cm_store_entry_field_template_issuer, ++ cm_store_entry_field_template_certificate_template, + cm_store_entry_field_template_no_ocsp_check, + cm_store_entry_field_template_ns_certtype, + +@@ -305,6 +306,7 @@ static struct cm_store_file_field_list { + {cm_store_entry_field_template_profile, "template_profile"}, /* right */ + {cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */ + {cm_store_entry_field_template_issuer, "template_issuer"}, ++ {cm_store_entry_field_template_certificate_template, "template_certificate_template"}, + {cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"}, + {cm_store_entry_field_template_ns_certtype, "template_ns_certtype"}, + +@@ -1129,6 +1131,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp) + case cm_store_entry_field_template_profile: + ret->cm_template_profile = free_if_empty(p); + break; ++ case cm_store_entry_field_template_certificate_template: ++ ret->cm_template_certificate_template = free_if_empty(p); ++ break; + case cm_store_entry_field_template_issuer: + ret->cm_template_issuer = free_if_empty(p); + break; +@@ -1375,6 +1380,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) + case cm_store_entry_field_template_ocsp_location: + case cm_store_entry_field_template_ns_comment: + case cm_store_entry_field_template_profile: ++ case cm_store_entry_field_template_certificate_template: + case cm_store_entry_field_template_issuer: + case cm_store_entry_field_template_no_ocsp_check: + case cm_store_entry_field_template_ns_certtype: +@@ -1984,6 +1990,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry) + entry->cm_template_no_ocsp_check ? 1 : 0); + cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype, + entry->cm_template_ns_certtype); ++ cm_store_file_write_str(fp, cm_store_entry_field_template_certificate_template, ++ entry->cm_template_certificate_template); + + cm_store_file_write_str(fp, cm_store_entry_field_challenge_password, + entry->cm_template_challenge_password); +@@ -2745,6 +2753,8 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry) + ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile); + ret->cm_template_issuer = cm_store_maybe_strdup(ret, entry->cm_template_issuer); + ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check; ++ ret->cm_template_certificate_template = ++ cm_store_maybe_strdup(ret, entry->cm_template_certificate_template); + ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret, + entry->cm_template_ns_certtype); + +diff --git a/src/store-int.h b/src/store-int.h +index 2d3a353..98b37e6 100644 +--- a/src/store-int.h ++++ b/src/store-int.h +@@ -144,6 +144,7 @@ struct cm_store_entry { + char *cm_template_profile; + char *cm_template_issuer; + char *cm_template_ns_certtype; ++ char *cm_template_certificate_template; + unsigned int cm_template_no_ocsp_check: 1; + /* A challenge password, which may be included (in cleartext form!) in + * a CSR. */ +diff --git a/src/tdbus.h b/src/tdbus.h +index 496f2dd..7164f11 100644 +--- a/src/tdbus.h ++++ b/src/tdbus.h +@@ -110,6 +110,7 @@ + #define CM_DBUS_PROP_TEMPLATE_PROFILE "template-profile" + #define CM_DBUS_PROP_TEMPLATE_ISSUER "template-issuer" + #define CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE "template-ns-certtype" ++#define CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE "template-ms-certificate-template" + #define CM_DBUS_SIGNAL_REQUEST_CERT_SAVED "SavedCertificate" + #define CM_DBUS_PROP_CA_PRESAVE_COMMAND "ca-presave-command" + #define CM_DBUS_PROP_CA_PRESAVE_UID "ca-presave-uid" +diff --git a/src/tdbush.c b/src/tdbush.c +index 631da3e..94bf793 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -1568,6 +1568,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, + new_entry->cm_template_issuer = maybe_strdup(new_entry, + param->value.s); + } ++ param = cm_tdbusm_find_dict_entry(d, ++ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE, ++ cm_tdbusm_dict_s); ++ if (param != NULL) { ++ // TODO check validity ++ new_entry->cm_template_certificate_template = maybe_strdup(new_entry, ++ param->value.s); ++ } + param = cm_tdbusm_find_dict_entry(d, + CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD, + cm_tdbusm_dict_s); +@@ -3320,6 +3328,17 @@ request_modify(DBusConnection *conn, DBusMessage *msg, + propname[n_propname++] = CM_DBUS_PROP_TEMPLATE_ISSUER; + } + } else ++ if ((param->value_type == cm_tdbusm_dict_s) && ++ (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE) == 0)) { ++ talloc_free(entry->cm_template_certificate_template); ++ // TODO check validity ++ entry->cm_template_certificate_template = ++ maybe_strdup(entry, param->value.s); ++ if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) { ++ propname[n_propname++] = ++ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE; ++ } ++ } else + if ((param->value_type == cm_tdbusm_dict_s) && + (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD) == 0)) { + talloc_free(entry->cm_template_challenge_password); +@@ -6734,6 +6753,14 @@ cm_tdbush_iface_request(void) + offsetof(struct cm_store_entry, cm_template_issuer), + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + NULL), ++ make_interface_item(cm_tdbush_interface_property, ++ make_property(CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE, ++ cm_tdbush_property_string, ++ cm_tdbush_property_readwrite, ++ cm_tdbush_property_char_p, ++ offsetof(struct cm_store_entry, cm_template_certificate_template), ++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ++ NULL), + make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE, + cm_tdbush_property_string, +@@ -7179,7 +7206,7 @@ cm_tdbush_iface_request(void) + make_interface_item(cm_tdbush_interface_signal, + make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, + NULL), +- NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); ++ NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); + } + return ret; + } +diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index 93cc4d1..8a81a7f 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -330,6 +330,7 @@ OK + + + ++ + + + +-- +2.14.4 + diff --git a/SOURCES/0015-MS-cert-template-add-template-extension-to-CSR.patch b/SOURCES/0015-MS-cert-template-add-template-extension-to-CSR.patch new file mode 100644 index 0000000..bcb14f1 --- /dev/null +++ b/SOURCES/0015-MS-cert-template-add-template-extension-to-CSR.patch @@ -0,0 +1,135 @@ +From 616bc539e7054f7e561ca66672019f7990759811 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 17 Aug 2017 18:10:37 +1000 +Subject: [PATCH] MS cert template: add template extension to CSR + +Add the MS V2 certificate template extension to the CSR, when the +attribute is set. Failure to parse the value (as stored) merely +causes the extension to be skipped. + +Part of: https://pagure.io/certmonger/issue/78 +--- + src/certext.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 84 insertions(+), 2 deletions(-) + +diff --git a/src/certext.c b/src/certext.c +index 64ae05a..5f8a743 100644 +--- a/src/certext.c ++++ b/src/certext.c +@@ -69,7 +69,7 @@ struct kerberos_principal_name { + struct ms_template { + SECItem id; + SECItem major; +- SECItem *minor; ++ SECItem minor; + }; + + /* KerberosString: RFC 4120, 5.2.1 */ +@@ -180,7 +180,7 @@ cm_ms_template_template[] = { + .kind = SEC_ASN1_SEQUENCE, + .offset = 0, + .sub = NULL, +- .size = sizeof(struct kerberos_principal_name), ++ .size = sizeof(struct ms_template), + }, + { + .kind = SEC_ASN1_OBJECT_ID, +@@ -1593,6 +1593,76 @@ cm_certext_build_profile(struct cm_store_entry *entry, + return item; + } + ++/* Build a Microsoft certificate template extension value. */ ++static SECItem * ++cm_certext_build_certificate_template( ++ PLArenaPool *arena, ++ char *template_spec) ++{ ++ struct ms_template template_data; ++ memset(&template_data, 0, sizeof(struct ms_template)); ++ ++ if (NULL == template_spec || *template_spec == '\0') ++ return NULL; ++ ++ /* strtok overwrites delimiters with null bytes; ++ * therefore duplicate the input string */ ++ char *template_spec_dup = PORT_ArenaStrdup(arena, template_spec); ++ if (NULL == template_spec_dup) ++ return NULL; ++ ++ int i = 0; ++ char *saveptr, *endptr; ++ for ( ++ char *part = strtok_r(template_spec_dup, ":", &saveptr); ++ part != NULL; ++ part = strtok_r(NULL, ":", &saveptr) ++ ) { ++ if (i == 0) { ++ // parse OID ++ if (SECSuccess != SEC_StringToOID(arena, &template_data.id, part, 0)) ++ return NULL; ++ } ++ else if (i == 1) { ++ // parse major version ++ long x = strtol(part, &endptr, 10); ++ if (*part == '\0' || *endptr != '\0') { ++ // string was empty or contained non-digits ++ return NULL; ++ } ++ if (SEC_ASN1EncodeInteger(arena, &template_data.major, x) ++ != &template_data.major) ++ return NULL; ++ } ++ else if (i == 2) { ++ // parse minor version ++ long x = strtol(part, &endptr, 10); ++ if (*part == '\0' || *endptr != '\0') { ++ // string was empty or contained non-digits ++ return NULL; ++ } ++ if (SEC_ASN1EncodeInteger(arena, &template_data.minor, x) ++ != &template_data.minor) ++ return NULL; ++ } ++ else { ++ // there are too many parts! ++ return NULL; ++ } ++ i++; ++ } ++ if (i < 2) { ++ // there are too few parts! (OID and major version are required) ++ return NULL; ++ } ++ ++ SECItem encoded; ++ if (SEC_ASN1EncodeItem(arena, &encoded, &template_data, ++ cm_ms_template_template) != &encoded) ++ return NULL; ++ return SECITEM_ArenaDupItem(arena, &encoded); ++} ++ + /* Build a Netscape certtype extension value. */ + static SECItem * + cm_certext_build_ns_certtype(struct cm_store_entry *entry, +@@ -1840,6 +1910,18 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry, + i++; + } + } ++ if (entry->cm_template_certificate_template != NULL) { ++ oid = (SECOidData *) &oid_microsoft_certificate_template; ++ item = cm_certext_build_certificate_template( ++ arena, entry->cm_template_certificate_template); ++ if ((item != NULL) && (oid != NULL)) { ++ ext[i].id = oid->oid; ++ ext[i].critical = der_false; ++ ext[i].value = *item; ++ exts[i] = &ext[i]; ++ i++; ++ } ++ } + if (entry->cm_template_ns_certtype != NULL) { + oid = SECOID_FindOIDByTag(SEC_OID_NS_CERT_EXT_CERT_TYPE); + item = cm_certext_build_ns_certtype(entry, arena, +-- +2.14.4 + diff --git a/SOURCES/0016-MS-cert-template-add-option-to-command-line-programs.patch b/SOURCES/0016-MS-cert-template-add-option-to-command-line-programs.patch new file mode 100644 index 0000000..5270264 --- /dev/null +++ b/SOURCES/0016-MS-cert-template-add-option-to-command-line-programs.patch @@ -0,0 +1,246 @@ +From 199a97c11d4fc3a9e0f10e4eebf44f9f3841f8b1 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 18 Aug 2017 13:03:05 +1000 +Subject: [PATCH] MS cert template: add option to command line programs + +Add the --ms-template-spec command line argument for specifying the +value of the V2 Certificate Template extension. + +Part of: https://pagure.io/certmonger/issue/78 +--- + src/getcert-request.1.in | 6 ++++++ + src/getcert-resubmit.1.in | 6 ++++++ + src/getcert-start-tracking.1.in | 6 ++++++ + src/getcert.c | 46 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 64 insertions(+) + +diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in +index b6578dc..8269b78 100644 +--- a/src/getcert-request.1.in ++++ b/src/getcert-request.1.in +@@ -88,6 +88,12 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. + Request a certificate using the named profile, template, or certtype, + from the specified CA. + .TP ++\fB\-\-ms-template-spec\fR SPEC ++Include a V2 Certificate Template extension in the signing request. ++This datum includes an Object Identifier, a major version number ++(positive integer) and an optional minor version number. The format ++is: \fB:[:]\fR. ++.TP + \fB\-X\fR NAME + Request a certificate using the named issuer from the specified CA. + +diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in +index 165940e..62d5f28 100644 +--- a/src/getcert-resubmit.1.in ++++ b/src/getcert-resubmit.1.in +@@ -48,6 +48,12 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. + Request a certificate using the named profile, template, or certtype, + from the specified CA. + .TP ++\fB\-\-ms-template-spec\fR SPEC ++Include a V2 Certificate Template extension in the signing request. ++This datum includes an Object Identifier, a major version number ++(positive integer) and an optional minor version number. The format ++is: \fB:[:]\fR. ++.TP + \fB\-X\fR NAME + Request a certificate using the named issuer from the specified CA. + .TP +diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in +index a46f535..9daeed3 100644 +--- a/src/getcert-start-tracking.1.in ++++ b/src/getcert-start-tracking.1.in +@@ -86,6 +86,12 @@ useful in combination with \fB\-r\fR. + Request a certificate using the named profile, template, or certtype, + from the specified CA. + .TP ++\fB\-\-ms-template-spec\fR SPEC ++Include a V2 Certificate Template extension in the signing request. ++This datum includes an Object Identifier, a major version number ++(positive integer) and an optional minor version number. The format ++is: \fB:[:]\fR. ++.TP + \fB\-X\fR NAME + Request a certificate using the named issuer from the specified CA. + +diff --git a/src/getcert.c b/src/getcert.c +index c84273a..5277a15 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -692,6 +692,7 @@ request(const char *argv0, int argc, const char **argv) + int keysize = 0, auto_renew = 1, verbose = 0, ku = 0, kubit, c, i, j; + char *ca = DEFAULT_CA, *subject = NULL, **eku = NULL, *oid, *id = NULL; + char *profile = NULL, *issuer = NULL, kustring[16]; ++ char *ms_template_spec = NULL; + char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; +@@ -732,6 +733,7 @@ request(const char *argv0, int argc, const char **argv) + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME}, + {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, +@@ -859,6 +861,9 @@ request(const char *argv0, int argc, const char **argv) + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'Y': ++ ms_template_spec = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'X': + issuer = talloc_strdup(globals.tctx, poptarg); + break; +@@ -1293,6 +1298,13 @@ request(const char *argv0, int argc, const char **argv) + params[i] = ¶m[i]; + i++; + } ++ if (ms_template_spec != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = ms_template_spec; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (issuer != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; + param[i].value_type = cm_tdbusm_dict_s; +@@ -1492,6 +1504,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id, + char *pin, char *pinfile, + char *cpass, char *cpassfile, + char *ca, char *profile, char *issuer, ++ char *ms_template_spec, + char *precommand, char *postcommand, + char **anchor_dbs, char **anchor_files, + dbus_bool_t auto_renew_stop, int waitreq, +@@ -1655,6 +1668,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id, + params[i] = ¶m[i]; + i++; + } ++ if (ms_template_spec != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = ms_template_spec; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (issuer != