diff --git a/.certmonger.metadata b/.certmonger.metadata
new file mode 100644
index 0000000..e38fad0
--- /dev/null
+++ b/.certmonger.metadata
@@ -0,0 +1 @@
+277aca37d5ee3b693108ce7d9398ec3b44beb634 SOURCES/certmonger-0.78.4.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..366c9b4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/certmonger-0.78.4.tar.gz
diff --git a/SOURCES/0001-Stop-assuming-RSA-512-works.patch b/SOURCES/0001-Stop-assuming-RSA-512-works.patch
new file mode 100644
index 0000000..463f8bc
--- /dev/null
+++ b/SOURCES/0001-Stop-assuming-RSA-512-works.patch
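Review bot: The lookaside entry pins `SOURCES/certmonger-0.78.4.tar.gz` by a single 40-hex-digit digest (the length of a SHA-1), and nothing else in this commit ties that digest to a stronger hash or to the upstream release signature. The value presumably comes from the lookaside upload tooling, so it is an integrity check against what was uploaded rather than evidence of provenance; if the tooling permits it, recording a SHA-512 for the tarball and keeping upstream's detached signature alongside it would let a reviewer verify the source independently. The `.gitignore` hunk on the same line is fine as-is.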
@@ -0,0 +1,659 @@
+From 1c464828a5ad8f47a6acf7b6d6ec1f324fe63b51 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 12 Jan 2016 17:27:18 -0500
+Subject: [PATCH] Stop assuming RSA 512 works
+
+For the sake of F24, stop assuming that we'll be able to generate
+512-bit RSA keys. We use certutil to do some of it, and it doesn't give
+us a way to toggle support on.
+---
+ tests/001-keyiread-rsa/expected.out | 2 -
+ tests/001-keyiread-rsa/run.sh | 4 +-
+ tests/001-keyiread/expected.out | 2 -
+ tests/001-keyiread/run.sh | 4 +-
+ tests/002-keygen-dsa/expected.out | 6 --
+ tests/002-keygen-dsa/run.sh | 4 +-
+ tests/002-keygen-rsa/expected.out | 6 --
+ tests/002-keygen-rsa/run.sh | 4 +-
+ tests/002-keygen/expected.out | 18 -----
+ tests/002-keygen/run.sh | 4 +-
+ tests/003-csrgen-rsa/expected.out | 124 ++++++++++++++--------------
+ tests/003-csrgen-rsa/run.sh | 4 +-
+ tests/003-csrgen/expected.out | 157 +++++++++++++++++-------------------
+ tests/003-csrgen/run.sh | 4 +-
+ tests/004-selfsign-rsa/expected.out | 1 -
+ tests/004-selfsign-rsa/run.sh | 2 +-
+ tests/004-selfsign/expected.out | 1 -
+ tests/004-selfsign/run.sh | 2 +-
+ 18 files changed, 152 insertions(+), 197 deletions(-)
+
+diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
+index fa3493c04b26eb676700abdab7895fe0a1ee3d6d..727897d14f9a3eb8eab8c3b12964fa7d38cefdef 100644
+--- a/tests/001-keyiread-rsa/expected.out
++++ b/tests/001-keyiread-rsa/expected.out
+@@ -1,10 +1,8 @@
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+ OK (RSA:3072).
+ OK (RSA:4096).
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
+index b5ac7150b80af45a23a56be6a49f3884a9f5049a..c7b7768690e80a9f3fcba0e42fe4a96b60efe48c 100755
+--- a/tests/001-keyiread-rsa/run.sh
++++ b/tests/001-keyiread-rsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a self-signed cert.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+@@ -30,7 +30,7 @@ for size in 512 1024 1536 2048 3072 4096 ; do
+ $toolsdir/keyiread entry.nss.$size
+ done
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a key.
+ openssl genrsa $size > sample.$size 2> /dev/null
+ # Check the size of the key.
+diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
+index fa3493c04b26eb676700abdab7895fe0a1ee3d6d..727897d14f9a3eb8eab8c3b12964fa7d38cefdef 100644
+--- a/tests/001-keyiread/expected.out
++++ b/tests/001-keyiread/expected.out
+@@ -1,10 +1,8 @@
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+ OK (RSA:3072).
+ OK (RSA:4096).
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
+index d95043d164e133ed23148719b74513d745ebec66..ce1428edd8d022d8a7f7f735154234bbdc4bf228 100755
+--- a/tests/001-keyiread/run.sh
++++ b/tests/001-keyiread/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a self-signed cert.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +@@ -30,7 +30,7 @@ for size in 512 1024 1536 2048 3072 4096 ; do + $toolsdir/keyiread entry.nss.$size + done + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + # Generate a key. + openssl genrsa $size > sample.$size 2> /dev/null + # Check the size of the key. +diff --git a/tests/002-keygen-dsa/expected.out b/tests/002-keygen-dsa/expected.out +index f2a44d26286605c4186963f6c43b6dbd6e2e81cc..7445bcc2628dd78eef0cea4c90339c79fb3571cf 100644 +--- a/tests/002-keygen-dsa/expected.out ++++ b/tests/002-keygen-dsa/expected.out +@@ -1,6 +1,3 @@ +-[nss:512] +-OK. +-OK (DSA:512). + [nss:1024] + OK. + OK (DSA:1024). +@@ -20,9 +17,6 @@ OK (DSA:3072). + Failed to save NSS:${tmpdir}/rosubdir: need fs permissions. + [nss:rwsubdir] + Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions. +-[openssl:512] +-OK. +-OK (DSA:512). + [openssl:1024] + OK. + OK (DSA:1024). +diff --git a/tests/002-keygen-dsa/run.sh b/tests/002-keygen-dsa/run.sh +index fad19de1d365466c0bfd739fbd8be1be9135a291..d9cff0e973bcdffcbeda4c702d3ee86b27d07e43 100755 +--- a/tests/002-keygen-dsa/run.sh ++++ b/tests/002-keygen-dsa/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + echo "[nss:$size]" + # Generate a key. + cat > entry.$size <<- EOF +@@ -41,7 +41,7 @@ key_gen_type=DSA + EOF + $toolsdir/keygen entry.$size || true + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + echo "[openssl:$size]" + # Generate a key. 
+ cat > entry.$size <<- EOF +diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out +index 33f0f48ea92e0b7fa17ccc6a1938fe37d7335c8a..3e6e9f3c1b293a0a9c16085bfbf243d44e43e129 100644 +--- a/tests/002-keygen-rsa/expected.out ++++ b/tests/002-keygen-rsa/expected.out +@@ -1,6 +1,3 @@ +-[nss:512] +-OK. +-OK (RSA:512). + [nss:1024] + OK. + OK (RSA:1024). +@@ -20,9 +17,6 @@ OK (RSA:4096). + Failed to save NSS:${tmpdir}/rosubdir: need fs permissions. + [nss:rwsubdir] + Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions. +-[openssl:512] +-OK. +-OK (RSA:512). + [openssl:1024] + OK. + OK (RSA:1024). +diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh +index b133edd8535db75804c82f7505e055c9b1bd0aa2..476f412753511772c506e76d8f3bb9c128b8aa1e 100755 +--- a/tests/002-keygen-rsa/run.sh ++++ b/tests/002-keygen-rsa/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + echo "[nss:$size]" + # Generate a key. + cat > entry.$size <<- EOF +@@ -41,7 +41,7 @@ key_gen_type=RSA + EOF + $toolsdir/keygen entry.$size || true + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + echo "[openssl:$size]" + # Generate a key. + cat > entry.$size <<- EOF +diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out +index f47d2d564bfd36d8d944bc388119314ee41c3722..ff56372aac282743f79699b0b381fcf198bd5db4 100644 +--- a/tests/002-keygen/expected.out ++++ b/tests/002-keygen/expected.out +@@ -1,12 +1,3 @@ +-[nss:512] +-OK. +-OK (RSA:512). +-OK. +-OK (RSA:512 after RSA:512). +-OK. +-OK (RSA:512 after RSA:512). +-keyi512 +-keyi512 (candidate (next)) + [nss:1024] + OK. + OK (RSA:1024). +@@ -56,15 +47,6 @@ keyi4096 (candidate (next)) + Failed to save NSS:${tmpdir}/rosubdir: need fs permissions. + [nss:rwsubdir] + Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions. 
+-[openssl:512] +-OK. +-OK (RSA:512). +-OK. +-OK (RSA:512 after RSA:512). +-OK. +-OK (RSA:512 after RSA:512). +-${tmpdir}/sample.512 +-${tmpdir}/sample.512.(next).key + [openssl:1024] + OK. + OK (RSA:1024). +diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh +index a0867cf1e3fd0a9f18d275ab308ec93808936b4b..f550feebac5ed10a52500286bb8b779ed8e1526a 100755 +--- a/tests/002-keygen/run.sh ++++ b/tests/002-keygen/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + echo "[nss:$size]" + # Generate a key. + cat > entry.$size <<- EOF +@@ -49,7 +49,7 @@ key_gen_size=$size + EOF + $toolsdir/keygen entry.$size || true + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + echo "[openssl:$size]" + # Generate a key. + cat > entry.$size <<- EOF +diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out +index 7b67eab3b9e431b8d22b5a73bb6b5d2952e05d83..e058e8541c2de49fe5f446a7e3432b4138fbb876 100644 +--- a/tests/003-csrgen-rsa/expected.out ++++ b/tests/003-csrgen-rsa/expected.out +@@ -1,9 +1,5 @@ + pk12util: PKCS12 EXPORT SUCCESSFUL + MAC verified OK +-512 OK. +-Signature OK +-pk12util: PKCS12 EXPORT SUCCESSFUL +-MAC verified OK + 1024 OK. + Signature OK + pk12util: PKCS12 EXPORT SUCCESSFUL +@@ -23,70 +19,70 @@ MAC verified OK + 4096 OK. 
+ Signature OK + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1019 cons: SEQUENCE +- 4:d=1 hl=4 l= 933 cons: SEQUENCE ++ 0:d=0 hl=4 l=1413 cons: SEQUENCE ++ 4:d=1 hl=4 l=1133 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET + 15:d=4 hl=2 l= 18 cons: SEQUENCE + 17:d=5 hl=2 l= 3 prim: OBJECT :commonName + 22:d=5 hl=2 l= 11 prim: PRINTABLESTRING :Babs Jensen +- 35:d=2 hl=2 l= 92 cons: SEQUENCE +- 37:d=3 hl=2 l= 13 cons: SEQUENCE +- 39:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption +- 50:d=4 hl=2 l= 0 prim: NULL +- 52:d=3 hl=2 l= 75 prim: BIT STRING +- 129:d=2 hl=4 l= 808 cons: cont [ 0 ] +- 133:d=3 hl=2 l= 52 cons: SEQUENCE +- 135:d=4 hl=2 l= 9 prim: OBJECT :challengePassword +- 146:d=4 hl=2 l= 39 cons: SET +- 148:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText +- 187:d=3 hl=2 l= 61 cons: SEQUENCE +- 189:d=4 hl=2 l= 9 prim: OBJECT :friendlyName +- 200:d=4 hl=2 l= 48 cons: SET +- 202:d=5 hl=2 l= 46 prim: BMPSTRING +- 250:d=3 hl=4 l= 687 cons: SEQUENCE +- 254:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 265:d=4 hl=4 l= 672 cons: SET +- 269:d=5 hl=4 l= 668 cons: SEQUENCE +- 273:d=6 hl=2 l= 14 cons: SEQUENCE +- 275:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 280:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 283:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 289:d=6 hl=4 l= 264 cons: SEQUENCE +- 293:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 298:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 301:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]: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 +- 557:d=6 hl=2 l= 32 cons: SEQUENCE +- 559:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 564:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 567:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 591:d=6 hl=2 l= 18 cons: SEQUENCE +- 593:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 598:d=7 hl=2 l= 1 prim: BOOLEAN :255 
+- 601:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 611:d=6 hl=2 l= 34 cons: SEQUENCE +- 613:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 618:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 621:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 647:d=6 hl=2 l= 32 cons: SEQUENCE +- 649:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 654:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 657:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 681:d=6 hl=2 l= 107 cons: SEQUENCE +- 683:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 693:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 696:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 790:d=6 hl=2 l= 96 cons: SEQUENCE +- 792:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 797:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 800:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 888:d=6 hl=2 l= 51 cons: SEQUENCE +- 890:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 901:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 904:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 941:d=1 hl=2 l= 13 cons: SEQUENCE +- 943:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 954:d=2 hl=2 l= 0 prim: NULL +- 956:d=1 hl=2 l= 65 prim: BIT STRING ++ 35:d=2 hl=4 l= 290 cons: SEQUENCE ++ 39:d=3 hl=2 l= 13 cons: SEQUENCE ++ 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption ++ 52:d=4 hl=2 l= 0 prim: NULL ++ 54:d=3 hl=4 l= 271 prim: BIT STRING ++ 329:d=2 hl=4 l= 808 cons: cont [ 0 ] ++ 333:d=3 hl=2 l= 52 cons: SEQUENCE ++ 335:d=4 hl=2 l= 9 
prim: OBJECT :challengePassword ++ 346:d=4 hl=2 l= 39 cons: SET ++ 348:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText ++ 387:d=3 hl=2 l= 61 cons: SEQUENCE ++ 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName ++ 400:d=4 hl=2 l= 48 cons: SET ++ 402:d=5 hl=2 l= 46 prim: BMPSTRING ++ 450:d=3 hl=4 l= 687 cons: SEQUENCE ++ 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request ++ 465:d=4 hl=4 l= 672 cons: SET ++ 469:d=5 hl=4 l= 668 cons: SEQUENCE ++ 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage ++ 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 489:d=6 hl=4 l= 264 cons: SEQUENCE ++ 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]: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 ++ 757:d=6 hl=2 l= 32 cons: SEQUENCE ++ 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 764:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 791:d=6 hl=2 l= 18 cons: SEQUENCE ++ 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 798:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 801:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 811:d=6 hl=2 l= 34 cons: SEQUENCE ++ 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 818:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 847:d=6 hl=2 l= 32 cons: SEQUENCE ++ 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 854:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 881:d=6 hl=2 l= 107 cons: SEQUENCE ++ 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 893:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 896:d=7 hl=2 l= 92 prim: OCTET STRING 
[HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 990:d=6 hl=2 l= 96 cons: SEQUENCE ++ 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 997:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1088:d=6 hl=2 l= 51 cons: SEQUENCE ++ 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1141:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1154:d=2 hl=2 l= 0 prim: NULL ++ 1156:d=1 hl=4 l= 257 prim: BIT STRING + Test complete (32 combinations). +diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh +index c049dd00d411706b1470a1a8a9fb8ae59c36bf8b..7f1e7b41f195b3af429c1ba7129dd00b7ca2ed9d 100755 +--- a/tests/003-csrgen-rsa/run.sh ++++ b/tests/003-csrgen-rsa/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + # Build a self-signed certificate. 
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +@@ -216,7 +216,7 @@ for nscomment in "" "certmonger generated this request" ; do + done + nscomment= + +-size=512 ++size=2048 + subject="CN=Babs Jensen" + hostname=localhost,localhost.localdomain + email=root@localhost,root@localhost.localdomain +diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out +index 7f4586cd2820be6c0a88bd6787c86a532f68643c..51083160df3dd69972292fd23d51e79714290d22 100644 +--- a/tests/003-csrgen/expected.out ++++ b/tests/003-csrgen/expected.out +@@ -1,11 +1,6 @@ + pk12util: PKCS12 EXPORT SUCCESSFUL + MAC verified OK + Signature OK +-minicert.openssl.512.pem: OK +-512 OK. +-pk12util: PKCS12 EXPORT SUCCESSFUL +-MAC verified OK +-Signature OK + minicert.openssl.1024.pem: OK + 1024 OK. + pk12util: PKCS12 EXPORT SUCCESSFUL +@@ -29,86 +24,86 @@ Signature OK + minicert.openssl.4096.pem: OK + 4096 OK. + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1241 cons: SEQUENCE +- 4:d=1 hl=4 l=1155 cons: SEQUENCE ++ 0:d=0 hl=4 l=1635 cons: SEQUENCE ++ 4:d=1 hl=4 l=1355 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET + 15:d=4 hl=2 l= 18 cons: SEQUENCE + 17:d=5 hl=2 l= 3 prim: OBJECT :commonName + 22:d=5 hl=2 l= 11 prim: PRINTABLESTRING :Babs Jensen +- 35:d=2 hl=2 l= 92 cons: SEQUENCE +- 37:d=3 hl=2 l= 13 cons: SEQUENCE +- 39:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption +- 50:d=4 hl=2 l= 0 prim: NULL +- 52:d=3 hl=2 l= 75 prim: BIT STRING +- 129:d=2 hl=4 l=1030 cons: cont [ 0 ] +- 133:d=3 hl=2 l= 52 cons: SEQUENCE +- 135:d=4 hl=2 l= 9 prim: OBJECT :challengePassword +- 146:d=4 hl=2 l= 39 cons: SET +- 148:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText +- 187:d=3 hl=2 l= 61 cons: SEQUENCE +- 189:d=4 hl=2 l= 9 prim: OBJECT :friendlyName +- 200:d=4 hl=2 l= 48 cons: SET +- 202:d=5 hl=2 l= 46 prim: BMPSTRING +- 250:d=3 hl=4 l= 909 cons: SEQUENCE +- 
254:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 265:d=4 hl=4 l= 894 cons: SET +- 269:d=5 hl=4 l= 890 cons: SEQUENCE +- 273:d=6 hl=2 l= 14 cons: SEQUENCE +- 275:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 280:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 283:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 289:d=6 hl=4 l= 290 cons: SEQUENCE +- 293:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 298:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 301:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 +- 583:d=6 hl=2 l= 32 cons: SEQUENCE +- 585:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 590:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 593:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 617:d=6 hl=2 l= 18 cons: SEQUENCE +- 619:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 624:d=7 hl=2 l= 1 prim: BOOLEAN :255 +- 627:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 637:d=6 hl=2 l= 34 cons: SEQUENCE +- 639:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 644:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 647:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 673:d=6 hl=2 l= 32 cons: SEQUENCE +- 675:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 680:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 683:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 707:d=6 hl=2 l= 107 cons: SEQUENCE +- 709:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 719:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 722:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 816:d=6 hl=2 l= 96 cons: SEQUENCE +- 818:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 823:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 
826:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 914:d=6 hl=2 l= 106 cons: SEQUENCE +- 916:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL +- 921:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 924:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 +- 1022:d=6 hl=2 l= 51 cons: SEQUENCE +- 1024:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 1035:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1038:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 1075:d=6 hl=2 l= 18 cons: SEQUENCE +- 1077:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check +- 1088:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1091:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 +- 1095:d=6 hl=2 l= 44 cons: SEQUENCE +- 1097:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 +- 1108:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1111:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 +- 1141:d=6 hl=2 l= 20 cons: SEQUENCE +- 1143:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type +- 1154:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1157:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 +- 1163:d=1 hl=2 l= 13 cons: SEQUENCE +- 1165:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 1176:d=2 hl=2 l= 0 prim: NULL +- 1178:d=1 hl=2 l= 65 prim: BIT STRING ++ 35:d=2 hl=4 l= 290 cons: SEQUENCE ++ 39:d=3 hl=2 l= 13 cons: SEQUENCE ++ 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption ++ 52:d=4 hl=2 l= 0 prim: NULL ++ 54:d=3 hl=4 l= 271 prim: BIT STRING ++ 329:d=2 hl=4 l=1030 cons: cont [ 0 ] ++ 333:d=3 hl=2 l= 52 cons: SEQUENCE ++ 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword ++ 346:d=4 hl=2 l= 39 cons: SET ++ 
348:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText ++ 387:d=3 hl=2 l= 61 cons: SEQUENCE ++ 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName ++ 400:d=4 hl=2 l= 48 cons: SET ++ 402:d=5 hl=2 l= 46 prim: BMPSTRING ++ 450:d=3 hl=4 l= 909 cons: SEQUENCE ++ 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request ++ 465:d=4 hl=4 l= 894 cons: SET ++ 469:d=5 hl=4 l= 890 cons: SEQUENCE ++ 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage ++ 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 489:d=6 hl=4 l= 290 cons: SEQUENCE ++ 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 ++ 783:d=6 hl=2 l= 32 cons: SEQUENCE ++ 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 790:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 817:d=6 hl=2 l= 18 cons: SEQUENCE ++ 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 824:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 837:d=6 hl=2 l= 34 cons: SEQUENCE ++ 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 844:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 873:d=6 hl=2 l= 32 cons: SEQUENCE ++ 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 880:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 907:d=6 hl=2 l= 107 cons: SEQUENCE ++ 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 919:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX 
DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 1016:d=6 hl=2 l= 96 cons: SEQUENCE ++ 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1114:d=6 hl=2 l= 106 cons: SEQUENCE ++ 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL ++ 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 ++ 1222:d=6 hl=2 l= 51 cons: SEQUENCE ++ 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1275:d=6 hl=2 l= 18 cons: SEQUENCE ++ 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check ++ 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 ++ 1295:d=6 hl=2 l= 44 cons: SEQUENCE ++ 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 ++ 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 ++ 1341:d=6 hl=2 l= 20 cons: SEQUENCE ++ 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type ++ 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 ++ 1363:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1376:d=2 hl=2 l= 0 prim: NULL ++ 1378:d=1 hl=4 l= 257 prim: BIT STRING + Test 
complete (69 combinations). +diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh +index 9a1c027fa7d9da0eec41e5e63e68b05645df9d6b..67b12064b55dd52bd64fbf1b1f9615655913c334 100755 +--- a/tests/003-csrgen/run.sh ++++ b/tests/003-csrgen/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + # Build a self-signed certificate. + run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +@@ -298,7 +298,7 @@ for ns_certtype in "" client server email objsign reserved sslca emailca objca c + done + ns_certtype= + +-size=512 ++size=2048 + subject="CN=Babs Jensen" + hostname=localhost,localhost.localdomain + email=root@localhost,root@localhost.localdomain +diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out +index c50bd2ee0c1101f2df71738d4152e4fcf3bc9591..dd5029eca4f2b6e2cd354f64cd31b843c5857385 100644 +--- a/tests/004-selfsign-rsa/expected.out ++++ b/tests/004-selfsign-rsa/expected.out +@@ -1,4 +1,3 @@ +-512 OK. + 1024 OK. + 1536 OK. + 2048 OK. +diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh +index 8788bdb02fee287299e4cc389e18c7e0eb5ca91d..6f9285b65d4205fd4f24327fea9d934afc5fd68c 100755 +--- a/tests/004-selfsign-rsa/run.sh ++++ b/tests/004-selfsign-rsa/run.sh +@@ -33,7 +33,7 @@ function setupca() { + EOF + } + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + # Build a self-signed certificate. + run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out +index c50bd2ee0c1101f2df71738d4152e4fcf3bc9591..dd5029eca4f2b6e2cd354f64cd31b843c5857385 100644 +--- a/tests/004-selfsign/expected.out ++++ b/tests/004-selfsign/expected.out +@@ -1,4 +1,3 @@ +-512 OK. + 1024 OK. + 1536 OK. + 2048 OK. 
+diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
+index 7b2ee438d34d539ab7063b0bd1fc004421c97999..7bb368ec39d9675bff05c837c7e9a4cf64c5b714 100755
+--- a/tests/004-selfsign/run.sh
++++ b/tests/004-selfsign/run.sh
+@@ -43,7 +43,7 @@ function setupca() {
+ EOF
+ }
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Build a self-signed certificate.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+-- 
+2.9.0
+
diff --git a/SOURCES/0002-Stop-assuming-RSA-512-works-part-two.patch b/SOURCES/0002-Stop-assuming-RSA-512-works-part-two.patch
new file mode 100644
index 0000000..fe0ee2a
--- /dev/null
+++ b/SOURCES/0002-Stop-assuming-RSA-512-works-part-two.patch
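Review bot: The key-size list `1024 1536 2048 3072 4096` is now spelled out verbatim in nine `run.sh` scripts (most of them in two loops each), which is why dropping one value touches 18 files and leaves the `size=2048` defaults in the two 003 scripts as yet another copy to keep in sync. Every script already runs `source "$srcdir"/functions`, so defining the list once there (e.g. `rsa_sizes="1024 1536 2048 3072 4096"`) and iterating with `for size in $rsa_sizes ; do` would make the next change to the matrix a one-line edit. Separately, taking 512 out of the loops leaves no coverage at all for what `$toolsdir/keygen` does when an entry file asks for `key_gen_size=512`; if certmonger still accepts that value, one negative case pinning its error path would keep the behaviour from going silently untested. The same edit recurs in the 001, 002, 003 and 004 hunks of this patch; this note covers all of them.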
@@ -0,0 +1,56 @@
+From e7f5c8bfbcd5e1f9256fe7a256d2f5b9340003a5 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 13 Jan 2016 09:38:13 -0500
+Subject: [PATCH] Stop assuming RSA 512 works, part two
+
+Catch up a couple of the other valid output sets.
+---
+ tests/002-keygen-dsa/expected.out.2 | 6 ------
+ tests/002-keygen-dsa/expected.out.3 | 6 ------
+ 2 files changed, 12 deletions(-)
+
+diff --git a/tests/002-keygen-dsa/expected.out.2 b/tests/002-keygen-dsa/expected.out.2
+index 9275bafaabb15bfc4829860bc994880c3f8f704d..7445bcc2628dd78eef0cea4c90339c79fb3571cf 100644
+--- a/tests/002-keygen-dsa/expected.out.2
++++ b/tests/002-keygen-dsa/expected.out.2
+@@ -1,6 +1,3 @@
+-[nss:512]
+-OK.
+-OK (DSA:3072).
+ [nss:1024]
+ OK.
+ OK (DSA:1024).
+@@ -20,9 +17,6 @@ OK (DSA:3072).
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (DSA:512).
+ [openssl:1024]
+ OK.
+ OK (DSA:1024).
+diff --git a/tests/002-keygen-dsa/expected.out.3 b/tests/002-keygen-dsa/expected.out.3
+index c8547b4206435a004e0f3a64016e2fb09ff4e25a..0f563e2895a6ef6f455f83cbc235e27213db8415 100644
+--- a/tests/002-keygen-dsa/expected.out.3
++++ b/tests/002-keygen-dsa/expected.out.3
+@@ -1,6 +1,3 @@
+-[nss:512]
+-OK.
+-OK (DSA:512).
+ [nss:1024]
+ OK.
+ OK (DSA:1016).
+@@ -20,9 +17,6 @@ OK (DSA:3072).
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (DSA:512).
+ [openssl:1024]
+ OK.
+ OK (DSA:1024).
+-- 
+2.9.0
+
diff --git a/SOURCES/0003-Add-issuer-request-option-for-specifying-issuer.patch b/SOURCES/0003-Add-issuer-request-option-for-specifying-issuer.patch
new file mode 100644
index 0000000..ecd29cb
--- /dev/null
+++ b/SOURCES/0003-Add-issuer-request-option-for-specifying-issuer.patch
@@ -0,0 +1,548 @@ +From 2187e205da4fb2fcfdc2d8b9e4a4117f849041f7 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 3 Jun 2016 10:22:23 +1000 +Subject: [PATCH] Add 'issuer' request option for specifying issuer + +FreeIPA is implementing a 'lightweight CAs' feature where a single +Dogtag instance can host multiple CAs. Add the '--issuer' / '-X' +getcert-request option for specifying a particular CA, and the +'CERTMONGER_CA_ISSUER' environment variable for passing the value to +submit helpers. Also update the 'ipa-submit' helper to set the 'ca' +argument if the environment variable is set. + +Reviewed-by: Nalin Dahyabhai +--- + doc/api.txt | 2 ++ + doc/submit.txt | 1 + + src/cadata.c | 1 + + src/getcert-request.1.in | 3 +++ + src/getcert-resubmit.1.in | 3 +++ + src/getcert-start-tracking.1.in | 3 +++ + src/getcert.c | 44 ++++++++++++++++++++++++++++++++++++----- + src/ipa.c | 25 +++++++++++++++++------ + src/store-files.c | 9 +++++++++ + src/store-int.h | 1 + + src/submit-e.c | 1 + + src/submit-e.h | 1 + + src/tdbus.h | 1 + + src/tdbush.c | 25 ++++++++++++++++++++++- + tests/028-dbus/expected.out | 1 + + 15 files changed, 109 insertions(+), 12 deletions(-) + +diff --git a/doc/api.txt b/doc/api.txt +index e11f944de5861663d742c8b91129f7b592e7f72c..31016bec004f0b7f00db4cb3baefd236d485dc85 100644 +--- a/doc/api.txt ++++ b/doc/api.txt +@@ -56,6 +56,7 @@ o object layout + {("template-crldp"),array-of-string (CRL distribution point URIs)} + {("template-ns-comment"),string (Netscape comment)} + {("template-profile"),string (certificate profile)} ++ {("template-issuer"),string (requested issuer)} + {("template-challenge-password"),string (password to add to CSR)} + {("template-challenge-password-file"),string (password file) + {("cert-presave-command"),string} +@@ -164,6 +165,7 @@ o object layout + {("template-crldp"),array-of-string (CRL distribution point URIs)} + {("template-ns-comment"),string (Netscape comment)} + {("template-profile"),string (certificate 
profile)} ++ {("template-issuer"),string (requested issuer)} + {("template-challenge-password"),string (password to add to CSR)} + {("template-challenge-password-file"),string (password file) + {("cert-presave-command"),string} +diff --git a/doc/submit.txt b/doc/submit.txt +index dbf5319dc29bd9adb4054d4e76e90f028bad5fa6..7444f88c078b7453ae350268482832485259348a 100644 +--- a/doc/submit.txt ++++ b/doc/submit.txt +@@ -13,6 +13,7 @@ An external CA helper has a few jobs: + * $CERTMONGER_REQ_PRINCIPAL -> Kerberos principal name subjectAltName values + * $CERTMONGER_REQ_IP_ADDRESS-> IP address subjectAltName values (since 0.78) + * $CERTMONGER_CA_PROFILE -> requested enrollment profile/template/certtype ++ * $CERTMONGER_CA_ISSUER -> requested issuer for enrollment + * $CERTMONGER_CSR -> certificate signing request + * $CERTMONGER_CERTIFICATE -> previously-issued certificate, if there is one + * $CERTMONGER_CA_NICKNAME -> nickname of CA (since 0.73) +diff --git a/src/cadata.c b/src/cadata.c +index 947b2e68d3e74abf688aebd48344bfbf964e5656..7861fe73104143d6a9135fcb50b3ead583b03bf7 100644 +--- a/src/cadata.c ++++ b/src/cadata.c +@@ -50,6 +50,7 @@ const char *attribute_map[] = { + CM_SUBMIT_REQ_EMAIL_ENV, CM_DBUS_PROP_TEMPLATE_EMAIL, + CM_SUBMIT_REQ_IP_ADDRESS_ENV, CM_DBUS_PROP_TEMPLATE_IP_ADDRESS, + CM_SUBMIT_PROFILE_ENV, CM_DBUS_PROP_TEMPLATE_PROFILE, ++ CM_SUBMIT_ISSUER_ENV, CM_DBUS_PROP_TEMPLATE_ISSUER, + NULL, + }; + +diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in +index f11f1ffa35ccb6eb3d6aeea149353f55d5266534..b6578dce4b06fd60f9e784ba5665489eb3dd3982 100644 +--- a/src/getcert-request.1.in ++++ b/src/getcert-request.1.in +@@ -87,6 +87,9 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. + \fB\-T\fR NAME + Request a certificate using the named profile, template, or certtype, + from the specified CA. ++.TP ++\fB\-X\fR NAME ++Request a certificate using the named issuer from the specified CA. 
+ + .SH SIGNING REQUEST OPTIONS + +diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in +index ad31da9995194280d79c2ce6bb2311291d37072d..165940eab1e625ecd3db63a1cf0bd822ae6abf72 100644 +--- a/src/getcert-resubmit.1.in ++++ b/src/getcert-resubmit.1.in +@@ -48,6 +48,9 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. + Request a certificate using the named profile, template, or certtype, + from the specified CA. + .TP ++\fB\-X\fR NAME ++Request a certificate using the named issuer from the specified CA. ++.TP + \fB\-I\fR NAME + Assign the specified nickname to this task, replacing the previous nickname. + +diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in +index 6cd24e77dd578662e4b18b8ae18dd26b6faa7122..a46f53578626bc62abaeb22e77500548c34ac3c0 100644 +--- a/src/getcert-start-tracking.1.in ++++ b/src/getcert-start-tracking.1.in +@@ -85,6 +85,9 @@ useful in combination with \fB\-r\fR. + \fB\-T\fR NAME + Request a certificate using the named profile, template, or certtype, + from the specified CA. ++.TP ++\fB\-X\fR NAME ++Request a certificate using the named issuer from the specified CA. 
+ + .SH SIGNING REQUEST OPTIONS + If and when \fIcertmonger\fR attempts to obtain a new certificate to replace +diff --git a/src/getcert.c b/src/getcert.c +index 49840dd968a75929ef55c6b77966187f0c59fa78..cfa36fb1a7ea16c9c9bacc8f40360efa594b7830 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -691,7 +691,7 @@ request(const char *argv0, int argc, const char **argv) + char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL; + int keysize = 0, auto_renew = 1, verbose = 0, ku = 0, kubit, c, i, j; + char *ca = DEFAULT_CA, *subject = NULL, **eku = NULL, *oid, *id = NULL; +- char *profile = NULL, kustring[16]; ++ char *profile = NULL, *issuer = NULL, kustring[16]; + char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; +@@ -732,6 +732,7 @@ request(const char *argv0, int argc, const char **argv) + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("set requested extended key usage OID"), HELP_TYPE_EKU}, +@@ -858,6 +859,9 @@ request(const char *argv0, int argc, const char **argv) + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'X': ++ issuer = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'N': + subject = talloc_strdup(globals.tctx, poptarg); + break; +@@ -1289,6 +1293,13 @@ request(const char 
*argv0, int argc, const char **argv) + params[i] = ¶m[i]; + i++; + } ++ if (issuer != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = issuer; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (precommand != NULL) { + param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; + param[i].value_type = cm_tdbusm_dict_s; +@@ -1480,7 +1491,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id, + char *key_perms, char *cert_perms, + char *pin, char *pinfile, + char *cpass, char *cpassfile, +- char *ca, char *profile, ++ char *ca, char *profile, char *issuer, + char *precommand, char *postcommand, + char **anchor_dbs, char **anchor_files, + dbus_bool_t auto_renew_stop, int waitreq, +@@ -1644,6 +1655,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id, + params[i] = ¶m[i]; + i++; + } ++ if (issuer != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = issuer; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (precommand != NULL) { + param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; + param[i].value_type = cm_tdbusm_dict_s; +@@ -1726,7 +1744,7 @@ set_tracking(const char *argv0, const char *category, + char **anchor_dbs = NULL, **anchor_files = NULL; + char *id = NULL, *new_id = NULL, *new_request; + char *keyfile = NULL, *certfile = NULL, *ca = DEFAULT_CA; +- char *profile = NULL; ++ char *profile = NULL, *issuer = NULL; + char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; +@@ -1767,6 +1785,7 @@ set_tracking(const char *argv0, const char *category, + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"issuer", 'X', POPT_ARG_STRING, 
NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("override requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("override requested extended key usage OID"), HELP_TYPE_EKU}, + {"principal", 'K', POPT_ARG_STRING, NULL, 'K', _("override requested principal name"), HELP_TYPE_PRINCIPAL}, +@@ -2291,7 +2310,7 @@ set_tracking(const char *argv0, const char *category, + key_perms, cert_perms, + pin, pinfile, + cpass, cpassfile, +- ca, profile, ++ ca, profile, issuer, + precommand, postcommand, + anchor_dbs, anchor_files, + (auto_renew_stop > 0), +@@ -2366,7 +2385,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + char *id = NULL, *new_id = NULL, *ca = NULL, *new_request, *nss_scheme; + char *subject = NULL, **eku = NULL, *oid = NULL; + char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; +- char *profile = NULL, kustring[16]; ++ char *profile = NULL, *issuer = NULL, kustring[16]; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; + char *keytype = NULL; +@@ -2403,6 +2422,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the current one"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("set requested extended key usage 
OID"), HELP_TYPE_EKU}, +@@ -2477,6 +2497,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'X': ++ issuer = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'i': + id = talloc_strdup(globals.tctx, poptarg); + break; +@@ -2838,6 +2861,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + params[i] = ¶m[i]; + i++; + } ++ if (issuer != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = issuer; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (precommand != NULL) { + param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; + param[i].value_type = cm_tdbusm_dict_s; +@@ -4647,6 +4677,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the default\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Parameters for the signing request:\n"), + N_(" -N NAME set requested subject name (default: CN=)\n"), + N_(" -U EXTUSAGE set requested extended key usage OID\n"), +@@ -4695,6 +4726,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the default\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Parameters for the signing request at renewal time:\n"), + N_(" -U EXTUSAGE override requested extended key usage OID\n"), + N_(" -u KEYUSAGE set requested key usage value\n"), +@@ -4773,6 +4805,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the current one\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" 
-X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Bus options:\n"), + N_(" -S connect to the certmonger service on the system bus\n"), + N_(" -s connect to the certmonger service on the session bus\n"), +@@ -4820,6 +4853,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the current one\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_(" -G TYPE type of new key to be generated\n"), + N_(" -g SIZE size of new key to be generated\n"), + N_("* Bus options:\n"), +diff --git a/src/ipa.c b/src/ipa.c +index 5236abb40246c270d1b14c5cfbc467dbd6e8f7a4..72cdda6b07ea5a4850fb404497196c46a6bbbd6d 100644 +--- a/src/ipa.c ++++ b/src/ipa.c +@@ -332,7 +332,8 @@ cm_locate_xmlrpc_service(const char *server, + /* Make an XML-RPC request to the "cert_request" method. */ + static int + submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath, +- const char *csr, const char *reqprinc, const char *profile) ++ const char *csr, const char *reqprinc, ++ const char *profile, const char *issuer) + { + struct cm_submit_x_context *ctx; + const char *args[2]; +@@ -366,6 +367,10 @@ submit: + if (profile != NULL) { + cm_submit_x_add_named_arg_s(ctx, "profile_id", profile); + } ++ /* Add the requested CA named argument. */ ++ if (issuer != NULL) { ++ cm_submit_x_add_named_arg_s(ctx, "ca", issuer); ++ } + /* Tell the server to add entries for a principal if one + * doesn't exist yet. 
*/ + cm_submit_x_add_named_arg_b(ctx, "add", 1); +@@ -440,12 +445,14 @@ static int + submit_or_poll(const char *uri, const char *cainfo, const char *capath, + const char *server, int ldap_uri_cmd, const char *ldap_uri, + const char *host, const char *domain, char *basedn, +- const char *csr, const char *reqprinc, const char *profile) ++ const char *csr, const char *reqprinc, ++ const char *profile, const char *issuer) + { + int i, u; + char **uris; + +- i = submit_or_poll_uri(uri, cainfo, capath, csr, reqprinc, profile); ++ i = submit_or_poll_uri(uri, cainfo, capath, csr, reqprinc, profile, ++ issuer); + if ((i == CM_SUBMIT_STATUS_UNREACHABLE) || + (i == CM_SUBMIT_STATUS_UNCONFIGURED)) { + u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri, +@@ -456,7 +463,8 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath, + continue; + } + i = submit_or_poll_uri(uris[u], cainfo, capath, +- csr, reqprinc, profile); ++ csr, reqprinc, profile, ++ issuer); + if ((i != CM_SUBMIT_STATUS_UNREACHABLE) && + (i != CM_SUBMIT_STATUS_UNCONFIGURED)) { + talloc_free(uris); +@@ -556,7 +564,7 @@ main(int argc, const char **argv) + const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile; + int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0; + const char *mode = CM_OP_SUBMIT; +- char ldn[LINE_MAX], *basedn = NULL, *profile = NULL; ++ char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL; + krb5_error_code kret; + poptContext pctx; + struct poptOption popts[] = { +@@ -571,6 +579,7 @@ main(int argc, const char **argv) + {"use-ccache-creds", 'K', POPT_ARG_NONE, NULL, 'K', "use default ccache instead of creating a new one using keytab", NULL}, + {"principal-of-request", 'P', POPT_ARG_STRING, &reqprinc, 0, "principal name in signing request", "PRINCIPAL"}, + {"profile", 'T', POPT_ARG_STRING, &profile, 0, "request enrollment using the specified profile", "NAME"}, ++ {"issuer", 'X', POPT_ARG_STRING, &issuer, 0, "request enrollment using 
the specified CA", "NAME"}, + {"basedn", 'b', POPT_ARG_STRING, &basedn, 0, "IPA domain LDAP base DN", "DN"}, + {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, + POPT_AUTOHELP +@@ -729,6 +738,10 @@ main(int argc, const char **argv) + (getenv(CM_SUBMIT_PROFILE_ENV) != NULL)) { + profile = strdup(getenv(CM_SUBMIT_PROFILE_ENV)); + } ++ if ((issuer == NULL) && ++ (getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) { ++ issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV)); ++ } + if ((server != NULL) && !xmlrpc_uri_cmd) { + snprintf(uri, sizeof(uri), + "https://%s/ipa/xml", server); +@@ -835,7 +848,7 @@ main(int argc, const char **argv) + return submit_or_poll(uri, cainfo, capath, + server, ldap_uri_cmd, ldap_uri, + host, domain, basedn, +- csr, reqprinc, profile); ++ csr, reqprinc, profile, issuer); + } else + if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) { + return fetch_roots(server, ldap_uri_cmd, ldap_uri, host, +diff --git a/src/store-files.c b/src/store-files.c +index 961d03b7d1724a2cdb1fc4a26d8f1e25e474824f..889829ca62a035a758288aac158cbe17b0fd9e6d 100644 +--- a/src/store-files.c ++++ b/src/store-files.c +@@ -129,6 +129,7 @@ enum cm_store_file_field { + cm_store_entry_field_template_ocsp_location, + cm_store_entry_field_template_ns_comment, + cm_store_entry_field_template_profile, ++ cm_store_entry_field_template_issuer, + cm_store_entry_field_template_no_ocsp_check, + cm_store_entry_field_template_ns_certtype, + +@@ -303,6 +304,7 @@ static struct cm_store_file_field_list { + {cm_store_entry_field_template_ns_comment, "template_ns_comment"}, + {cm_store_entry_field_template_profile, "template_profile"}, /* right */ + {cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */ ++ {cm_store_entry_field_template_issuer, "template_issuer"}, + {cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"}, + {cm_store_entry_field_template_ns_certtype, "template_ns_certtype"}, + +@@ -1127,6 +1129,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE 
*fp) + case cm_store_entry_field_template_profile: + ret->cm_template_profile = free_if_empty(p); + break; ++ case cm_store_entry_field_template_issuer: ++ ret->cm_template_issuer = free_if_empty(p); ++ break; + case cm_store_entry_field_template_no_ocsp_check: + ret->cm_template_no_ocsp_check = atoi(p) != 0; + talloc_free(p); +@@ -1370,6 +1375,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) + case cm_store_entry_field_template_ocsp_location: + case cm_store_entry_field_template_ns_comment: + case cm_store_entry_field_template_profile: ++ case cm_store_entry_field_template_issuer: + case cm_store_entry_field_template_no_ocsp_check: + case cm_store_entry_field_template_ns_certtype: + case cm_store_entry_field_challenge_password: +@@ -1972,6 +1978,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry) + entry->cm_template_ns_comment); + cm_store_file_write_str(fp, cm_store_entry_field_template_profile, + entry->cm_template_profile); ++ cm_store_file_write_str(fp, cm_store_entry_field_template_issuer, ++ entry->cm_template_issuer); + cm_store_file_write_int(fp, cm_store_entry_field_template_no_ocsp_check, + entry->cm_template_no_ocsp_check ? 
1 : 0); + cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype, +@@ -2735,6 +2743,7 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry) + ret->cm_template_ocsp_location = cm_store_maybe_strdupv(ret, entry->cm_template_ocsp_location); + ret->cm_template_ns_comment = cm_store_maybe_strdup(ret, entry->cm_template_ns_comment); + ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile); ++ ret->cm_template_issuer = cm_store_maybe_strdup(ret, entry->cm_template_issuer); + ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check; + ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret, + entry->cm_template_ns_certtype); +diff --git a/src/store-int.h b/src/store-int.h +index d7d3fc86306b103b0a90faef7396697743b9c8da..2d3a35387516c48ab81a6422e42d57d5741593f6 100644 +--- a/src/store-int.h ++++ b/src/store-int.h +@@ -142,6 +142,7 @@ struct cm_store_entry { + char **cm_template_ocsp_location; + char *cm_template_ns_comment; + char *cm_template_profile; ++ char *cm_template_issuer; + char *cm_template_ns_certtype; + unsigned int cm_template_no_ocsp_check: 1; + /* A challenge password, which may be included (in cleartext form!) in +diff --git a/src/submit-e.c b/src/submit-e.c +index 6997b436e42aa4f77c421040070ee2484467dea5..befd01e0fd00b8f9e239752ffbd80c985fae5057 100644 +--- a/src/submit-e.c ++++ b/src/submit-e.c +@@ -876,6 +876,7 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca, + maybe_setenv(CM_SUBMIT_COOKIE_ENV, entry->cm_ca_cookie); + maybe_setenv(CM_SUBMIT_CA_NICKNAME_ENV, entry->cm_ca_nickname); + maybe_setenv(CM_SUBMIT_PROFILE_ENV, entry->cm_template_profile); ++ maybe_setenv(CM_SUBMIT_ISSUER_ENV, entry->cm_template_issuer); + maybe_setenv(CM_SUBMIT_CERTIFICATE_ENV, entry->cm_cert); + /* Only pass SCEP data to the helper if we haven't used this set of + * nonced data before. It'll ask for fresh data if it needs it. 
*/ +diff --git a/src/submit-e.h b/src/submit-e.h +index 2e325cf7d36436b89287e9933db83a6d853abfd1..0148d4da07507a000d8e6e8aca98f2ed84669eca 100644 +--- a/src/submit-e.h ++++ b/src/submit-e.h +@@ -48,6 +48,7 @@ const char *cm_submit_e_status_text(enum cm_external_status status); + #define CM_SUBMIT_COOKIE_ENV "CERTMONGER_CA_COOKIE" + #define CM_SUBMIT_CA_NICKNAME_ENV "CERTMONGER_CA_NICKNAME" + #define CM_SUBMIT_PROFILE_ENV "CERTMONGER_CA_PROFILE" ++#define CM_SUBMIT_ISSUER_ENV "CERTMONGER_CA_ISSUER" + #define CM_SUBMIT_CERTIFICATE_ENV "CERTMONGER_CERTIFICATE" + #define CM_SUBMIT_SCEP_CA_IDENTIFIER_ENV "CERTMONGER_SCEP_CA_IDENTIFIER" + #define CM_SUBMIT_SCEP_RA_CERTIFICATE_ENV "CERTMONGER_SCEP_RA_CERTIFICATE" +diff --git a/src/tdbus.h b/src/tdbus.h +index c9b3afeb59548c2dc1260cfd7c76b39327a42f89..496f2dd289a0bd9b4d66451ea5eb0acf83d0cf5f 100644 +--- a/src/tdbus.h ++++ b/src/tdbus.h +@@ -108,6 +108,7 @@ + #define CM_DBUS_PROP_TEMPLATE_FRESHEST_CRL "template-freshest-crl" + #define CM_DBUS_PROP_TEMPLATE_NS_COMMENT "template-ns-comment" + #define CM_DBUS_PROP_TEMPLATE_PROFILE "template-profile" ++#define CM_DBUS_PROP_TEMPLATE_ISSUER "template-issuer" + #define CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE "template-ns-certtype" + #define CM_DBUS_SIGNAL_REQUEST_CERT_SAVED "SavedCertificate" + #define CM_DBUS_PROP_CA_PRESAVE_COMMAND "ca-presave-command" +diff --git a/src/tdbush.c b/src/tdbush.c +index 4660f80f26669d31b2629c543384fe95bbec1ea9..05a503e06a553c566dcff5e053cbd8aa16c20f14 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -1562,6 +1562,13 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, + param->value.s); + } + param = cm_tdbusm_find_dict_entry(d, ++ CM_DBUS_PROP_TEMPLATE_ISSUER, ++ cm_tdbusm_dict_s); ++ if (param != NULL) { ++ new_entry->cm_template_issuer = maybe_strdup(new_entry, ++ param->value.s); ++ } ++ param = cm_tdbusm_find_dict_entry(d, + CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD, + cm_tdbusm_dict_s); + if ((param != NULL) && +@@ -3306,6 +3313,14 @@ 
request_modify(DBusConnection *conn, DBusMessage *msg, + } + } else + if ((param->value_type == cm_tdbusm_dict_s) && ++ (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_ISSUER) == 0)) { ++ talloc_free(entry->cm_template_issuer); ++ entry->cm_template_issuer = maybe_strdup(entry, param->value.s); ++ if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) { ++ propname[n_propname++] = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ } ++ } else ++ if ((param->value_type == cm_tdbusm_dict_s) && + (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD) == 0)) { + talloc_free(entry->cm_template_challenge_password); + entry->cm_template_challenge_password = maybe_strdup(entry, +@@ -6712,6 +6727,14 @@ cm_tdbush_iface_request(void) + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + NULL), + make_interface_item(cm_tdbush_interface_property, ++ make_property(CM_DBUS_PROP_TEMPLATE_ISSUER, ++ cm_tdbush_property_string, ++ cm_tdbush_property_readwrite, ++ cm_tdbush_property_char_p, ++ offsetof(struct cm_store_entry, cm_template_issuer), ++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ++ NULL), ++ make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE, + cm_tdbush_property_string, + cm_tdbush_property_readwrite, +@@ -7156,7 +7179,7 @@ cm_tdbush_iface_request(void) + make_interface_item(cm_tdbush_interface_signal, + make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, + NULL), +- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); ++ NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); + } + return ret; + } +diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index ba55dd5ce97c74475dbebb761c41dd2e64e64365..b2660317b3102373f2a5a877a7224f727929412c 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -328,6 +328,7 @@ OK + + + ++ + + + +-- +2.9.0 + 
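Review bot: Each `if (issuer != NULL) { … params[i] = &param[i]; i++; }` block added to getcert.c appends one more entry to a fixed-size `param`/`params` pair with no bound check, and the later fix in this series enlarges only the arrays in `add_basic_request()` and `set_tracking()`; the arrays used by `request()` and `rekey_or_resubmit()` are declared outside this hunk, so confirm they still have headroom or guard every append with `assert(i < (int)(sizeof(param) / sizeof(param[0])));`. The issuer value is also exported to every external helper as `CERTMONGER_CA_ISSUER` by submit-e.c, while only ipa-submit is taught to act on it in this series, so a `-X` given for another CA is accepted, stored and silently ignored; the new getcert man page entries should say so, e.g. `Only CAs whose helper honours CERTMONGER_CA_ISSUER act on this option; other CAs ignore it.` All of the getcert.c, ipa.c and tdbush.c functions touched here start and end outside their hunks.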
diff --git a/SOURCES/0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch b/SOURCES/0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch
new file mode 100644
index 0000000..14448f5
--- /dev/null
+++ b/SOURCES/0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch
@@ -0,0 +1,44 @@
+From f78836266df6fdbdc321e002dc7ae2229866e621 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 14 Jun 2016 15:56:30 -0400
+Subject: [PATCH] Documentation: mark $CERTMONGER_CA_ISSUER as 0.79
+
+In documentation that now mentions that we set $CERTMONGER_CA_ISSUER for
+helpers, list 0.79 as the first version where we started doing so.
+---
+ doc/helpers.txt | 5 +++++
+ doc/submit.txt | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/doc/helpers.txt b/doc/helpers.txt
+index 9d43e2390122c67719d549387b070879bf7e1f2d..975a741eeb76ef6d9005a05e5283ab92a1ccd399 100644
+--- a/doc/helpers.txt
++++ b/doc/helpers.txt
+@@ -103,6 +103,11 @@ helper is called.
+ * CERTMONGER_REQ_IP_ADDRESS
+ Any iPAddress subject alt name values from the request.
+ 
++ These are also present starting with version 0.79:
++
++ * CERTMONGER_CA_ISSUER
++ The requested issuer for enrollment.
++
+ The helper is expected to use this information, along with whatever
+ credentials it has or is passed on the command line, to send the signing
+ request to the CA.
+diff --git a/doc/submit.txt b/doc/submit.txt
+index 7444f88c078b7453ae350268482832485259348a..b1742c3f2e54adcaa60f58371c9ff1fded0d30b0 100644
+--- a/doc/submit.txt
++++ b/doc/submit.txt
+@@ -13,7 +13,7 @@ An external CA helper has a few jobs:
+ * $CERTMONGER_REQ_PRINCIPAL -> Kerberos principal name subjectAltName values
+ * $CERTMONGER_REQ_IP_ADDRESS-> IP address subjectAltName values (since 0.78)
+ * $CERTMONGER_CA_PROFILE -> requested enrollment profile/template/certtype
+- * $CERTMONGER_CA_ISSUER -> requested issuer for enrollment
++ * $CERTMONGER_CA_ISSUER -> requested issuer for enrollment (since 0.79)
+ * $CERTMONGER_CSR -> certificate signing request
+ * $CERTMONGER_CERTIFICATE -> previously-issued certificate, if there is one
+ * $CERTMONGER_CA_NICKNAME -> nickname of CA (since 0.73)
+--
+2.9.0
+
diff --git a/SOURCES/0005-Comment-whitespace-fixup.patch b/SOURCES/0005-Comment-whitespace-fixup.patch
new file mode 100644
index 0000000..28bd346
--- /dev/null
+++ b/SOURCES/0005-Comment-whitespace-fixup.patch
@@ -0,0 +1,39 @@
+From 77977396865f4099dff7143c703301ccea52a276 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 14 Jun 2016 15:57:16 -0400
+Subject: [PATCH] Comment/whitespace fixup
+
+---
+ src/ipa.c | 2 +-
+ src/tdbush.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ipa.c b/src/ipa.c
+index 72cdda6b07ea5a4850fb404497196c46a6bbbd6d..f2736c6f37948df902b65157480fc0c29ec58c3e 100644
+--- a/src/ipa.c
++++ b/src/ipa.c
+@@ -367,7 +367,7 @@ submit:
+ if (profile != NULL) {
+ cm_submit_x_add_named_arg_s(ctx, "profile_id", profile);
+ }
+- /* Add the requested CA named argument. */
++ /* Add the requested CA issuer named argument. */
+ if (issuer != NULL) {
+ cm_submit_x_add_named_arg_s(ctx, "ca", issuer);
+ }
+diff --git a/src/tdbush.c b/src/tdbush.c
+index 05a503e06a553c566dcff5e053cbd8aa16c20f14..631da3ed2bbb1f6828d576760299ad51d7e41923 100644
+--- a/src/tdbush.c
++++ b/src/tdbush.c
+@@ -1566,7 +1566,7 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
+ cm_tdbusm_dict_s);
+ if (param != NULL) {
+ new_entry->cm_template_issuer = maybe_strdup(new_entry,
+- param->value.s);
++ param->value.s);
+ }
+ param = cm_tdbusm_find_dict_entry(d,
+ CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD,
+--
+2.9.0
+
diff --git a/SOURCES/0006-ipa-submit-Retry-without-ca-on-OptionError.patch b/SOURCES/0006-ipa-submit-Retry-without-ca-on-OptionError.patch
new file mode 100644
index 0000000..b089001
--- /dev/null
+++ b/SOURCES/0006-ipa-submit-Retry-without-ca-on-OptionError.patch
@@ -0,0 +1,35 @@
+From 301e56c06192649bc33ddbda77ac55c0fb69f2a0 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 14 Jun 2016 15:59:10 -0400
+Subject: [PATCH] ipa-submit: Retry without "ca" on OptionError
+
+Add a fallback for when the IPA server returns error 3005 ("OptionError")
+when we've tried to use the "ca" named argument in a request. As we did
+with "profile_id" earlier, take a guess that it didn't understand the
+most recently-added option that we're setting, and retry without it set.
+---
+ src/ipa.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/ipa.c b/src/ipa.c
+index f2736c6f37948df902b65157480fc0c29ec58c3e..f8abe609a603b614067e56ebe9935472b647ed99 100644
+--- a/src/ipa.c
++++ b/src/ipa.c
+@@ -387,6 +387,14 @@ submit:
+ switch (i / 1000) {
+ case 2: /* authorization error - permanent */
+ case 3: /* invocation error - permanent */
++ if ((i == 3005) && (issuer != NULL)) {
++ /* Most likely the server didn't understand the
++ * "ca" argument. At least, at this
++ * point. Randomly dropping arguments is not
++ * really an extensible solution, though. */
++ issuer = NULL;
++ goto submit;
++ }
+ if ((i == 3005) && (profile != NULL)) {
+ /* Most likely the server didn't understand the
+ * "profile_id" argument. At least, at this
+--
+2.9.0
+
diff --git a/SOURCES/0007-getcert-fix-a-potential-out-of-bounds.patch b/SOURCES/0007-getcert-fix-a-potential-out-of-bounds.patch
new file mode 100644
index 0000000..91a78d6
--- /dev/null
+++ b/SOURCES/0007-getcert-fix-a-potential-out-of-bounds.patch
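Review bot: The fallback at `if ((i == 3005) && (issuer != NULL))` silently discards the issuer the operator asked for and resubmits to whatever CA the server selects by default, so a request made with `-X <sub-CA>` can come back signed by a different CA with nothing recorded to show it; at least emit a diagnostic before the retry, e.g. `fprintf(stderr, "Server rejected the \"ca\" option; retrying without issuer \"%s\".\n", issuer);` (gated on a verbose flag if one is reachable here). Error 3005 is the generic OptionError, so any rejected option value will first strip the issuer, then the profile, and submit a third time; if the server reply names the offending option, match on that rather than on the numeric code alone. The man page text added later in this series describes this fallback as the server not understanding "multiple profiles", which should read issuers/CAs. The enclosing `switch` and the `submit:` label lie outside the hunk.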
@@ -0,0 +1,41 @@
+From ef0f3c32888165c1a39b078f23ce7e1fc57fec66 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 15 Jun 2016 15:56:38 -0400
+Subject: [PATCH] getcert: fix a potential out-of-bounds
+
+In getcert, fix a potential out-of-bounds write while gathering
+parameters to send to the daemon as part of an "add_request" API
+request, present since 20a6536febf0815d0b3d301133820a46fdd6ef21.
+---
+ src/getcert.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/getcert.c b/src/getcert.c
+index cfa36fb1a7ea16c9c9bacc8f40360efa594b7830..c84273a9bfc8730422f18ade87ce174fbbc44634 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -1499,8 +1499,8 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
+ {
+ DBusMessage *req, *rep;
+ int i;
+- struct cm_tdbusm_dict param[25];
+- const struct cm_tdbusm_dict *params[26];
++ struct cm_tdbusm_dict param[26];
++ const struct cm_tdbusm_dict *params[27];
+ dbus_bool_t b;
+ const char *capath;
+ char *p;
+@@ -1738,8 +1738,8 @@ set_tracking(const char *argv0, const char *category,
+ enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
+ DBusMessage *req, *rep;
+ const char *request, *capath;
+- struct cm_tdbusm_dict param[25];
+- const struct cm_tdbusm_dict *params[26];
++ struct cm_tdbusm_dict param[26];
++ const struct cm_tdbusm_dict *params[27];
+ char *nss_scheme, *dbdir = NULL, *token = NULL, *nickname = NULL;
+ char **anchor_dbs = NULL, **anchor_files = NULL;
+ char *id = NULL, *new_id = NULL, *new_request;
+--
+2.9.0
+
diff --git a/SOURCES/0008-Document-the-X-option-in-the-ipa-submit-man-page.patch b/SOURCES/0008-Document-the-X-option-in-the-ipa-submit-man-page.patch
new file mode 100644
index 0000000..33d08cb
--- /dev/null
+++ b/SOURCES/0008-Document-the-X-option-in-the-ipa-submit-man-page.patch
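Review bot: Bumping `param[25]`/`params[26]` to 26/27 restores the one entry the issuer block consumes but keeps the hazard that caused the overflow: both functions append with `params[i] = &param[i]; i++;` against a hand-counted capacity, so the next optional parameter added will overflow again unless both literals are remembered. Make the capacity self-describing and checked, e.g. `struct cm_tdbusm_dict param[CM_MAX_REQUEST_PARAMS]; const struct cm_tdbusm_dict *params[CM_MAX_REQUEST_PARAMS + 1];` plus `assert(i < (int)(sizeof(param) / sizeof(param[0])));` before each append, or a small static helper that performs the append and the check. The commit message says the write was reachable since the earlier add_request change, which suggests the same pattern in `request()` and `rekey_or_resubmit()` should be audited too, as their declarations are not in this patch. Both `add_basic_request()` and `set_tracking()` begin before and continue past their hunks.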
@@ -0,0 +1,32 @@ +From 3a734708fb96d0fed7850a5615782e27a039cda1 Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai +Date: Wed, 15 Jun 2016 17:20:52 -0400 +Subject: [PATCH] Document the -X option in the ipa-submit man page + +Add documentation for the new -X option to certmonger-ipa-submit(8). +--- + src/certmonger-ipa-submit.8.in | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/certmonger-ipa-submit.8.in b/src/certmonger-ipa-submit.8.in +index 62b6991c7e1e13ed02cb04a76e9446b69a01093d..2a986c63f97c117175f84007cb54b63b8e221cf7 100644 +--- a/src/certmonger-ipa-submit.8.in ++++ b/src/certmonger-ipa-submit.8.in +@@ -28,6 +28,14 @@ LDAP server's directory tree, where $BASE defaults to the value of the + Identifies the principal name of the service for which the certificate is being + issued. This setting is required by IPA and must always be specified. + .TP ++\fB\-X\fR issuer ++Requests that the certificate be processed by the specified certificate issuer. ++By default, if this flag is not specified, and the \fBCERTMONGER_CA_ISSUER\fR ++variable is set in the environment, then the value of the environment variable ++will be used. This setting is optional, and if a server returns error 3005, ++indicating that it does not understand multiple profiles, the request will be ++re-submitted without specifying an issuer name. ++.TP + \fB\-T\fR profile + Requests that the certificate be processed using the specified certificate profile. + By default, if this flag is not specified, and the \fBCERTMONGER_CA_PROFILE\fR +-- +2.9.0 + diff --git a/SOURCES/0009-Fix-a-flakiness-in-the-028-dbus-test.patch b/SOURCES/0009-Fix-a-flakiness-in-the-028-dbus-test.patch new file mode 100644 index 0000000..35b3adb --- /dev/null +++ b/SOURCES/0009-Fix-a-flakiness-in-the-028-dbus-test.patch 
@@ -0,0 +1,59 @@ +From 4f72c02d0f432519f9d5606bd99007fd685482a7 Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai +Date: Wed, 29 Jun 2016 17:37:09 -0400 +Subject: [PATCH] Fix a flakiness in the 028-dbus test + +When walking all of the exposed APIs from python, we were calling the +'resubmit' method on a certificate, and not waiting for the churn in +state that doing so would create to settle down before continuing. + +This meant that the test script might have exited before the certmonger +process that was waiting on it finished saving the new certificate that +it obtained from resubmitting the rquest, so the process wouldn't +reliably log that it had obtained a new certificate. + +Spotted by Jan Cholasta. +--- + tests/028-dbus/expected.out | 1 + + tests/028-dbus/walk.py | 8 ++++++++ + 2 files changed, 9 insertions(+) + +diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index b2660317b3102373f2a5a877a7224f727929412c..93cc4d184524c4b1aeba02a650c94d832462c236 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -1,4 +1,5 @@ + Certificate in file "${tmpdir}/test.crt" issued by CA and saved. ++Certificate in file "${tmpdir}/test.crt" issued by CA and saved. + [[ getcert ]] + State MONITORING, stuck: no. + Number of certificates and requests being tracked: 1. +diff --git a/tests/028-dbus/walk.py b/tests/028-dbus/walk.py +index 0bf54b477220aef901340c1d24100391348226a7..f60ca934fd934e21cec027bad5c53e0f12ccb36d 100644 +--- a/tests/028-dbus/walk.py ++++ b/tests/028-dbus/walk.py +@@ -3,6 +3,7 @@ import dbus + import xml.etree.ElementTree + import os + import sys ++import time + + bus = dbus.SessionBus() + +@@ -110,6 +111,13 @@ def examine_method(objpath, interface, method, idata): + # We're in FIXME territory. + print('FIXME: need support for "%s"' % method) + return False ++ # If we caused things to start churning, wait for them to settle. 
++ if method == 'resubmit': ++ props = dbus.Interface(o, 'org.freedesktop.DBus.Properties') ++ prop = props.Get(interface, 'status') ++ while prop != 'MONITORING': ++ time.sleep(1) ++ prop = props.Get(interface, 'status') + return True + + def iget(child, proxy, interface, prop): +-- +2.7.4 + diff --git a/SOURCES/0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch b/SOURCES/0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch new file mode 100644 index 0000000..1c5f0cb --- /dev/null +++ b/SOURCES/0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch @@ -0,0 +1,29 @@ +From c4b456b2c7515fd896d2806d70f3ebc86c7a85ac Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 5 Mar 2018 10:18:38 -0500 +Subject: [PATCH] Set all bits to 1 in local CA Basic Constraint to set TRUE + +This was previously using the value of 1 which OpenSSL didn't +have an issue with but NSS is stricter when it comes to DER +encoding. Section 11.1 in X.690 requires that DER boolean set +all bits to 1 to indicate TRUE. +--- + src/local.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/local.c b/src/local.c +index 8450c9b5..48a9e360 100644 +--- a/src/local.c ++++ b/src/local.c +@@ -85,7 +85,7 @@ set_ca_extensions(void *parent, X509_REQ *req, EVP_PKEY *key) + exts = sk_X509_EXTENSION_new(NULL); + + memset(&basic, 0, sizeof(basic)); +- basic.ca = 1; ++ basic.ca = 255; // set all bits for TRUE + X509V3_add1_i2d(&exts, NID_basic_constraints, &basic, TRUE, 0); + + len = i2d_PUBKEY(key, NULL); +-- +2.13.6 + diff --git a/SOURCES/0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch b/SOURCES/0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch new file mode 100644 index 0000000..38e9115 --- /dev/null +++ b/SOURCES/0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch 
@@ -0,0 +1,38 @@ +From 42586b51e34519f18fadef2ad3c9c9d77fde0409 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 5 Mar 2018 15:54:10 -0400 +Subject: [PATCH] Fix conversions of bit lengths to byte lengths + +Fix a number of places where we weren't correctly converting from length +in bits to length in bytes, and one in the self-tests where the newest +version of NSS complains if the size of a signature was too large +because it was not converted at all. + +Based on upstream change dd537bcc644dea163b4c8f3de08d73a60876449d +--- + tests/tools/checksig.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/tools/checksig.c b/tests/tools/checksig.c +index e690911..ab8bb11 100644 +--- a/tests/tools/checksig.c ++++ b/tests/tools/checksig.c +@@ -18,6 +18,7 @@ + #include "../../src/config.h" + + #include ++#include + #include + #include + #include +@@ -101,6 +102,7 @@ main(int argc, char **argv) + printf("error finding public key\n"); + return 1; + } ++ signed_data.signature.len = howmany(signed_data.signature.len, 8); + if (VFY_VerifyDataWithAlgorithmID(signed_data.data.data, + signed_data.data.len, + pubkey, +-- +1.8.3.1 + diff --git a/SOURCES/0012-Remove-trailing-CR-LF-when-reading-passwords-from-a-.patch b/SOURCES/0012-Remove-trailing-CR-LF-when-reading-passwords-from-a-.patch new file mode 100644 index 0000000..dbca807 --- /dev/null +++ b/SOURCES/0012-Remove-trailing-CR-LF-when-reading-passwords-from-a-.patch 
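Review bot: The conversion `howmany(signed_data.signature.len, 8)` is applied unconditionally, so a signature whose `len` is already a byte count would be shrunk to an eighth; a comment on that line such as `/* NSS decodes the BIT STRING length in bits; VFY_* expects bytes */` would at least record the assumption the commit message relies on. `howmany` is a BSD macro rather than standard C and the header name on the added `#include` line is not visible here; `signed_data.signature.len = (signed_data.signature.len + 7) / 8;` needs no extra header. main's body continues outside the hunk.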
@@ -0,0 +1,35 @@ +From a55000a067d68cbf7aaf201b73ba2eb14090f916 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 21 Feb 2018 15:28:38 -0500 +Subject: [PATCH] Remove trailing CR/LF when reading passwords from a file. + +https://bugzilla.redhat.com/show_bug.cgi?id=1547641 +--- + src/dogtag.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/dogtag.c b/src/dogtag.c +index 5b55b04d..871f3875 100644 +--- a/src/dogtag.c ++++ b/src/dogtag.c +@@ -476,9 +476,17 @@ main(int argc, const char **argv) + /* Read the client password and/or PIN, if we need to. */ + if ((pwdfile != NULL) && (pwd == NULL)) { + pwd = cm_submit_u_from_file(pwdfile); ++ if (pwd != NULL) { ++ pwd = talloc_strndup(ctx, pwd, ++ strcspn(pwd, "\r\n")); ++ } + } + if ((pinfile != NULL) && (pin == NULL)) { + pin = cm_submit_u_from_file(pinfile); ++ if (pin != NULL) { ++ pin = talloc_strndup(ctx, pin, ++ strcspn(pin, "\r\n")); ++ } + } + + /* Figure out which form and arguments to use. */ +-- +2.13.6 + diff --git a/SOURCES/0013-Disable-the-10-iterate-tests-which-randomly-fail.patch b/SOURCES/0013-Disable-the-10-iterate-tests-which-randomly-fail.patch new file mode 100644 index 0000000..b0fe84e --- /dev/null +++ b/SOURCES/0013-Disable-the-10-iterate-tests-which-randomly-fail.patch 
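Review bot: The new `talloc_strndup` replaces `pwd` (and `pin`) with a trimmed copy but leaves the original buffer returned by `cm_submit_u_from_file` untouched and unreferenced, so a second copy of the secret stays in memory for as long as whatever owns that allocation lives (its allocator is not visible here). Clearing it before the reference is dropped, with `explicit_bzero(pwd, strlen(pwd));` where available since a plain `memset` right before release can be optimised away, and releasing it through the matching allocator would close that. `talloc_strndup` can also return NULL, which this code then cannot tell apart from "no password file was given"; a check that logs and exits would be safer. main's body continues outside the hunk.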
@@ -0,0 +1,35 @@ +From 80e016cc4efef1b7f9abc73e209e83bcd3fa0c6f Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 17 Jul 2018 16:22:02 -0400 +Subject: [PATCH] Disable the 10-iterate tests which randomly fail + +Sometimes the dates are off just enough to cause the comparison +to fail. +--- + tests/Makefile.am | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index f60e571..bbcd06e 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -62,8 +62,6 @@ EXTRA_DIST = \ + 008-certread/expected.out \ + 009-oiddict/run.sh \ + 009-oiddict/expected.out \ +- 010-iterate/run.sh \ +- 010-iterate/expected.out \ + 011-dbinit/expected.out \ + 011-dbinit/run.sh \ + 011-dbinit-dbm/expected.out \ +@@ -166,7 +164,6 @@ subdirs = \ + 007-certsave \ + 008-certread \ + 009-oiddict \ +- 010-iterate \ + 011-dbinit \ + 012-dbadd \ + 013-enckey \ +-- +2.13.6 + diff --git a/SOURCES/0014-MS-cert-template-add-D-Bus-property-and-storage.patch b/SOURCES/0014-MS-cert-template-add-D-Bus-property-and-storage.patch new file mode 100644 index 0000000..f4fa5c6 --- /dev/null +++ b/SOURCES/0014-MS-cert-template-add-D-Bus-property-and-storage.patch 
@@ -0,0 +1,198 @@ +From afe1fc05a5da349c3e24e8c96b1e185e4da53613 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 17 Aug 2017 11:38:43 +1000 +Subject: [PATCH] MS cert template: add D-Bus property and storage + +Add a D-Bus property and storage for a new template attribute, which +will hold data to be included in CSRs in the MS V2 certificate +template extension. + +The server does not validate the extension data (validation +behaviour is implemented in a subsequent commit). + +Part of: https://pagure.io/certmonger/issue/78 +--- + doc/api.txt | 2 ++ + src/store-files.c | 10 ++++++++++ + src/store-int.h | 1 + + src/tdbus.h | 1 + + src/tdbush.c | 29 ++++++++++++++++++++++++++++- + tests/028-dbus/expected.out | 1 + + 6 files changed, 43 insertions(+), 1 deletion(-) + +diff --git a/doc/api.txt b/doc/api.txt +index 31016be..83cf375 100644 +--- a/doc/api.txt ++++ b/doc/api.txt +@@ -56,6 +56,7 @@ o object layout + {("template-crldp"),array-of-string (CRL distribution point URIs)} + {("template-ns-comment"),string (Netscape comment)} + {("template-profile"),string (certificate profile)} ++ {("template-ms-certificate-template"),string (MS V2 template specifier; format: :[:] )} + {("template-issuer"),string (requested issuer)} + {("template-challenge-password"),string (password to add to CSR)} + {("template-challenge-password-file"),string (password file) +@@ -165,6 +166,7 @@ o object layout + {("template-crldp"),array-of-string (CRL distribution point URIs)} + {("template-ns-comment"),string (Netscape comment)} + {("template-profile"),string (certificate profile)} ++ {("template-ms-certificate-template"),string (MS V2 template specifier; format: :[:] )} + {("template-issuer"),string (requested issuer)} + {("template-challenge-password"),string (password to add to CSR)} + {("template-challenge-password-file"),string (password file) +diff --git a/src/store-files.c b/src/store-files.c +index 889829c..977e896 100644 +--- a/src/store-files.c ++++ b/src/store-files.c 
+@@ -130,6 +130,7 @@ enum cm_store_file_field { + cm_store_entry_field_template_ns_comment, + cm_store_entry_field_template_profile, + cm_store_entry_field_template_issuer, ++ cm_store_entry_field_template_certificate_template, + cm_store_entry_field_template_no_ocsp_check, + cm_store_entry_field_template_ns_certtype, + +@@ -305,6 +306,7 @@ static struct cm_store_file_field_list { + {cm_store_entry_field_template_profile, "template_profile"}, /* right */ + {cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */ + {cm_store_entry_field_template_issuer, "template_issuer"}, ++ {cm_store_entry_field_template_certificate_template, "template_certificate_template"}, + {cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"}, + {cm_store_entry_field_template_ns_certtype, "template_ns_certtype"}, + +@@ -1129,6 +1131,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp) + case cm_store_entry_field_template_profile: + ret->cm_template_profile = free_if_empty(p); + break; ++ case cm_store_entry_field_template_certificate_template: ++ ret->cm_template_certificate_template = free_if_empty(p); ++ break; + case cm_store_entry_field_template_issuer: + ret->cm_template_issuer = free_if_empty(p); + break; +@@ -1375,6 +1380,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) + case cm_store_entry_field_template_ocsp_location: + case cm_store_entry_field_template_ns_comment: + case cm_store_entry_field_template_profile: ++ case cm_store_entry_field_template_certificate_template: + case cm_store_entry_field_template_issuer: + case cm_store_entry_field_template_no_ocsp_check: + case cm_store_entry_field_template_ns_certtype: +@@ -1984,6 +1990,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry) + entry->cm_template_no_ocsp_check ? 
1 : 0); + cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype, + entry->cm_template_ns_certtype); ++ cm_store_file_write_str(fp, cm_store_entry_field_template_certificate_template, ++ entry->cm_template_certificate_template); + + cm_store_file_write_str(fp, cm_store_entry_field_challenge_password, + entry->cm_template_challenge_password); +@@ -2745,6 +2753,8 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry) + ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile); + ret->cm_template_issuer = cm_store_maybe_strdup(ret, entry->cm_template_issuer); + ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check; ++ ret->cm_template_certificate_template = ++ cm_store_maybe_strdup(ret, entry->cm_template_certificate_template); + ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret, + entry->cm_template_ns_certtype); + +diff --git a/src/store-int.h b/src/store-int.h +index 2d3a353..98b37e6 100644 +--- a/src/store-int.h ++++ b/src/store-int.h +@@ -144,6 +144,7 @@ struct cm_store_entry { + char *cm_template_profile; + char *cm_template_issuer; + char *cm_template_ns_certtype; ++ char *cm_template_certificate_template; + unsigned int cm_template_no_ocsp_check: 1; + /* A challenge password, which may be included (in cleartext form!) in + * a CSR. 
*/ +diff --git a/src/tdbus.h b/src/tdbus.h +index 496f2dd..7164f11 100644 +--- a/src/tdbus.h ++++ b/src/tdbus.h +@@ -110,6 +110,7 @@ + #define CM_DBUS_PROP_TEMPLATE_PROFILE "template-profile" + #define CM_DBUS_PROP_TEMPLATE_ISSUER "template-issuer" + #define CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE "template-ns-certtype" ++#define CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE "template-ms-certificate-template" + #define CM_DBUS_SIGNAL_REQUEST_CERT_SAVED "SavedCertificate" + #define CM_DBUS_PROP_CA_PRESAVE_COMMAND "ca-presave-command" + #define CM_DBUS_PROP_CA_PRESAVE_UID "ca-presave-uid" +diff --git a/src/tdbush.c b/src/tdbush.c +index 631da3e..94bf793 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -1568,6 +1568,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, + new_entry->cm_template_issuer = maybe_strdup(new_entry, + param->value.s); + } ++ param = cm_tdbusm_find_dict_entry(d, ++ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE, ++ cm_tdbusm_dict_s); ++ if (param != NULL) { ++ // TODO check validity ++ new_entry->cm_template_certificate_template = maybe_strdup(new_entry, ++ param->value.s); ++ } + param = cm_tdbusm_find_dict_entry(d, + CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD, + cm_tdbusm_dict_s); +@@ -3320,6 +3328,17 @@ request_modify(DBusConnection *conn, DBusMessage *msg, + propname[n_propname++] = CM_DBUS_PROP_TEMPLATE_ISSUER; + } + } else ++ if ((param->value_type == cm_tdbusm_dict_s) && ++ (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE) == 0)) { ++ talloc_free(entry->cm_template_certificate_template); ++ // TODO check validity ++ entry->cm_template_certificate_template = ++ maybe_strdup(entry, param->value.s); ++ if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) { ++ propname[n_propname++] = ++ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE; ++ } ++ } else + if ((param->value_type == cm_tdbusm_dict_s) && + (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD) == 0)) { + 
talloc_free(entry->cm_template_challenge_password); +@@ -6734,6 +6753,14 @@ cm_tdbush_iface_request(void) + offsetof(struct cm_store_entry, cm_template_issuer), + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + NULL), ++ make_interface_item(cm_tdbush_interface_property, ++ make_property(CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE, ++ cm_tdbush_property_string, ++ cm_tdbush_property_readwrite, ++ cm_tdbush_property_char_p, ++ offsetof(struct cm_store_entry, cm_template_certificate_template), ++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ++ NULL), + make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE, + cm_tdbush_property_string, +@@ -7179,7 +7206,7 @@ cm_tdbush_iface_request(void) + make_interface_item(cm_tdbush_interface_signal, + make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, + NULL), +- NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); ++ NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); + } + return ret; + } +diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index 93cc4d1..8a81a7f 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -330,6 +330,7 @@ OK + + + ++ + + + +-- +2.14.4 + diff --git a/SOURCES/0015-MS-cert-template-add-template-extension-to-CSR.patch b/SOURCES/0015-MS-cert-template-add-template-extension-to-CSR.patch new file mode 100644 index 0000000..bcb14f1 --- /dev/null +++ b/SOURCES/0015-MS-cert-template-add-template-extension-to-CSR.patch 
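Review bot: The new attribute is persisted under the key `template_certificate_template` and the field `cm_template_certificate_template`, while the D-Bus property and its macro are `template-ms-certificate-template` / `CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE`; dropping `ms` from the stored name hides which template format the value is in and splits the three names for anyone grepping, so `template_ms_certificate_template` for key and field would keep them aligned. The two `// TODO check validity` comments use C++ style in a file that otherwise comments with `/* */`, and in request_modify the value is stored straight after a `talloc_free` with no check at all, which the commit message acknowledges is deferred to a later patch. The api.txt format text reads `:[:]` here, so the placeholder names appear to have been lost in rendering and should be confirmed in the actual file. base_add_request and request_modify both continue outside the hunk.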
@@ -0,0 +1,135 @@ +From 616bc539e7054f7e561ca66672019f7990759811 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 17 Aug 2017 18:10:37 +1000 +Subject: [PATCH] MS cert template: add template extension to CSR + +Add the MS V2 certificate template extension to the CSR, when the +attribute is set. Failure to parse the value (as stored) merely +causes the extension to be skipped. + +Part of: https://pagure.io/certmonger/issue/78 +--- + src/certext.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 84 insertions(+), 2 deletions(-) + +diff --git a/src/certext.c b/src/certext.c +index 64ae05a..5f8a743 100644 +--- a/src/certext.c ++++ b/src/certext.c +@@ -69,7 +69,7 @@ struct kerberos_principal_name { + struct ms_template { + SECItem id; + SECItem major; +- SECItem *minor; ++ SECItem minor; + }; + + /* KerberosString: RFC 4120, 5.2.1 */ +@@ -180,7 +180,7 @@ cm_ms_template_template[] = { + .kind = SEC_ASN1_SEQUENCE, + .offset = 0, + .sub = NULL, +- .size = sizeof(struct kerberos_principal_name), ++ .size = sizeof(struct ms_template), + }, + { + .kind = SEC_ASN1_OBJECT_ID, +@@ -1593,6 +1593,76 @@ cm_certext_build_profile(struct cm_store_entry *entry, + return item; + } + ++/* Build a Microsoft certificate template extension value. 
*/ ++static SECItem * ++cm_certext_build_certificate_template( ++ PLArenaPool *arena, ++ char *template_spec) ++{ ++ struct ms_template template_data; ++ memset(&template_data, 0, sizeof(struct ms_template)); ++ ++ if (NULL == template_spec || *template_spec == '\0') ++ return NULL; ++ ++ /* strtok overwrites delimiters with null bytes; ++ * therefore duplicate the input string */ ++ char *template_spec_dup = PORT_ArenaStrdup(arena, template_spec); ++ if (NULL == template_spec_dup) ++ return NULL; ++ ++ int i = 0; ++ char *saveptr, *endptr; ++ for ( ++ char *part = strtok_r(template_spec_dup, ":", &saveptr); ++ part != NULL; ++ part = strtok_r(NULL, ":", &saveptr) ++ ) { ++ if (i == 0) { ++ // parse OID ++ if (SECSuccess != SEC_StringToOID(arena, &template_data.id, part, 0)) ++ return NULL; ++ } ++ else if (i == 1) { ++ // parse major version ++ long x = strtol(part, &endptr, 10); ++ if (*part == '\0' || *endptr != '\0') { ++ // string was empty or contained non-digits ++ return NULL; ++ } ++ if (SEC_ASN1EncodeInteger(arena, &template_data.major, x) ++ != &template_data.major) ++ return NULL; ++ } ++ else if (i == 2) { ++ // parse minor version ++ long x = strtol(part, &endptr, 10); ++ if (*part == '\0' || *endptr != '\0') { ++ // string was empty or contained non-digits ++ return NULL; ++ } ++ if (SEC_ASN1EncodeInteger(arena, &template_data.minor, x) ++ != &template_data.minor) ++ return NULL; ++ } ++ else { ++ // there are too many parts! ++ return NULL; ++ } ++ i++; ++ } ++ if (i < 2) { ++ // there are too few parts! (OID and major version are required) ++ return NULL; ++ } ++ ++ SECItem encoded; ++ if (SEC_ASN1EncodeItem(arena, &encoded, &template_data, ++ cm_ms_template_template) != &encoded) ++ return NULL; ++ return SECITEM_ArenaDupItem(arena, &encoded); ++} ++ + /* Build a Netscape certtype extension value. 
*/ + static SECItem * + cm_certext_build_ns_certtype(struct cm_store_entry *entry, +@@ -1840,6 +1910,18 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry, + i++; + } + } ++ if (entry->cm_template_certificate_template != NULL) { ++ oid = (SECOidData *) &oid_microsoft_certificate_template; ++ item = cm_certext_build_certificate_template( ++ arena, entry->cm_template_certificate_template); ++ if ((item != NULL) && (oid != NULL)) { ++ ext[i].id = oid->oid; ++ ext[i].critical = der_false; ++ ext[i].value = *item; ++ exts[i] = &ext[i]; ++ i++; ++ } ++ } + if (entry->cm_template_ns_certtype != NULL) { + oid = SECOID_FindOIDByTag(SEC_OID_NS_CERT_EXT_CERT_TYPE); + item = cm_certext_build_ns_certtype(entry, arena, +-- +2.14.4 + diff --git a/SOURCES/0016-MS-cert-template-add-option-to-command-line-programs.patch b/SOURCES/0016-MS-cert-template-add-option-to-command-line-programs.patch new file mode 100644 index 0000000..5270264 --- /dev/null +++ b/SOURCES/0016-MS-cert-template-add-option-to-command-line-programs.patch 
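Review bot: The major and minor version parsing accepts values the man page rules out: `strtol` tolerates a leading sign and whitespace, so `-1` or ` 3` pass the `*endptr` check and a negative INTEGER is encoded, and ERANGE overflow is never examined. For each of the two parses, `errno = 0; long x = strtol(part, &endptr, 10); if (errno != 0 || x < 0 || *part == '\0' || *endptr != '\0') return NULL;` would enforce the documented non-negative integer. Whether the encoder omits `minor` when only two parts are supplied depends on the `OPTIONAL` flag on the rest of `cm_ms_template_template`, which is outside the hunk, as is the sizing of `ext[]`/`exts[]` in cm_certext_build_csr_extensions, which now needs one more slot. The mixed declarations and `//` comments also differ from the surrounding file's declarations-first, `/* */` style.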
@@ -0,0 +1,246 @@ +From 199a97c11d4fc3a9e0f10e4eebf44f9f3841f8b1 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 18 Aug 2017 13:03:05 +1000 +Subject: [PATCH] MS cert template: add option to command line programs + +Add the --ms-template-spec command line argument for specifying the +value of the V2 Certificate Template extension. + +Part of: https://pagure.io/certmonger/issue/78 +--- + src/getcert-request.1.in | 6 ++++++ + src/getcert-resubmit.1.in | 6 ++++++ + src/getcert-start-tracking.1.in | 6 ++++++ + src/getcert.c | 46 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 64 insertions(+) + +diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in +index b6578dc..8269b78 100644 +--- a/src/getcert-request.1.in ++++ b/src/getcert-request.1.in +@@ -88,6 +88,12 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. + Request a certificate using the named profile, template, or certtype, + from the specified CA. + .TP ++\fB\-\-ms-template-spec\fR SPEC ++Include a V2 Certificate Template extension in the signing request. ++This datum includes an Object Identifier, a major version number ++(positive integer) and an optional minor version number. The format ++is: \fB:[:]\fR. ++.TP + \fB\-X\fR NAME + Request a certificate using the named issuer from the specified CA. + +diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in +index 165940e..62d5f28 100644 +--- a/src/getcert-resubmit.1.in ++++ b/src/getcert-resubmit.1.in +@@ -48,6 +48,12 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. + Request a certificate using the named profile, template, or certtype, + from the specified CA. + .TP ++\fB\-\-ms-template-spec\fR SPEC ++Include a V2 Certificate Template extension in the signing request. ++This datum includes an Object Identifier, a major version number ++(positive integer) and an optional minor version number. The format ++is: \fB:[:]\fR. 
++.TP + \fB\-X\fR NAME + Request a certificate using the named issuer from the specified CA. + .TP +diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in +index a46f535..9daeed3 100644 +--- a/src/getcert-start-tracking.1.in ++++ b/src/getcert-start-tracking.1.in +@@ -86,6 +86,12 @@ useful in combination with \fB\-r\fR. + Request a certificate using the named profile, template, or certtype, + from the specified CA. + .TP ++\fB\-\-ms-template-spec\fR SPEC ++Include a V2 Certificate Template extension in the signing request. ++This datum includes an Object Identifier, a major version number ++(positive integer) and an optional minor version number. The format ++is: \fB:[:]\fR. ++.TP + \fB\-X\fR NAME + Request a certificate using the named issuer from the specified CA. + +diff --git a/src/getcert.c b/src/getcert.c +index c84273a..5277a15 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -692,6 +692,7 @@ request(const char *argv0, int argc, const char **argv) + int keysize = 0, auto_renew = 1, verbose = 0, ku = 0, kubit, c, i, j; + char *ca = DEFAULT_CA, *subject = NULL, **eku = NULL, *oid, *id = NULL; + char *profile = NULL, *issuer = NULL, kustring[16]; ++ char *ms_template_spec = NULL; + char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; +@@ -732,6 +733,7 @@ request(const char *argv0, int argc, const char **argv) + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME}, + {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the 
named issuer"), HELP_TYPE_NAME}, + {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, +@@ -859,6 +861,9 @@ request(const char *argv0, int argc, const char **argv) + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'Y': ++ ms_template_spec = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'X': + issuer = talloc_strdup(globals.tctx, poptarg); + break; +@@ -1293,6 +1298,13 @@ request(const char *argv0, int argc, const char **argv) + params[i] = ¶m[i]; + i++; + } ++ if (ms_template_spec != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = ms_template_spec; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (issuer != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; + param[i].value_type = cm_tdbusm_dict_s; +@@ -1492,6 +1504,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id, + char *pin, char *pinfile, + char *cpass, char *cpassfile, + char *ca, char *profile, char *issuer, ++ char *ms_template_spec, + char *precommand, char *postcommand, + char **anchor_dbs, char **anchor_files, + dbus_bool_t auto_renew_stop, int waitreq, +@@ -1655,6 +1668,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id, + params[i] = ¶m[i]; + i++; + } ++ if (ms_template_spec != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = ms_template_spec; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (issuer != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; + param[i].value_type = cm_tdbusm_dict_s; +@@ -1745,6 +1765,7 @@ set_tracking(const char *argv0, const char *category, + char *id = NULL, *new_id = NULL, *new_request; + char *keyfile = NULL, *certfile = NULL, *ca = DEFAULT_CA; + char *profile = NULL, *issuer = NULL; ++ char 
*ms_template_spec = NULL; + char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; +@@ -1785,6 +1806,7 @@ set_tracking(const char *argv0, const char *category, + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME}, + {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("override requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("override requested extended key usage OID"), HELP_TYPE_EKU}, +@@ -1887,6 +1909,9 @@ set_tracking(const char *argv0, const char *category, + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'Y': ++ ms_template_spec = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'i': + id = talloc_strdup(globals.tctx, poptarg); + break; +@@ -2311,6 +2336,7 @@ set_tracking(const char *argv0, const char *category, + pin, pinfile, + cpass, cpassfile, + ca, profile, issuer, ++ ms_template_spec, + precommand, postcommand, + anchor_dbs, anchor_files, + (auto_renew_stop > 0), +@@ -2386,6 +2412,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + char *subject = NULL, **eku = NULL, *oid = NULL; + char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; + char *profile = NULL, *issuer = NULL, kustring[16]; ++ char *ms_template_spec = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; + char *keytype = 
NULL; +@@ -2422,6 +2449,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the current one"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME}, + {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, +@@ -2497,6 +2525,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'Y': ++ ms_template_spec = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'X': + issuer = talloc_strdup(globals.tctx, poptarg); + break; +@@ -2861,6 +2892,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + params[i] = ¶m[i]; + i++; + } ++ if (ms_template_spec != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = ms_template_spec; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (issuer != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; + param[i].value_type = cm_tdbusm_dict_s; +@@ -4677,6 +4715,8 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the default\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" --ms-template-spec SPEC\n"), ++ N_(" include V2 template specifier in CSR (format: 
OID:MAJOR-VERSION[:MINOR-VERSION])\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Parameters for the signing request:\n"), + N_(" -N NAME set requested subject name (default: CN=)\n"), +@@ -4726,6 +4766,8 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the default\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" --ms-template-spec SPEC\n"), ++ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Parameters for the signing request at renewal time:\n"), + N_(" -U EXTUSAGE override requested extended key usage OID\n"), +@@ -4805,6 +4847,8 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the current one\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" --ms-template-spec SPEC\n"), ++ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Bus options:\n"), + N_(" -S connect to the certmonger service on the system bus\n"), +@@ -4853,6 +4897,8 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the current one\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" --ms-template-spec SPEC\n"), ++ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_(" -G TYPE type of new key to be generated\n"), + N_(" -g SIZE size of new key to be generated\n"), +-- +1.8.3.1 + 
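Review bot: Each of the three fill sequences (request, add_basic_request, rekey_or_resubmit) gains one more `param[i]`/`params[i]` entry, but none of the hunks resizes the hand-counted `param[]`/`params[]` arrays that patch 0007 had to enlarge for exactly this kind of addition; add_basic_request's are `param[26]`/`params[27]` after that patch, and whether a spare slot remains cannot be told from these hunks, so the declarations should be checked and an `assert(i < sizeof(param) / sizeof(param[0]));` placed where `i` is incremented. The client forwards the spec with no local sanity check, which is fine only because the daemon validates it; a comment at the `case 'Y':` lines saying `/* validated by the daemon, see certext.c */` would stop a parallel parser being added here later. The array declarations and the rest of the three functions are outside these hunks.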
diff --git a/SOURCES/0017-MS-cert-template-validate-argument.patch b/SOURCES/0017-MS-cert-template-validate-argument.patch new file mode 100644 index 0000000..cf4d2f6 --- /dev/null +++ b/SOURCES/0017-MS-cert-template-validate-argument.patch 
@@ -0,0 +1,143 @@ +From 481fb8581fdf891b768eeb0bc88855c27689722b Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 18 Aug 2017 16:17:49 +1000 +Subject: [PATCH] MS cert template: validate argument + +Update the server to validate the MS V2 certificate template option +argument when adding or updating a request. + +Fixes: https://pagure.io/certmonger/issue/78 +--- + src/Makefile.am | 4 +++- + src/certext.c | 13 +++++++++++++ + src/certext.h | 5 +++++ + src/tdbush.c | 25 +++++++++++++++++++++++-- + 4 files changed, 44 insertions(+), 3 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 479903c..213bfa9 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -186,7 +186,7 @@ tdbusm_check_SOURCES = tdbusm-check.c tm.c tm.h + tdbusm_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(POPT_LIBS) + serial_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LTLIBICONV) + nl_check_LDADD = libcm.a $(CERTMONGER_LIBS) +-submit_x_CFLAGS = $(AM_CFLAGS) -DCM_SUBMIT_X_MAIN ++submit_x_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) -DCM_SUBMIT_X_MAIN + submit_x_SOURCES = submit-x.c submit-x.h submit-u.c submit-u.h log.c log.h \ + tm.c tm.h + submit_x_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \ +@@ -205,12 +205,14 @@ pkglibexec_PROGRAMS += local-submit + pkglibexec_PROGRAMS += scep-submit + endif + noinst_PROGRAMS += submit-h submit-d ++ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) + ipa_submit_SOURCES = ipa.c srvloc.c srvloc.h store.h store-gen.c \ + submit-x.c submit-x.h submit-u.c submit-u.h \ + submit-e.h util.c util.h log.c log.h tm.c tm.h + ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \ + $(GMP_LIBS) $(IDN_LIBS) $(OPENSSL_LIBS) $(UUID_LIBS) \ + $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS) ++certmaster_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) + certmaster_submit_SOURCES = certmaster.c submit-x.c submit-x.h \ + submit-e.h submit-u.c submit-u.h util.c util.h log.c log.h \ + tm.c tm.h +diff --git a/src/certext.c b/src/certext.c +index 
5f8a743..587496f 100644 +--- a/src/certext.c ++++ b/src/certext.c +@@ -1663,6 +1663,19 @@ cm_certext_build_certificate_template( + return SECITEM_ArenaDupItem(arena, &encoded); + } + ++/* Validate a V2 template spec */ ++PRBool cm_ms_template_valid(char *template_spec) { ++ PLArenaPool *arena = PORT_NewArena(sizeof(double)); ++ if (arena == NULL) ++ return PR_FALSE; ++ SECItem *result = ++ cm_certext_build_certificate_template(arena, template_spec); ++ PORT_FreeArena(arena, PR_FALSE); ++ // *result has been freed, but we don't read it; ++ // we only need to know whether the parse succeeded ++ return result != NULL; ++} ++ + /* Build a Netscape certtype extension value. */ + static SECItem * + cm_certext_build_ns_certtype(struct cm_store_entry *entry, +diff --git a/src/certext.h b/src/certext.h +index 530ece4..5e95835 100644 +--- a/src/certext.h ++++ b/src/certext.h +@@ -15,6 +15,8 @@ + * along with this program. If not, see . + */ + ++#include ++ + #ifndef cmcertext_h + #define cmcertext_h + +@@ -25,4 +27,7 @@ void cm_certext_build_csr_extensions(struct cm_store_entry *entry, + struct NSSInitContextStr *ctx, + unsigned char **encoded, size_t *length); + ++/* Validate a V2 template spec */ ++PRBool cm_ms_template_valid(char *template_spec); ++ + #endif +diff --git a/src/tdbush.c b/src/tdbush.c +index 9e2a372..04fe57e 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -32,6 +32,7 @@ + + #include "log.h" + #include "cm.h" ++#include "certext.h" + #include "prefs.h" + #include "store.h" + #include "store-int.h" +@@ -1572,7 +1573,18 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, + CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE, + cm_tdbusm_dict_s); + if (param != NULL) { +- // TODO check validity ++ if (param->value.s != NULL ++ && strlen(param->value.s) > 0 ++ && !cm_ms_template_valid(param->value.s)) { ++ cm_log(1, "Invalid V2 certificate template specifier: %s", param->value.s); ++ ret = send_internal_base_bad_arg_error( ++ conn, msg, ++ _("Invalid V2 
certificate template specifier: %s"), ++ param->value.s, ++ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE); ++ talloc_free(parent); ++ return ret; ++ } + new_entry->cm_template_certificate_template = maybe_strdup(new_entry, + param->value.s); + } +@@ -3330,8 +3342,17 @@ request_modify(DBusConnection *conn, DBusMessage *msg, + } else + if ((param->value_type == cm_tdbusm_dict_s) && + (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE) == 0)) { ++ if (param->value.s != NULL ++ && strlen(param->value.s) > 0 ++ && !cm_ms_template_valid(param->value.s)) { ++ cm_log(1, "Invalid V2 certificate template specifier: %s", param->value.s); ++ return send_internal_base_bad_arg_error( ++ conn, msg, ++ _("Invalid V2 certificate template specifier: %s"), ++ param->value.s, ++ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE); ++ } + talloc_free(entry->cm_template_certificate_template); +- // TODO check validity + entry->cm_template_certificate_template = + maybe_strdup(entry, param->value.s); + if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) { +-- +2.14.4 + diff --git a/SOURCES/0018-MS-cert-template-add-tests.patch b/SOURCES/0018-MS-cert-template-add-tests.patch new file mode 100644 index 0000000..22da5ab --- /dev/null +++ b/SOURCES/0018-MS-cert-template-add-tests.patch 
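Review bot: `cm_ms_template_valid` takes a non-const `char *` although it only parses its argument, and both call sites in tdbush.c hand it `param->value.s`, a string they do not intend to be modified; declaring it as `PRBool cm_ms_template_valid(const char *template_spec);` in certext.h and the definition states that contract (assuming `cm_certext_build_certificate_template` accepts a const pointer — its signature is outside the hunk). The trailing `// *result has been freed` comment is misleading: `result` points into the arena that `PORT_FreeArena` just released, so only its NULL-ness is meaningful, which `/* result points into the freed arena; only compare it against NULL */` says directly. The declaration after `if (arena == NULL) return PR_FALSE;` and the `//` comments are C99 constructs in a file whose neighbouring code declares at block top, and the follow-up 0019 patch already has to repair a C99 loop declaration in this file for older compilers, so declaring `SECItem *result;` at the top of the block with a `/* */` comment is the safer style here.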
@@ -0,0 +1,165 @@ +From c33a8fe36d340447641d4dc623c98d2bf9a2d650 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 24 Aug 2017 13:37:36 +1000 +Subject: [PATCH] MS cert template: add tests + +Part of: https://pagure.io/certmonger/issue/78 +--- + tests/038-ms-v2-template/expected.out | 19 ++++++++++ + tests/038-ms-v2-template/extract-extdata.py | 29 ++++++++++++++++ + tests/038-ms-v2-template/run.sh | 54 +++++++++++++++++++++++++++++ + tests/Makefile.am | 8 +++-- + 4 files changed, 108 insertions(+), 2 deletions(-) + create mode 100644 tests/038-ms-v2-template/expected.out + create mode 100755 tests/038-ms-v2-template/extract-extdata.py + create mode 100755 tests/038-ms-v2-template/run.sh + +diff --git a/tests/038-ms-v2-template/expected.out b/tests/038-ms-v2-template/expected.out +new file mode 100644 +index 0000000..7338a5f +--- /dev/null ++++ b/tests/038-ms-v2-template/expected.out +@@ -0,0 +1,19 @@ ++[key] ++OK. ++[csr : bogus oid] ++extension not present ++[csr : bogus major version] ++extension not present ++[csr : missing major version] ++extension not present ++[csr : too many parts] ++extension not present ++[csr : oid, major version] ++ 0:d=0 hl=2 l= 8 cons: SEQUENCE ++ 2:d=1 hl=2 l= 3 prim: OBJECT :1.2.3.4 ++ 7:d=1 hl=2 l= 1 prim: INTEGER :2A ++[csr : oid, major version, minor version] ++ 0:d=0 hl=2 l= 11 cons: SEQUENCE ++ 2:d=1 hl=2 l= 3 prim: OBJECT :1.2.3.4 ++ 7:d=1 hl=2 l= 1 prim: INTEGER :2A ++ 10:d=1 hl=2 l= 1 prim: INTEGER :11 +diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py +new file mode 100755 +index 0000000..cd96f99 +--- /dev/null ++++ b/tests/038-ms-v2-template/extract-extdata.py +@@ -0,0 +1,29 @@ ++#!/bin/python2 ++ ++# Given `openssl asn1parse` output of a CSR, look for the V2 Template ++# extension and output its data if found. Nonzero exit status if ++# not found. 
++ ++import binascii ++import re ++import sys ++ ++STATE_SEARCH, STATE_FOUND, STATE_DONE = range(3) ++ ++state = STATE_SEARCH ++ ++for line in sys.stdin: ++ if state == STATE_SEARCH and ':1.3.6.1.4.1.311.21.7' in line: ++ state = STATE_FOUND ++ continue ++ ++ # look for first OCTET STRING once we're in STATE_FOUND ++ # ++ if state == STATE_FOUND and 'OCTET STRING' in line: ++ result = re.search(r'\[HEX DUMP\]:(\w*)', line) ++ sys.stdout.write(binascii.unhexlify(result.group(1))) ++ state = STATE_DONE ++ break ++ ++if state != STATE_DONE: ++ sys.exit(1) +diff --git a/tests/038-ms-v2-template/run.sh b/tests/038-ms-v2-template/run.sh +new file mode 100755 +index 0000000..0eeb7f9 +--- /dev/null ++++ b/tests/038-ms-v2-template/run.sh +@@ -0,0 +1,54 @@ ++#!/bin/bash -e ++ ++srcdir=$PWD ++cd $tmpdir ++ ++mkconfig() { ++ cat > request <<- EOF ++ key_storage_type=FILE ++ key_storage_location=$tmpdir/key ++ cert_storage_type=FILE ++ cert_storage_location=$tmpdir/cert ++ template_subject=CN=MS V2 Certificate Template test ++ EOF ++} ++ ++echo "[key]" ++mkconfig ++$toolsdir/keygen request ++ ++echo "[csr : bogus oid]" ++mkconfig ++echo "template_certificate_template=NotAnOid:42" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py || echo "extension not present" ++ ++echo "[csr : bogus major version]" ++mkconfig ++echo "template_certificate_template=1.2.3.4:wat" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py || echo "extension not present" ++ ++echo "[csr : missing major version]" ++mkconfig ++echo "template_certificate_template=1.2.3.4" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py || echo "extension not present" ++ ++echo "[csr : too many parts]" ++mkconfig ++echo "template_certificate_template=1.2.3.4:1:1:1" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py || echo "extension not present" ++ ++echo "[csr 
: oid, major version]" ++mkconfig ++echo "template_certificate_template=1.2.3.4:42" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py | openssl asn1parse -inform DER ++ ++echo "[csr : oid, major version, minor version]" ++mkconfig ++echo "template_certificate_template=1.2.3.4:42:17" >> request ++$toolsdir/csrgen request | openssl asn1parse \ ++ | $srcdir/extract-extdata.py | openssl asn1parse -inform DER +diff --git a/tests/Makefile.am b/tests/Makefile.am +index bbcd06e..562b027 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -148,7 +148,10 @@ EXTRA_DIST = \ + 036-getcert/expected.out \ + 036-getcert/run.sh \ + 037-rekey2/expected.out \ +- 037-rekey2/run.sh ++ 037-rekey2/run.sh \ ++ 038-ms-v2-template/expected.out \ ++ 038-ms-v2-template/extract-extdata.py \ ++ 038-ms-v2-template/run.sh + + subdirs = \ + 001-keyiread \ +@@ -189,7 +192,8 @@ subdirs = \ + 034-perms \ + 035-json \ + 036-getcert \ +- 037-rekey2 ++ 037-rekey2 \ ++ 038-ms-v2-template + + if HAVE_DBM_NSSDB + subdirs += \ +-- +2.14.4 + diff --git a/SOURCES/0019-Fix-C99-build-error-on-EL7-systems.patch b/SOURCES/0019-Fix-C99-build-error-on-EL7-systems.patch new file mode 100644 index 0000000..6f711a9 --- /dev/null +++ b/SOURCES/0019-Fix-C99-build-error-on-EL7-systems.patch 
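Review bot: In run.sh the error-exit behaviour comes only from `#!/bin/bash -e`, which is lost if the harness starts the script as `bash run.sh`, and without `pipefail` a failing `$toolsdir/csrgen` or `openssl asn1parse` stage is masked by the exit status of the last pipeline stage, so the two positive cases at the end would print nothing instead of failing. Replacing the shebang with `#!/bin/bash` followed by `set -e -o pipefail` keeps the intended behaviour however the script is invoked (assuming the sibling tests' run.sh files do not rely on the shebang form). `cd $tmpdir` and the `$srcdir`/`$toolsdir` expansions are unquoted; `cd "$tmpdir"` is the usual form even if the harness never uses paths with spaces. In extract-extdata.py, `result.group(1)` raises `AttributeError` when the `[HEX DUMP]` regex does not match the OCTET STRING line, which still exits non-zero but with a traceback rather than the documented status.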
@@ -0,0 +1,37 @@
+From f1c410e315ebf70cc18296c959f40c8870d1a105 Mon Sep 17 00:00:00 2001
+From: Trevor Vaughan
+Date: Fri, 23 Feb 2018 16:10:29 -0500
+Subject: [PATCH] Fix C99 build error on EL7 systems
+
+Needed for testing #89
+---
+ src/certext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/certext.c b/src/certext.c
+index 587496f..c44c8bb 100644
+--- a/src/certext.c
++++ b/src/certext.c
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2009,2011,2012,2013,2014,2015 Red Hat, Inc.
+- *
++ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+@@ -1612,9 +1612,9 @@ cm_certext_build_certificate_template(
+ return NULL;
+
+ int i = 0;
+- char *saveptr, *endptr;
++ char *saveptr, *endptr, *part;
+ for (
+- char *part = strtok_r(template_spec_dup, ":", &saveptr);
++ part = strtok_r(template_spec_dup, ":", &saveptr);
+ part != NULL;
+ part = strtok_r(NULL, ":", &saveptr)
+ ) {
+--
+1.8.3.1
+
diff --git a/SOURCES/0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch b/SOURCES/0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch
new file mode 100644
index 0000000..593d4fb
--- /dev/null
+++ b/SOURCES/0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch
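Review bot: The first certext.c hunk changes only trailing whitespace on a copyright comment line (`- *` / `+ *`), which is unrelated to the C99 fix the patch describes; dropping it keeps the patch to the loop-declaration change and avoids a spurious conflict when the file is next rebased. The second hunk correctly hoists `part` out of the `for` initialiser, but `int i = 0;` after the preceding `return NULL;` is still a declaration after a statement, which older gcc defaults appear to accept only as an extension; moving it to the top of the block alongside `saveptr` would make the function clean under `-pedantic` as well. The enclosing function starts and ends outside the hunk.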
@@ -0,0 +1,104 @@ +From 3364f76f5984ff4cbc8e7a1a455cedfa228adc4b Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 2 Apr 2018 13:26:39 -0400 +Subject: [PATCH 20/25] If stderr is not a tty log to syslog so the helpers can + log + +All the helpers were configured to use the log method cm_log_stderr +which when exececuted as a helper from the certmonger daemon would +log nowhere. + +If stderr is detected as a tty (e.g. the helper is run directly on +the cli) then logging will go there. Otherwise it will log to +syslog (honoring the log level). +--- + src/certmaster.c | 5 ++++- + src/dogtag.c | 5 ++++- + src/ipa.c | 5 ++++- + src/local.c | 5 ++++- + src/scep.c | 5 ++++- + 5 files changed, 20 insertions(+), 5 deletions(-) + +diff --git a/src/certmaster.c b/src/certmaster.c +index 64662fa..dc68ecd 100644 +--- a/src/certmaster.c ++++ b/src/certmaster.c +@@ -86,7 +86,10 @@ main(int argc, const char **argv) + bindtextdomain(PACKAGE, MYLOCALEDIR); + #endif + +- cm_log_set_method(cm_log_stderr); ++ if (isatty(STDERR_FILENO)) ++ cm_log_set_method(cm_log_stderr); ++ else ++ cm_log_set_method(cm_log_syslog); + pctx = poptGetContext(argv[0], argc, argv, popts, 0); + if (pctx == NULL) { + return CM_SUBMIT_STATUS_UNCONFIGURED; +diff --git a/src/dogtag.c b/src/dogtag.c +index 0247cf2..3780a2d 100644 +--- a/src/dogtag.c ++++ b/src/dogtag.c +@@ -296,7 +296,10 @@ main(int argc, const char **argv) + } + + umask(S_IRWXG | S_IRWXO); +- cm_log_set_method(cm_log_stderr); ++ if (isatty(STDERR_FILENO)) ++ cm_log_set_method(cm_log_stderr); ++ else ++ cm_log_set_method(cm_log_syslog); + cm_log_set_level(verbose); + + nctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION, +diff --git a/src/ipa.c b/src/ipa.c +index 13ea4ca..1279d1c 100644 +--- a/src/ipa.c ++++ b/src/ipa.c +@@ -671,7 +671,10 @@ main(int argc, const char **argv) + } + + umask(S_IRWXG | S_IRWXO); +- cm_log_set_method(cm_log_stderr); ++ if (isatty(STDERR_FILENO)) ++ cm_log_set_method(cm_log_stderr); ++ else ++ 
cm_log_set_method(cm_log_syslog); + cm_log_set_level(verbose); + + /* Start backfilling defaults, both hard-coded and from the IPA +diff --git a/src/local.c b/src/local.c +index 74aee63..004add3 100644 +--- a/src/local.c ++++ b/src/local.c +@@ -484,7 +484,10 @@ main(int argc, const char **argv) + + umask(S_IRWXG | S_IRWXO); + +- cm_log_set_method(cm_log_stderr); ++ if (isatty(STDERR_FILENO)) ++ cm_log_set_method(cm_log_stderr); ++ else ++ cm_log_set_method(cm_log_syslog); + cm_log_set_level(verbose); + + if (localdir == NULL) { +diff --git a/src/scep.c b/src/scep.c +index 11f9ae3..0dbdcd7 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -332,7 +332,10 @@ main(int argc, const char **argv) + } + + umask(S_IRWXG | S_IRWXO); +- cm_log_set_method(cm_log_stderr); ++ if (isatty(STDERR_FILENO)) ++ cm_log_set_method(cm_log_stderr); ++ else ++ cm_log_set_method(cm_log_syslog); + cm_log_set_level(verbose); + + ctx = talloc_new(NULL); +-- +1.8.3.1 + diff --git a/SOURCES/0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch b/SOURCES/0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch new file mode 100644 index 0000000..b1ba4b0 --- /dev/null +++ b/SOURCES/0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch 
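Review bot: The same `isatty(STDERR_FILENO)` / `cm_log_set_method` selection is pasted into five helper `main()` functions (certmaster.c, dogtag.c, ipa.c, local.c, scep.c); a single function in log.c, e.g. `cm_log_set_method_auto()` (name constructed), called from each `main()` would keep the policy in one place the next time it changes. `isatty` and `STDERR_FILENO` come from `<unistd.h>`, which none of the hunks add — presumably already included in each file, but worth confirming for the ones that had no prior use of it. Once helpers log to syslog, everything they emit with `cm_log` at level 1 lands in the system log, which is worth keeping in mind for the follow-up 0021 patch that logs a whole PKCS#7 response; each `main()` continues outside its hunk.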
@@ -0,0 +1,42 @@
+From 6627c9d346b887016afa92664f690a0310d4ce00 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 2 Apr 2018 13:31:32 -0400
+Subject: [PATCH 21/25] On PKCS#7 verify failures log the PKCS#7 file, fix
+ variable used
+
+results was being used in place of results2.
+
+In practice it would be the result of GetCACaps which means it would
+log _something_, just not the failed PKCS#7 file.
+---
+ src/scep.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/scep.c b/src/scep.c
+index 0dbdcd7..5dd362d 100644
+--- a/src/scep.c
++++ b/src/scep.c
+@@ -920,15 +920,18 @@ main(int argc, const char **argv)
+ if (i != 0) {
+ printf(_("Error: failed to verify signature on "
+ "server response.\n"));
++ cm_log(1, "Error: failed to verify signature on "
++ "server response.\n");
+ while ((error = ERR_get_error()) != 0) {
+ memset(buf, '\0', sizeof(buf));
+ ERR_error_string_n(error, buf, sizeof(buf));
+ cm_log(1, "%s\n", buf);
+ }
+- s = cm_store_base64_from_bin(ctx, (unsigned char *) results,
+- results_length);
++ s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
++ results_length2);
+ s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
+ fprintf(stderr, "%s", s);
++ cm_log(1, "%s", s);
+ free(s);
+ return CM_SUBMIT_STATUS_UNREACHABLE;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/0022-Allow-configuration-of-client-SCEP-algorithms.patch b/SOURCES/0022-Allow-configuration-of-client-SCEP-algorithms.patch
new file mode 100644
index 0000000..af0d4bd
--- /dev/null
+++ b/SOURCES/0022-Allow-configuration-of-client-SCEP-algorithms.patch
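Review bot: `cm_log(1, "%s", s)` writes the entire PEM-encoded PKCS#7 response into the log at level 1; with the preceding 0020 patch routing helper logging to syslog when stderr is not a tty, every signature-verification failure now pushes a multi-line blob into syslog line by line, which is noisy for a condition a misconfigured or misbehaving CA can produce on every enrollment attempt. Keeping the dump but behind a higher verbosity, e.g. `cm_log(3, "%s", s);` (whichever level the file uses for debug detail — its conventions are outside the hunk), leaves the one-line error and the OpenSSL error strings at level 1 where they belong. The new `cm_log(1, "Error: failed to verify signature on " "server response.\n")` repeats the `printf` immediately above it, so when stderr is a tty both copies reach the terminal. `main()` continues outside the hunk.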
@@ -0,0 +1,561 @@ +From 3523ad7b8b2349ed4ee301b992797902b7288028 Mon Sep 17 00:00:00 2001 +From: Trevor Vaughan +Date: Fri, 23 Feb 2018 16:11:35 -0500 +Subject: [PATCH 22/25] Allow configuration of client SCEP algorithms + +* Allow users to set `scep_cipher` and `scep_digest` in their CA +configuration. These settings are authoritative and will override +anything from the server. This was added to support connections to +systems, such as Dogtag, that do not provide a CA capabilities string +and, therefore, are prone to causing incorrect ciphers to be used on the +client side. + +* In accordance with the latest SCEP Draft RFC, the default cipher has +been changed to AES-256 and the default digest has been changed to +SHA-256. These were chosen as reasonable defaults for most users and +systems. + +* To ease the determination of which configuration file controls what +CA, the output of `getcert list-cas -v` was updated to print a +`config-path` entry which will list the specific configuration +associated with a given CA. 
+ +Closes #89 +--- + src/getcert.c | 6 ++ + src/prefs.h | 5 ++ + src/scepgen-o.c | 182 ++++++++++++++++++++++++++++++++++++++++++------------ + src/store-files.c | 22 +++++++ + src/store-int.h | 4 ++ + src/tdbus.h | 2 + + src/tdbush.c | 149 +++++++++++++++++++++++++++++++++++++++++++- + 7 files changed, 331 insertions(+), 39 deletions(-) + +diff --git a/src/getcert.c b/src/getcert.c +index 35fd0d6..724d125 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -4157,6 +4157,12 @@ list_cas(const char *argv0, int argc, const char **argv) + if ((s != NULL) && (strlen(s) > 0)) { + printf(_("\tpost-save command: %s\n"), s); + } ++ if (verbose > 0) { ++ printf(_("\tconfig-path: %s\n"), ++ query_rep_s(bus, cas[i], CM_DBUS_CA_INTERFACE, ++ "get_config_file_path", ++ verbose, globals.tctx)); ++ } + } + return 0; + } +diff --git a/src/prefs.h b/src/prefs.h +index 231aea7..349ec64 100644 +--- a/src/prefs.h ++++ b/src/prefs.h +@@ -20,9 +20,12 @@ + + enum cm_prefs_cipher { + cm_prefs_aes128, ++ cm_prefs_aes192, + cm_prefs_aes256, + cm_prefs_des3, + cm_prefs_des, ++ /* This is for the selection logic */ ++ cm_prefs_nocipher, + }; + + enum cm_prefs_digest { +@@ -31,6 +34,8 @@ enum cm_prefs_digest { + cm_prefs_sha512, + cm_prefs_sha1, + cm_prefs_md5, ++ /* This is for the selection logic */ ++ cm_prefs_nodigest, + }; + + enum cm_notification_method; +diff --git a/src/scepgen-o.c b/src/scepgen-o.c +index d11e3de..07c2b8b 100644 +--- a/src/scepgen-o.c ++++ b/src/scepgen-o.c +@@ -433,49 +433,155 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + free(pem); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } +- cipher = cm_prefs_des; +- for (i = 0; +- (ca->cm_ca_capabilities != NULL) && +- (ca->cm_ca_capabilities[i] != NULL); +- i++) { +- capability = ca->cm_ca_capabilities[i]; +- if (strcmp(capability, "DES3") == 0) { +- cm_log(1, "Server supports DES3, using that.\n"); ++ ++ char* scep_cipher = ca->cm_ca_scep_cipher; ++ if (scep_cipher != NULL) { ++ /* Force the 
cipher to whatever is in the configuration */ ++ if (strcmp(scep_cipher, "AES256") == 0) { ++ cipher = cm_prefs_aes256; ++ } ++ else if (strcmp(scep_cipher, "AES192") == 0) { ++ cipher = cm_prefs_aes192; ++ } ++ else if (strcmp(scep_cipher, "AES128") == 0) { ++ cipher = cm_prefs_aes128; ++ } ++ else if (strcmp(scep_cipher, "DES3") == 0) { + cipher = cm_prefs_des3; +- break; +- } +- } +- if (cipher == cm_prefs_des) { +- cm_log(1, "Server does not support DES3, using DES.\n"); +- } +- pref_digest = cm_prefs_preferred_digest(); +- digest = cm_prefs_md5; +- for (i = 0; +- (ca->cm_ca_capabilities != NULL) && +- (ca->cm_ca_capabilities[i] != NULL); +- i++) { +- capability = ca->cm_ca_capabilities[i]; +- if ((pref_digest == cm_prefs_sha1) && +- (strcmp(capability, "SHA-1") == 0)) { +- cm_log(1, "Server supports SHA-1, using that.\n"); +- digest = cm_prefs_sha1; +- break; + } +- if ((pref_digest == cm_prefs_sha256) && +- (strcmp(capability, "SHA-256") == 0)) { +- cm_log(1, "Server supports SHA-256, using that.\n"); +- digest = cm_prefs_sha256; +- break; ++ else if (strcmp(scep_cipher, "DES") == 0) { ++ cipher = cm_prefs_des; + } +- if ((pref_digest == cm_prefs_sha512) && +- (strcmp(capability, "SHA-512") == 0)) { +- cm_log(1, "Server supports SHA-512, using that.\n"); +- digest = cm_prefs_sha512; +- break; ++ else { ++ cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. 
Got '%s'\n", scep_cipher); ++ _exit(1); ++ } ++ ++ cm_log(1, "SCEP cipher authoritatively set to: '%s'\n", scep_cipher); ++ } ++ else { ++ cipher = cm_prefs_nocipher; ++ for (i = 0; ++ (ca->cm_ca_capabilities != NULL) && ++ (ca->cm_ca_capabilities[i] != NULL); ++ i++) { ++ capability = ca->cm_ca_capabilities[i]; ++ if ((strcmp(capability, "AES-256") == 0) || ++ (strcmp(capability, "AES256") == 0)) { ++ cm_log(1, "Server supports AES256, using that.\n"); ++ cipher = cm_prefs_aes256; ++ break; ++ } ++ if ((strcmp(capability, "AES-192") == 0) || ++ (strcmp(capability, "AES192") == 0)) { ++ cm_log(1, "Server supports AES192, using that.\n"); ++ cipher = cm_prefs_aes192; ++ break; ++ } ++ if ((strcmp(capability, "AES-128") == 0) || ++ (strcmp(capability, "AES128") == 0)) { ++ cm_log(1, "Server supports AES128, using that.\n"); ++ cipher = cm_prefs_aes128; ++ break; ++ } ++ if (strcmp(capability, "AES") == 0) { ++ cm_log(1, "Server supports AES, using AES256.\n"); ++ cipher = cm_prefs_aes256; ++ break; ++ } ++ if (strcmp(capability, "DES3") == 0) { ++ cm_log(1, "Server supports DES3, using that.\n"); ++ cipher = cm_prefs_des3; ++ break; ++ } ++ /* This remains for backward compatibility */ ++ if (strcmp(capability, "DES") == 0) { ++ cm_log(1, "Server supports DES, using that.\n"); ++ cipher = cm_prefs_des; ++ break; ++ } ++ } ++ if (cipher == cm_prefs_nocipher) { ++ /* Per the latest Draft RFC */ ++ cm_log(1, "Could not determine supported CA capabilities, using AES256.\n"); ++ cipher = cm_prefs_aes256; + } + } +- if (digest == cm_prefs_md5) { +- cm_log(1, "Server does not support better digests, using MD5.\n"); ++ ++ char* scep_digest = ca->cm_ca_scep_digest; ++ if (scep_digest != NULL) { ++ /* Force the digest to whatever is in the configuration */ ++ if (strcmp(scep_digest, "SHA512") == 0) { ++ digest = cm_prefs_sha512; ++ } ++ else if (strcmp(scep_digest, "SHA384") == 0) { ++ digest = cm_prefs_sha384; ++ } ++ else if (strcmp(scep_digest, "SHA256") == 0) { ++ digest = 
cm_prefs_sha256; ++ } ++ else if (strcmp(scep_digest, "SHA1") == 0) { ++ digest = cm_prefs_sha1; ++ } ++ else if (strcmp(scep_digest, "MD5") == 0) { ++ digest = cm_prefs_md5; ++ } ++ else { ++ cm_log(1, "Option 'scep_digest' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_digest); ++ _exit(1); ++ } ++ ++ cm_log(1, "SCEP digest authoritatively set to: '%s'\n", scep_digest); ++ } ++ else { ++ pref_digest = cm_prefs_preferred_digest(); ++ digest = cm_prefs_nodigest; ++ for (i = 0; ++ (ca->cm_ca_capabilities != NULL) && ++ (ca->cm_ca_capabilities[i] != NULL); ++ i++) { ++ capability = ca->cm_ca_capabilities[i]; ++ if ((pref_digest == cm_prefs_sha512) && ++ ((strcmp(capability, "SHA-512") == 0) || ++ (strcmp(capability, "SHA512") == 0))) { ++ cm_log(1, "Server supports SHA-512, using that.\n"); ++ digest = cm_prefs_sha512; ++ break; ++ } ++ if ((pref_digest == cm_prefs_sha384) && ++ ((strcmp(capability, "SHA-384") == 0) || ++ (strcmp(capability, "SHA384") == 0))) { ++ cm_log(1, "Server supports SHA-384, using that.\n"); ++ digest = cm_prefs_sha384; ++ break; ++ } ++ if ((pref_digest == cm_prefs_sha256) && ++ ((strcmp(capability, "SHA-256") == 0) || ++ (strcmp(capability, "SHA256") == 0))) { ++ cm_log(1, "Server supports SHA-256, using that.\n"); ++ digest = cm_prefs_sha256; ++ break; ++ } ++ if ((pref_digest == cm_prefs_sha1) && ++ ((strcmp(capability, "SHA-1") == 0) || ++ (strcmp(capability, "SHA1") == 0))) { ++ cm_log(1, "Server supports SHA-1, using that.\n"); ++ digest = cm_prefs_sha1; ++ break; ++ } ++ /* This remains for backward compatibility */ ++ if ((pref_digest == cm_prefs_sha1) && ++ (strcmp(capability, "MD5") == 0)) { ++ cm_log(1, "Server supports MD5, using that.\n"); ++ digest = cm_prefs_md5; ++ break; ++ } ++ } ++ if (digest == cm_prefs_nodigest) { ++ /* Per the latest Draft RFC */ ++ cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n"); ++ digest = cm_prefs_sha256; ++ } + } + if (old_cert != NULL) { + if 
(cm_pkcs7_envelope_ias(ca->cm_ca_encryption_cert, cipher, +diff --git a/src/store-files.c b/src/store-files.c +index 977e896..c7195c4 100644 +--- a/src/store-files.c ++++ b/src/store-files.c +@@ -206,6 +206,8 @@ enum cm_store_file_field { + cm_store_ca_field_other_cert_nssdbs, + + cm_store_ca_field_capabilities, ++ cm_store_ca_field_scep_cipher, ++ cm_store_ca_field_scep_digest, + cm_store_ca_field_scep_ca_identifier, + cm_store_ca_field_encryption_cert, + cm_store_ca_field_encryption_issuer_cert, +@@ -385,6 +387,8 @@ static struct cm_store_file_field_list { + {cm_store_ca_field_other_cert_nssdbs, "ca_other_cert_dbs"}, + + {cm_store_ca_field_capabilities, "ca_capabilities"}, ++ {cm_store_ca_field_scep_cipher, "scep_cipher"}, ++ {cm_store_ca_field_scep_digest, "scep_digest"}, + {cm_store_ca_field_scep_ca_identifier, "scep_ca_identifier"}, + {cm_store_ca_field_encryption_cert, "ca_encryption_cert"}, + {cm_store_ca_field_encryption_issuer_cert, "ca_encryption_issuer_cert"}, +@@ -725,6 +729,8 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp) + case cm_store_ca_field_other_root_cert_nssdbs: + case cm_store_ca_field_other_cert_nssdbs: + case cm_store_ca_field_capabilities: ++ case cm_store_ca_field_scep_cipher: ++ case cm_store_ca_field_scep_digest: + case cm_store_ca_field_scep_ca_identifier: + case cm_store_ca_field_encryption_cert: + case cm_store_ca_field_encryption_issuer_cert: +@@ -1523,6 +1529,14 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) + ret->cm_ca_capabilities = + free_if_empty_multi(ret, p); + break; ++ case cm_store_ca_field_scep_cipher: ++ ret->cm_ca_scep_cipher = ++ free_if_empty(p); ++ break; ++ case cm_store_ca_field_scep_digest: ++ ret->cm_ca_scep_digest = ++ free_if_empty(p); ++ break; + case cm_store_ca_field_scep_ca_identifier: + ret->cm_ca_scep_ca_identifier = + free_if_empty(p); +@@ -2339,6 +2353,10 @@ cm_store_ca_write(FILE *fp, struct cm_store_ca *ca) + ca->cm_ca_other_cert_store_nssdbs); + 
cm_store_file_write_strs(fp, cm_store_ca_field_capabilities, + ca->cm_ca_capabilities); ++ cm_store_file_write_str(fp, cm_store_ca_field_scep_cipher, ++ ca->cm_ca_scep_cipher); ++ cm_store_file_write_str(fp, cm_store_ca_field_scep_digest, ++ ca->cm_ca_scep_digest); + cm_store_file_write_str(fp, cm_store_ca_field_scep_ca_identifier, + ca->cm_ca_scep_ca_identifier); + cm_store_file_write_str(fp, cm_store_ca_field_encryption_cert, +@@ -2861,6 +2879,10 @@ cm_store_ca_dup(void *parent, struct cm_store_ca *ca) + + ret->cm_ca_capabilities = + cm_store_maybe_strdupv(ret, ca->cm_ca_capabilities); ++ ret->cm_ca_scep_cipher = ++ cm_store_maybe_strdup(ret, ca->cm_ca_scep_cipher); ++ ret->cm_ca_scep_digest = ++ cm_store_maybe_strdup(ret, ca->cm_ca_scep_digest); + ret->cm_ca_scep_ca_identifier = + cm_store_maybe_strdup(ret, ca->cm_ca_scep_ca_identifier); + ret->cm_ca_encryption_cert = +diff --git a/src/store-int.h b/src/store-int.h +index 98b37e6..4a40406 100644 +--- a/src/store-int.h ++++ b/src/store-int.h +@@ -349,6 +349,10 @@ struct cm_store_ca { + char **cm_ca_other_cert_store_nssdbs; + /* CA capabilities. Currently only ever SCEP capabilities. */ + char **cm_ca_capabilities; ++ /* SCEP Cipher to use. Overrides CA Capabilities */ ++ char *cm_ca_scep_cipher; ++ /* SCEP Digest to use. Overrides CA Capabilities */ ++ char *cm_ca_scep_digest; + /* An SCEP CA identifier, for use in gathering an RA (and possibly a + * CA) certificate. 
*/ + char *cm_ca_scep_ca_identifier; +diff --git a/src/tdbus.h b/src/tdbus.h +index 7164f11..e63e783 100644 +--- a/src/tdbus.h ++++ b/src/tdbus.h +@@ -119,6 +119,8 @@ + #define CM_DBUS_PROP_ROOT_CERTS "root-certs" + #define CM_DBUS_PROP_OTHER_ROOT_CERTS "root-other-certs" + #define CM_DBUS_PROP_OTHER_CERTS "other-certs" ++#define CM_DBUS_PROP_SCEP_CIPHER "scep-cipher" ++#define CM_DBUS_PROP_SCEP_DIGEST "scep-digest" + #define CM_DBUS_PROP_SCEP_CA_IDENTIFIER "scep-ca-identifier" + #define CM_DBUS_PROP_SCEP_CA_CAPABILITIES "scep-ca-capabilities" + #define CM_DBUS_PROP_SCEP_RA_CERT "scep-ra-cert" +diff --git a/src/tdbush.c b/src/tdbush.c +index 04fe57e..3ce6c40 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -2128,6 +2128,27 @@ ca_get_serial(DBusConnection *conn, DBusMessage *msg, + } + } + ++/* org.fedorahosted.certonger.ca.get_config_file_path */ ++ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg, ++ struct cm_client_info *ci, struct cm_context *ctx) ++{ ++ DBusMessage *rep; ++ struct cm_store_ca *ca; ++ ca = get_ca_for_request_message(msg, ctx); ++ if (ca == NULL) { ++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; ++ } ++ rep = dbus_message_new_method_return(msg); ++ if (rep != NULL) { ++ cm_tdbusm_set_s(rep, ca->cm_store_private); ++ dbus_connection_send(conn, rep, NULL); ++ dbus_message_unref(rep); ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return send_internal_ca_error(conn, msg); ++ } ++} ++ + /* org.fedorahosted.certonger.ca.refresh */ + static DBusHandlerResult + ca_refresh(DBusConnection *conn, DBusMessage *msg, +@@ -2262,6 +2283,106 @@ ca_prop_set_external_helper(struct cm_context *ctx, void *parent, + } + + static const char * ++ca_prop_get_scep_cipher(struct cm_context *ctx, void *parent, ++ void *record, const char *name) ++{ ++ struct cm_store_ca *ca = record; ++ ++ if (strcmp(name, CM_DBUS_PROP_SCEP_CIPHER) == 0) { ++ if (ca->cm_ca_type != cm_ca_external) { ++ return ""; ++ } ++ if (ca->cm_ca_scep_cipher != NULL) { ++ return 
ca->cm_ca_scep_cipher; ++ } else { ++ return ""; ++ } ++ } ++ return NULL; ++} ++ ++static void ++ca_prop_set_scep_cipher(struct cm_context *ctx, void *parent, ++ void *record, const char *name, ++ const char *new_value) ++{ ++ const char *propname[2], *path; ++ struct cm_store_ca *ca = record; ++ enum cm_ca_phase phase; ++ ++ if (strcmp(name, CM_DBUS_PROP_SCEP_CIPHER) == 0) { ++ if (ca->cm_ca_type != cm_ca_external) { ++ return; ++ } ++ talloc_free(ca->cm_ca_scep_cipher); ++ ca->cm_ca_scep_cipher = new_value ? ++ talloc_strdup(ca, new_value) : ++ NULL; ++ for (phase = 0; phase < cm_ca_phase_invalid; phase++) { ++ cm_restart_ca(ctx, ca->cm_nickname, phase); ++ } ++ propname[0] = CM_DBUS_PROP_SCEP_CIPHER; ++ propname[1] = NULL; ++ path = talloc_asprintf(parent, "%s/%s", ++ CM_DBUS_CA_PATH, ++ ca->cm_busname); ++ cm_tdbush_property_emit_changed(ctx, path, ++ CM_DBUS_CA_INTERFACE, ++ propname); ++ } ++} ++ ++static const char * ++ca_prop_get_scep_digest(struct cm_context *ctx, void *parent, ++ void *record, const char *name) ++{ ++ struct cm_store_ca *ca = record; ++ ++ if (strcmp(name, CM_DBUS_PROP_SCEP_DIGEST) == 0) { ++ if (ca->cm_ca_type != cm_ca_external) { ++ return ""; ++ } ++ if (ca->cm_ca_scep_digest != NULL) { ++ return ca->cm_ca_scep_digest; ++ } else { ++ return ""; ++ } ++ } ++ return NULL; ++} ++ ++static void ++ca_prop_set_scep_digest(struct cm_context *ctx, void *parent, ++ void *record, const char *name, ++ const char *new_value) ++{ ++ const char *propname[2], *path; ++ struct cm_store_ca *ca = record; ++ enum cm_ca_phase phase; ++ ++ if (strcmp(name, CM_DBUS_PROP_SCEP_DIGEST) == 0) { ++ if (ca->cm_ca_type != cm_ca_external) { ++ return; ++ } ++ talloc_free(ca->cm_ca_scep_digest); ++ ca->cm_ca_scep_digest = new_value ? 
++ talloc_strdup(ca, new_value) : ++ NULL; ++ for (phase = 0; phase < cm_ca_phase_invalid; phase++) { ++ cm_restart_ca(ctx, ca->cm_nickname, phase); ++ } ++ propname[0] = CM_DBUS_PROP_SCEP_DIGEST; ++ propname[1] = NULL; ++ path = talloc_asprintf(parent, "%s/%s", ++ CM_DBUS_CA_PATH, ++ ca->cm_busname); ++ cm_tdbush_property_emit_changed(ctx, path, ++ CM_DBUS_CA_INTERFACE, ++ propname); ++ } ++} ++ ++static const char * + ca_prop_get_scep_ca_identifier(struct cm_context *ctx, void *parent, + void *record, const char *name) + { +@@ -7232,6 +7353,14 @@ cm_tdbush_iface_ca(void) + if (ret == NULL) { + ret = make_interface(CM_DBUS_CA_INTERFACE, + make_interface_item(cm_tdbush_interface_method, ++ make_method("get_config_file_path", ++ ca_get_config_file_path, ++ make_method_arg("path", ++ DBUS_TYPE_STRING_AS_STRING, ++ cm_tdbush_method_arg_out, ++ NULL), ++ NULL), ++ make_interface_item(cm_tdbush_interface_method, + make_method("get_nickname", + ca_get_nickname, + make_method_arg("nickname", +@@ -7483,6 +7612,24 @@ cm_tdbush_iface_ca(void) + NULL, NULL, NULL, NULL, NULL, + NULL), + make_interface_item(cm_tdbush_interface_property, ++ make_property(CM_DBUS_PROP_SCEP_CIPHER, ++ cm_tdbush_property_string, ++ cm_tdbush_property_readwrite, ++ cm_tdbush_property_special, ++ 0, ++ ca_prop_get_scep_cipher, NULL, NULL, NULL, NULL, ++ ca_prop_set_scep_cipher, NULL, NULL, NULL, NULL, ++ NULL), ++ make_interface_item(cm_tdbush_interface_property, ++ make_property(CM_DBUS_PROP_SCEP_DIGEST, ++ cm_tdbush_property_string, ++ cm_tdbush_property_readwrite, ++ cm_tdbush_property_special, ++ 0, ++ ca_prop_get_scep_digest, NULL, NULL, NULL, NULL, ++ ca_prop_set_scep_digest, NULL, NULL, NULL, NULL, ++ NULL), ++ make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_SCEP_CA_IDENTIFIER, + cm_tdbush_property_string, + cm_tdbush_property_readwrite, +@@ -7527,7 +7674,7 @@ cm_tdbush_iface_ca(void) + NULL, NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, NULL, + NULL), +- 
NULL)))))))))))))))))))))))))))))))))))); ++ NULL))))))))))))))))))))))))))))))))))))))); + } + return ret; + } +-- +1.8.3.1 + diff --git a/SOURCES/0023-Updates-per-Feedback.patch b/SOURCES/0023-Updates-per-Feedback.patch new file mode 100644 index 0000000..4181934 --- /dev/null +++ b/SOURCES/0023-Updates-per-Feedback.patch 
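Review bot: `ca_get_config_file_path` in tdbush.c is defined without a return type or `static`, unlike the neighbouring `static DBusHandlerResult ca_refresh(...)`; the definition should begin with `static DBusHandlerResult`, since as written it falls back to implicit `int`, which newer compilers reject. The `ca_prop_set_scep_cipher`/`ca_prop_set_scep_digest` setters store any string — including the empty string the matching getters return when the value is unset — and the only validation happens later in `cm_scepgen_o_cooked`, where an unrecognised value ends in `_exit(1)`, a different status from the `_exit(CM_SUB_STATUS_INTERNAL_ERROR)` used a few lines earlier in the same function; treating empty as unset, `ca->cm_ca_scep_cipher = (new_value && *new_value) ? talloc_strdup(ca, new_value) : NULL;` (and likewise for the digest), and rejecting unknown names at set time as 0017 does for the template spec would surface a bad value at the D-Bus call instead of at the next enrollment. In the capability scan, the selected cipher and digest depend on the order in which the server lists its capabilities — `DES3` before `AES`, or `MD5` before `SHA-1`, wins because each branch breaks on the first match — so walking a fixed preference list (strongest first) against the capability set would make the choice independent of server ordering. `cm_scepgen_o_cooked` starts and ends outside the hunk.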
@@ -0,0 +1,50 @@
+From 43392d48924d6d50ef2712947ddea424e723e171 Mon Sep 17 00:00:00 2001
+From: Trevor Vaughan
+Date: Tue, 27 Mar 2018 09:28:28 -0400
+Subject: [PATCH 23/25] Updates per Feedback
+
+Ref: #89
+---
+ src/scepgen-o.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/scepgen-o.c b/src/scepgen-o.c
+index 07c2b8b..05fc437 100644
+--- a/src/scepgen-o.c
++++ b/src/scepgen-o.c
+@@ -457,7 +457,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ _exit(1);
+ }
+ 
+- cm_log(1, "SCEP cipher authoritatively set to: '%s'\n", scep_cipher);
++ cm_log(1, "SCEP cipher set from configuration to: '%s'\n", scep_cipher);
+ }
+ else {
+ cipher = cm_prefs_nocipher;
+@@ -527,11 +527,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ digest = cm_prefs_md5;
+ }
+ else {
+- cm_log(1, "Option 'scep_digest' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_digest);
++ cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
+ _exit(1);
+ }
+ 
+- cm_log(1, "SCEP digest authoritatively set to: '%s'\n", scep_digest);
++ cm_log(1, "SCEP digest set from configuration to: '%s'\n", scep_digest);
+ }
+ else {
+ pref_digest = cm_prefs_preferred_digest();
+@@ -578,7 +578,8 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ }
+ }
+ if (digest == cm_prefs_nodigest) {
+- /* Per the latest Draft RFC */
++ /* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */
++ /* https://www.ietf.org/id/draft-gutmann-scep-10.txt */
+ cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n");
+ digest = cm_prefs_sha256;
+ }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0024-Updated-tests.patch b/SOURCES/0024-Updated-tests.patch
new file mode 100644
index 0000000..9abebc1
--- /dev/null
+++ b/SOURCES/0024-Updated-tests.patch
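Review bot: In the `@@ -527,11 +527,11 @@` hunk SHA1 and MD5 remain accepted values for scep_digest (the branch just above assigns `digest = cm_prefs_md5;`), and the renamed "SCEP digest set from configuration" message gives the operator no hint that a weak digest is now in use. Since the message text is being reworded anyway, I would add a warning right after it, e.g. `if (digest == cm_prefs_md5 || digest == cm_prefs_sha1) cm_log(1, "Warning: configured SCEP digest '%s' is weak; prefer SHA256 or stronger.\n", scep_digest);`, and the same for DES/DES3 in the cipher branch. Whether some deployed CAs still require the weak options, and so the values must stay accepted, is not visible here. cm_scepgen_o_cooked() starts and ends outside these hunks.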
@@ -0,0 +1,224 @@ +From 151699403803230e6d420b422cca13380b36e2a8 Mon Sep 17 00:00:00 2001 +From: Trevor Vaughan +Date: Tue, 27 Mar 2018 18:04:34 -0400 +Subject: [PATCH 24/25] Updated tests + +Worked around the fact that data under the 'cas' directory is +dynamically provisioned by moving from `cmp` to `diff -q -I` in +run-tests.sh and excluding everything in the dynamically generated +space. + +Ref #89 +--- + tests/028-dbus/expected.out | 42 +++++++++++++++++++++++++++++++++++++++++- + tests/033-scep/run.sh | 6 +++--- + tests/run-tests.sh | 4 +++- + 3 files changed, 47 insertions(+), 5 deletions(-) + +diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index 4c33e9a..dd9cac1 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -536,6 +536,9 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + + ++ ++ ++ + + + +@@ -580,6 +583,8 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + + ++ ++ + + + +@@ -588,6 +593,9 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + + ++[ /org/fedorahosted/certmonger/cas/CA1: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/local ++ + [ /org/fedorahosted/certmonger/cas/CA1: org.fedorahosted.certmonger.ca.get_nickname ] + local + +@@ -641,6 +649,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ ++ + + + +@@ -685,6 +696,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ + + + +@@