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; + param[i].value_type = cm_tdbusm_dict_s; +@@ -1745,6 +1765,7 @@ set_tracking(const char *argv0, const char *category, + char *id = NULL, *new_id = NULL, *new_request; + char *keyfile = NULL, *certfile = NULL, *ca = DEFAULT_CA; + char *profile = NULL, *issuer = NULL; ++ char *ms_template_spec = NULL; + char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; +@@ -1785,6 +1806,7 @@ set_tracking(const char *argv0, const char *category, + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME}, + {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("override requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("override requested extended key usage OID"), HELP_TYPE_EKU}, +@@ -1887,6 +1909,9 @@ set_tracking(const char *argv0, const char *category, + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'Y': ++ ms_template_spec = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'i': + id = talloc_strdup(globals.tctx, poptarg); + break; +@@ -2311,6 +2336,7 @@ set_tracking(const char *argv0, const char *category, + pin, pinfile, + cpass, cpassfile, + ca, profile, issuer, ++ ms_template_spec, + precommand, postcommand, + anchor_dbs, anchor_files, + (auto_renew_stop > 0), +@@ -2386,6 +2412,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + char *subject = NULL, **eku = NULL, *oid = NULL; + char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; + char *profile = NULL, *issuer = NULL, kustring[16]; ++ char *ms_template_spec = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; + char *keytype = NULL; +@@ -2422,6 +2449,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the current one"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME}, + {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, +@@ -2497,6 +2525,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'Y': ++ ms_template_spec = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'X': + issuer = talloc_strdup(globals.tctx, poptarg); + break; +@@ -2861,6 +2892,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + params[i] = ¶m[i]; + i++; + } ++ if (ms_template_spec != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = ms_template_spec; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (issuer != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; + param[i].value_type = cm_tdbusm_dict_s; +@@ -4677,6 +4715,8 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the default\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" --ms-template-spec SPEC\n"), ++ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Parameters for the signing request:\n"), + N_(" -N NAME set requested subject name (default: CN=)\n"), +@@ -4726,6 +4766,8 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the default\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" --ms-template-spec SPEC\n"), ++ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Parameters for the signing request at renewal time:\n"), + N_(" -U EXTUSAGE override requested extended key usage OID\n"), +@@ -4805,6 +4847,8 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the current one\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" --ms-template-spec SPEC\n"), ++ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Bus options:\n"), + N_(" -S connect to the certmonger service on the system bus\n"), +@@ -4853,6 +4897,8 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the current one\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" --ms-template-spec SPEC\n"), ++ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_(" -G TYPE type of new key to be generated\n"), + N_(" -g SIZE size of new key to be generated\n"), +-- +1.8.3.1 + diff --git a/SOURCES/0017-MS-cert-template-validate-argument.patch b/SOURCES/0017-MS-cert-template-validate-argument.patch new file mode 100644 index 0000000..cf4d2f6 --- /dev/null +++ b/SOURCES/0017-MS-cert-template-validate-argument.patch @@ -0,0 +1,143 @@ +From 481fb8581fdf891b768eeb0bc88855c27689722b Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 18 Aug 2017 16:17:49 +1000 +Subject: [PATCH] MS cert template: validate argument + +Update the server to validate the MS V2 certificate template option +argument when adding or updating a request. + +Fixes: https://pagure.io/certmonger/issue/78 +--- + src/Makefile.am | 4 +++- + src/certext.c | 13 +++++++++++++ + src/certext.h | 5 +++++ + src/tdbush.c | 25 +++++++++++++++++++++++-- + 4 files changed, 44 insertions(+), 3 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 479903c..213bfa9 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -186,7 +186,7 @@ tdbusm_check_SOURCES = tdbusm-check.c tm.c tm.h + tdbusm_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(POPT_LIBS) + serial_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LTLIBICONV) + nl_check_LDADD = libcm.a $(CERTMONGER_LIBS) +-submit_x_CFLAGS = $(AM_CFLAGS) -DCM_SUBMIT_X_MAIN ++submit_x_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) -DCM_SUBMIT_X_MAIN + submit_x_SOURCES = submit-x.c submit-x.h submit-u.c submit-u.h log.c log.h \ + tm.c tm.h + submit_x_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \ +@@ -205,12 +205,14 @@ pkglibexec_PROGRAMS += local-submit + pkglibexec_PROGRAMS += scep-submit + endif + noinst_PROGRAMS += submit-h submit-d ++ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) + ipa_submit_SOURCES = ipa.c srvloc.c srvloc.h store.h store-gen.c \ + submit-x.c submit-x.h submit-u.c submit-u.h \ + submit-e.h util.c util.h log.c log.h tm.c tm.h + ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \ + $(GMP_LIBS) $(IDN_LIBS) $(OPENSSL_LIBS) $(UUID_LIBS) \ + $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS) ++certmaster_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) + certmaster_submit_SOURCES = certmaster.c submit-x.c submit-x.h \ + submit-e.h submit-u.c submit-u.h util.c util.h log.c log.h \ + tm.c tm.h +diff --git a/src/certext.c b/src/certext.c +index 5f8a743..587496f 100644 +--- a/src/certext.c ++++ b/src/certext.c +@@ -1663,6 +1663,19 @@ cm_certext_build_certificate_template( + return SECITEM_ArenaDupItem(arena, &encoded); + } + ++/* Validate a V2 template spec */ ++PRBool cm_ms_template_valid(char *template_spec) { ++ PLArenaPool *arena = PORT_NewArena(sizeof(double)); ++ if (arena == NULL) ++ return PR_FALSE; ++ SECItem *result = ++ cm_certext_build_certificate_template(arena, template_spec); ++ PORT_FreeArena(arena, PR_FALSE); ++ // *result has been freed, but we don't read it; ++ // we only need to know whether the parse succeeded ++ return result != NULL; ++} ++ + /* Build a Netscape certtype extension value. */ + static SECItem * + cm_certext_build_ns_certtype(struct cm_store_entry *entry, +diff --git a/src/certext.h b/src/certext.h +index 530ece4..5e95835 100644 +--- a/src/certext.h ++++ b/src/certext.h +@@ -15,6 +15,8 @@ + * along with this program. If not, see . + */ + ++#include ++ + #ifndef cmcertext_h + #define cmcertext_h + +@@ -25,4 +27,7 @@ void cm_certext_build_csr_extensions(struct cm_store_entry *entry, + struct NSSInitContextStr *ctx, + unsigned char **encoded, size_t *length); + ++/* Validate a V2 template spec */ ++PRBool cm_ms_template_valid(char *template_spec); ++ + #endif +diff --git a/src/tdbush.c b/src/tdbush.c +index 9e2a372..04fe57e 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -32,6 +32,7 @@ + + #include "log.h" + #include "cm.h" ++#include "certext.h" + #include "prefs.h" + #include "store.h" + #include "store-int.h" +@@ -1572,7 +1573,18 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, + CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE, + cm_tdbusm_dict_s); + if (param != NULL) { +- // TODO check validity ++ if (param->value.s != NULL ++ && strlen(param->value.s) > 0 ++ && !cm_ms_template_valid(param->value.s)) { ++ cm_log(1, "Invalid V2 certificate template specifier: %s", param->value.s); ++ ret = send_internal_base_bad_arg_error( ++ conn, msg, ++ _("Invalid V2 certificate template specifier: %s"), ++ param->value.s, ++ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE); ++ talloc_free(parent); ++ return ret; ++ } + new_entry->cm_template_certificate_template = maybe_strdup(new_entry, + param->value.s); + } +@@ -3330,8 +3342,17 @@ request_modify(DBusConnection *conn, DBusMessage *msg, + } else + if ((param->value_type == cm_tdbusm_dict_s) && + (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE) == 0)) { ++ if (param->value.s != NULL ++ && strlen(param->value.s) > 0 ++ && !cm_ms_template_valid(param->value.s)) { ++ cm_log(1, "Invalid V2 certificate template specifier: %s", param->value.s); ++ return send_internal_base_bad_arg_error( ++ conn, msg, ++ _("Invalid V2 certificate template specifier: %s"), ++ param->value.s, ++ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE); ++ } + talloc_free(entry->cm_template_certificate_template); +- // TODO check validity + entry->cm_template_certificate_template = + maybe_strdup(entry, param->value.s); + if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) { +-- +2.14.4 + diff --git a/SOURCES/0018-MS-cert-template-add-tests.patch b/SOURCES/0018-MS-cert-template-add-tests.patch new file mode 100644 index 0000000..22da5ab --- /dev/null +++ b/SOURCES/0018-MS-cert-template-add-tests.patch @@ -0,0 +1,165 @@ +From c33a8fe36d340447641d4dc623c98d2bf9a2d650 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 24 Aug 2017 13:37:36 +1000 +Subject: [PATCH] MS cert template: add tests + +Part of: https://pagure.io/certmonger/issue/78 +--- + tests/038-ms-v2-template/expected.out | 19 ++++++++++ + tests/038-ms-v2-template/extract-extdata.py | 29 ++++++++++++++++ + tests/038-ms-v2-template/run.sh | 54 +++++++++++++++++++++++++++++ + tests/Makefile.am | 8 +++-- + 4 files changed, 108 insertions(+), 2 deletions(-) + create mode 100644 tests/038-ms-v2-template/expected.out + create mode 100755 tests/038-ms-v2-template/extract-extdata.py + create mode 100755 tests/038-ms-v2-template/run.sh + +diff --git a/tests/038-ms-v2-template/expected.out b/tests/038-ms-v2-template/expected.out +new file mode 100644 +index 0000000..7338a5f +--- /dev/null ++++ b/tests/038-ms-v2-template/expected.out +@@ -0,0 +1,19 @@ ++[key] ++OK. ++[csr : bogus oid] ++extension not present ++[csr : bogus major version] ++extension not present ++[csr : missing major version] ++extension not present ++[csr : too many parts] ++extension not present ++[csr : oid, major version] ++ 0:d=0 hl=2 l= 8 cons: SEQUENCE ++ 2:d=1 hl=2 l= 3 prim: OBJECT :1.2.3.4 ++ 7:d=1 hl=2 l= 1 prim: INTEGER :2A ++[csr : oid, major version, minor version] ++ 0:d=0 hl=2 l= 11 cons: SEQUENCE ++ 2:d=1 hl=2 l= 3 prim: OBJECT :1.2.3.4 ++ 7:d=1 hl=2 l= 1 prim: INTEGER :2A ++ 10:d=1 hl=2 l= 1 prim: INTEGER :11 +diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py +new file mode 100755 +index 0000000..cd96f99 +--- /dev/null ++++ b/tests/038-ms-v2-template/extract-extdata.py +@@ -0,0 +1,29 @@ ++#!/bin/python2 ++ ++# Given `openssl asn1parse` output of a CSR, look for the V2 Template ++# extension and output its data if found. Nonzero exit status if ++# not found. ++ ++import binascii ++import re ++import sys ++ ++STATE_SEARCH, STATE_FOUND, STATE_DONE = range(3) ++ ++state = STATE_SEARCH ++ ++for line in sys.stdin: ++ if state == STATE_SEARCH and ':1.3.6.1.4.1.311.21.7' in line: ++ state = STATE_FOUND ++ continue ++ ++ # look for first OCTET STRING once we're in STATE_FOUND ++ # ++ if state == STATE_FOUND and 'OCTET STRING' in line: ++ result = re.search(r'\[HEX DUMP\]:(\w*)', line) ++ sys.stdout.write(binascii.unhexlify(result.group(1))) ++ state = STATE_DONE ++ break ++ ++if state != STATE_DONE: ++ sys.exit(1) +diff --git a/tests/038-ms-v2-template/run.sh b/tests/038-ms-v2-template/run.sh +new file mode 100755 +index 0000000..0eeb7f9 +--- /dev/null ++++ b/tests/038-ms-v2-template/run.sh +@@ -0,0 +1,54 @@ ++#!/bin/bash -e ++ ++srcdir=$PWD ++cd $tmpdir ++ ++mkconfig() { ++ cat > request <<- EOF ++ key_storage_type=FILE ++ key_storage_location=$tmpdir/key ++ cert_storage_type=FILE ++ cert_storage_location=$tmpdir/cert ++ template_subject=CN=MS V2 Certificate Template test ++ EOF ++} ++ ++echo "[key]" ++mkconfig ++$toolsdir/keygen request ++ ++echo "[csr : bogus oid]" ++mkconfig ++echo "template_certificate_template=NotAnOid:42" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py || echo "extension not present" ++ ++echo "[csr : bogus major version]" ++mkconfig ++echo "template_certificate_template=1.2.3.4:wat" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py || echo "extension not present" ++ ++echo "[csr : missing major version]" ++mkconfig ++echo "template_certificate_template=1.2.3.4" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py || echo "extension not present" ++ ++echo "[csr : too many parts]" ++mkconfig ++echo "template_certificate_template=1.2.3.4:1:1:1" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py || echo "extension not present" ++ ++echo "[csr : oid, major version]" ++mkconfig ++echo "template_certificate_template=1.2.3.4:42" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py | openssl asn1parse -inform DER ++ ++echo "[csr : oid, major version, minor version]" ++mkconfig ++echo "template_certificate_template=1.2.3.4:42:17" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py | openssl asn1parse -inform DER +diff --git a/tests/Makefile.am b/tests/Makefile.am +index bbcd06e..562b027 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -148,7 +148,10 @@ EXTRA_DIST = \ + 036-getcert/expected.out \ + 036-getcert/run.sh \ + 037-rekey2/expected.out \ +- 037-rekey2/run.sh ++ 037-rekey2/run.sh \ ++ 038-ms-v2-template/expected.out \ ++ 038-ms-v2-template/extract-extdata.py \ ++ 038-ms-v2-template/run.sh + + subdirs = \ + 001-keyiread \ +@@ -189,7 +192,8 @@ subdirs = \ + 034-perms \ + 035-json \ + 036-getcert \ +- 037-rekey2 ++ 037-rekey2 \ ++ 038-ms-v2-template + + if HAVE_DBM_NSSDB + subdirs += \ +-- +2.14.4 + diff --git a/SOURCES/0019-Fix-C99-build-error-on-EL7-systems.patch b/SOURCES/0019-Fix-C99-build-error-on-EL7-systems.patch new file mode 100644 index 0000000..6f711a9 --- /dev/null +++ b/SOURCES/0019-Fix-C99-build-error-on-EL7-systems.patch @@ -0,0 +1,37 @@ +From f1c410e315ebf70cc18296c959f40c8870d1a105 Mon Sep 17 00:00:00 2001 +From: Trevor Vaughan +Date: Fri, 23 Feb 2018 16:10:29 -0500 +Subject: [PATCH] Fix C99 build error on EL7 systems + +Needed for testing #89 +--- + src/certext.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/certext.c b/src/certext.c +index 587496f..c44c8bb 100644 +--- a/src/certext.c ++++ b/src/certext.c +@@ -1,6 +1,6 @@ + /* + * Copyright (C) 2009,2011,2012,2013,2014,2015 Red Hat, Inc. +- * ++ * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or +@@ -1612,9 +1612,9 @@ cm_certext_build_certificate_template( + return NULL; + + int i = 0; +- char *saveptr, *endptr; ++ char *saveptr, *endptr, *part; + for ( +- char *part = strtok_r(template_spec_dup, ":", &saveptr); ++ part = strtok_r(template_spec_dup, ":", &saveptr); + part != NULL; + part = strtok_r(NULL, ":", &saveptr) + ) { +-- +1.8.3.1 + diff --git a/SOURCES/1001-Remove-rekey-feature.patch b/SOURCES/1001-Remove-rekey-feature.patch index dba4798..525ab6b 100644 --- a/SOURCES/1001-Remove-rekey-feature.patch +++ b/SOURCES/1001-Remove-rekey-feature.patch @@ -1,4 +1,4 @@ -From c47a439f510adffe4e2225408261d0e93059e077 Mon Sep 17 00:00:00 2001 +From 3c763332adc224d0e325502cb3e5b97d4155bb0c Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Fri, 7 Aug 2015 13:40:41 +0200 Subject: [PATCH] Remove rekey feature @@ -20,7 +20,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1250397 12 files changed, 23 insertions(+), 113 deletions(-) diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in -index 7319c6a42c090420eb035515d94fd0640d990dda..31203c37fde407d2306de9d7f5aba9d3541eaaa3 100644 +index 7319c6a..31203c3 100644 --- a/src/certmonger-scep-submit.8.in +++ b/src/certmonger-scep-submit.8.in @@ -80,14 +80,6 @@ When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to @@ -39,7 +39,7 @@ index 7319c6a42c090420eb035515d94fd0640d990dda..31203c37fde407d2306de9d7f5aba9d3 Increases the logging level. Use twice for more logging. This option is mainly useful for troubleshooting. diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in -index 241f48b07b5045708aa118663b569d5ac3947782..e1220f134c30e760af73fb0abc88a498e94f23d2 100644 +index 241f48b..e1220f1 100644 --- a/src/certmonger.conf.5.in +++ b/src/certmonger.conf.5.in @@ -72,25 +72,6 @@ These are the trust attributes which are applied to certificates which are not @@ -69,7 +69,7 @@ index 241f48b07b5045708aa118663b569d5ac3947782..e1220f134c30e760af73fb0abc88a498 Within the \fIselfsign\fR section, these variables and values are recognized: diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in -index f07b9002a206526ea7f0334f5ba0071d8fffd3ae..64f0f5e80cd0fa3ae01fcf27828f97935dfb99c7 100644 +index f07b900..64f0f5e 100644 --- a/src/getcert-add-scep-ca.1.in +++ b/src/getcert-add-scep-ca.1.in @@ -46,14 +46,6 @@ A CA identifier value which will passed to the server when the @@ -88,10 +88,10 @@ index f07b9002a206526ea7f0334f5ba0071d8fffd3ae..64f0f5e80cd0fa3ae01fcf27828f9793 Be verbose about errors. Normally, the details of an error received from the daemon will be suppressed if the client can make a diagnostic suggestion. diff --git a/src/getcert.c b/src/getcert.c -index c84273a9bfc8730422f18ade87ce174fbbc44634..dcdbdd455dd8c61c1aeaad6a5c7feef21b56feab 100644 +index 26a88f3..966ff41 100644 --- a/src/getcert.c +++ b/src/getcert.c -@@ -4625,7 +4625,6 @@ static struct { +@@ -4663,7 +4663,6 @@ static struct { {"start-tracking", start_tracking}, {"stop-tracking", stop_tracking}, {"resubmit", resubmit}, @@ -99,7 +99,7 @@ index c84273a9bfc8730422f18ade87ce174fbbc44634..dcdbdd455dd8c61c1aeaad6a5c7feef2 {"refresh", refresh}, {"list", list}, {"status", status}, -@@ -5041,8 +5040,6 @@ help(const char *twopartcmd, const char *category) +@@ -5087,8 +5086,6 @@ help(const char *twopartcmd, const char *category) N_("stop monitoring a certificate\n")}, {"resubmit", resubmit_help, N_("resubmit an in-progress enrollment request, or start a new one\n")}, @@ -109,7 +109,7 @@ index c84273a9bfc8730422f18ade87ce174fbbc44634..dcdbdd455dd8c61c1aeaad6a5c7feef2 N_("check on the status of an in-progress enrollment request\n")}, {"list", list_help, diff --git a/src/prefs.c b/src/prefs.c -index ab363bbc2c08f834e7fc1bede8f1cf2c50229f1c..0a8e166ce30f3b0288cd7430568ae18d0e5ab914 100644 +index ab363bb..0a8e166 100644 --- a/src/prefs.c +++ b/src/prefs.c @@ -545,36 +545,11 @@ cm_prefs_nss_other_trust(void) @@ -151,7 +151,7 @@ index ab363bbc2c08f834e7fc1bede8f1cf2c50229f1c..0a8e166ce30f3b0288cd7430568ae18d + return -1; } diff --git a/src/scep.c b/src/scep.c -index d3bbc050947a1a0472187503110682c9028f9c6f..11f9ae3cc193981d3c2bf986a4a5c4c7d81506f5 100644 +index d3bbc05..11f9ae3 100644 --- a/src/scep.c +++ b/src/scep.c @@ -231,7 +231,6 @@ main(int argc, const char **argv) @@ -181,7 +181,7 @@ index d3bbc050947a1a0472187503110682c9028f9c6f..11f9ae3cc193981d3c2bf986a4a5c4c7 } else if (strcasecmp(mode, CM_OP_FETCH_SCEP_CA_CERTS) == 0) { diff --git a/src/submit-e.c b/src/submit-e.c -index befd01e0fd00b8f9e239752ffbd80c985fae5057..af05efeb762933e31fecc67b1204001b7e81c697 100644 +index befd01e..af05efe 100644 --- a/src/submit-e.c +++ b/src/submit-e.c @@ -446,12 +446,6 @@ cm_submit_e_need_scep_messages(struct cm_submit_state *state) @@ -198,13 +198,14 @@ index befd01e0fd00b8f9e239752ffbd80c985fae5057..af05efeb762933e31fecc67b1204001b } diff --git a/src/tdbush.c b/src/tdbush.c -index 631da3ed2bbb1f6828d576760299ad51d7e41923..aec5e9d0a36a7cb5c035e1aefda04c2b32b1e100 100644 +index 7fb3d16..04fe57e 100644 --- a/src/tdbush.c +++ b/src/tdbush.c -@@ -7117,14 +7117,6 @@ cm_tdbush_iface_request(void) +@@ -7164,14 +7164,6 @@ cm_tdbush_iface_request(void) + cm_tdbush_method_arg_out, NULL))), NULL), - make_interface_item(cm_tdbush_interface_method, +- make_interface_item(cm_tdbush_interface_method, - make_method("rekey", - request_rekey, - make_method_arg("working", @@ -212,21 +213,20 @@ index 631da3ed2bbb1f6828d576760299ad51d7e41923..aec5e9d0a36a7cb5c035e1aefda04c2b - cm_tdbush_method_arg_out, - NULL), - NULL), -- make_interface_item(cm_tdbush_interface_method, + make_interface_item(cm_tdbush_interface_method, make_method("resubmit", request_resubmit, - make_method_arg("working", -@@ -7179,7 +7171,7 @@ cm_tdbush_iface_request(void) +@@ -7227,7 +7219,7 @@ cm_tdbush_iface_request(void) make_interface_item(cm_tdbush_interface_signal, make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, NULL), -- NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); -+ NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); +- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); ++ NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); } return ret; } diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out -index bd57a01ba8725418978259018441f6a9a6672758..85d07b3baef83dbafd39c03888881cb665518733 100644 +index bd57a01..85d07b3 100644 --- a/tests/010-iterate/expected.out +++ b/tests/010-iterate/expected.out @@ -398,19 +398,15 @@ HAVE_CSR @@ -255,10 +255,10 @@ index bd57a01ba8725418978259018441f6a9a6672758..85d07b3baef83dbafd39c03888881cb6 [Enroll until we notice we have no specified CA.] diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out -index 93cc4d184524c4b1aeba02a650c94d832462c236..26850efaedb966cd94ecd0db42d6adb378b47f37 100644 +index 8a81a7f..4c33e9a 100644 --- a/tests/028-dbus/expected.out +++ b/tests/028-dbus/expected.out -@@ -403,9 +403,6 @@ OK +@@ -404,9 +404,6 @@ OK @@ -268,7 +268,7 @@ index 93cc4d184524c4b1aeba02a650c94d832462c236..26850efaedb966cd94ecd0db42d6adb3 -@@ -483,9 +480,6 @@ recently +@@ -484,9 +481,6 @@ recently 1 on /org/fedorahosted/certmonger/requests/Request2 After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1) @@ -279,7 +279,7 @@ index 93cc4d184524c4b1aeba02a650c94d832462c236..26850efaedb966cd94ecd0db42d6adb3 1 diff --git a/tests/036-getcert/expected.out b/tests/036-getcert/expected.out -index c1a13c8e058e39285ee842b173356002da2fd0e6..b6d1eaf7c733e04d5b928e7a59edeca43a27a5ef 100644 +index c1a13c8..b6d1eaf 100644 --- a/tests/036-getcert/expected.out +++ b/tests/036-getcert/expected.out @@ -11,20 +11,21 @@ certs:1 @@ -349,7 +349,7 @@ index c1a13c8e058e39285ee842b173356002da2fd0e6..b6d1eaf7c733e04d5b928e7a59edeca4 cert:1 key:1 diff --git a/tests/037-rekey2/expected.out b/tests/037-rekey2/expected.out -index bd8cca7c3eedb5a02249f450451b651bb270ec24..62a1c746f86bb53fe79d1226ab9194825f7642d8 100644 +index bd8cca7..62a1c74 100644 --- a/tests/037-rekey2/expected.out +++ b/tests/037-rekey2/expected.out @@ -112,7 +112,7 @@ MONITORING @@ -370,5 +370,5 @@ index bd8cca7c3eedb5a02249f450451b651bb270ec24..62a1c746f86bb53fe79d1226ab919482 -STOP- Test complete. -- -2.7.4 +2.14.4 diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index bb359aa..f817f50 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -26,14 +26,14 @@ Name: certmonger Version: 0.78.4 -Release: 3%{?dist}.1 +Release: 10%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons License: GPLv3+ -URL: http://certmonger.fedorahosted.org -Source0: http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz -Source1: http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz.sig +URL: https://pagure.io/certmonger/ +Source0: https://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz +Source1: https://releases.pagure.org/released/certmonger/certmonger-%{version}.tar.gz.sig BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Patch0001: 0001-Stop-assuming-RSA-512-works.patch @@ -47,6 +47,14 @@ Patch0008: 0008-Document-the-X-option-in-the-ipa-submit-man-page.patch Patch0009: 0009-Fix-a-flakiness-in-the-028-dbus-test.patch Patch0010: 0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch Patch0011: 0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch +Patch0012: 0012-Remove-trailing-CR-LF-when-reading-passwords-from-a-.patch +Patch0013: 0013-Disable-the-10-iterate-tests-which-randomly-fail.patch +Patch0014: 0014-MS-cert-template-add-D-Bus-property-and-storage.patch +Patch0015: 0015-MS-cert-template-add-template-extension-to-CSR.patch +Patch0016: 0016-MS-cert-template-add-option-to-command-line-programs.patch +Patch0017: 0017-MS-cert-template-validate-argument.patch +Patch0018: 0018-MS-cert-template-add-tests.patch +Patch0019: 0019-Fix-C99-build-error-on-EL7-systems.patch Patch1001: 1001-Remove-rekey-feature.patch Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch @@ -90,10 +98,18 @@ BuildRequires: /usr/bin/which BuildRequires: dbus-python # for popt or popt-devel, depending on the build environment BuildRequires: /usr/include/popt.h +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: pkgconfig +BuildRequires: libtool +BuildRequires: gettext-devel # we need a running system bus Requires: dbus +# for killall in post script +Requires: psmisc + %if %{systemd} BuildRequires: systemd-units Requires(post): systemd-units @@ -136,6 +152,7 @@ sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in %endif %build +autoreconf -i -f %configure \ %if %{systemd} --enable-systemd \ @@ -258,10 +275,34 @@ exit 0 %endif %changelog -* Tue Mar 27 2018 Rob Crittenden - 0.78.4-3.1 -- Use required DER encoding when setting CA basic constraint (#1560961) +* Fri Aug 24 2018 Rob Crittenden - 0.78.4-10 +- Backport patches to add support for the MS Certificate Template V2 + extension (#1622184) + +* Mon Aug 13 2018 Rob Crittenden - 0.78.4-9 +- Remove patch to pass _PROXY, _proxy, LANG and LC_* environment + variables to helpers. The root cause was a bug in IPA (#1596161) + +* Tue Jul 17 2018 Rob Crittenden - 0.78.4-8 +- Disable iterate-10 test which fails intermitently (#1596161) +- Add BuildRequires for running autoreconf + +* Tue Jul 17 2018 Rob Crittenden - 0.78.4-7 +- Pass _PROXY, _proxy, LANG and LC_* environment variables to + helpers (#1596161) + +* Tue May 29 2018 Rob Crittenden - 0.78.4-6 +- Remove reference to unused patch + +* Mon May 21 2018 Rob Crittenden - 0.78.4-5 +- Add Requires on psmsic for killall in post script (#1458890) +- upstream project migrated from fedorahosted.org to pagure.io (#1501723) +- Strip CR/LF from passwords read from a file (#1545935) + +* Mon Mar 5 2018 Rob Crittenden - 0.78.4-4 +- Use required DER encoding when setting CA basic constraint (#1551635) - NSS 3.34 more strictly enforces length checking when verifying signatures - (#1560960) + (#1551702) * Tue Sep 6 2016 Jan Cholasta - 0.78.4-3 - Resolves: #1367683 getcert request command fails to use Sub CA using -X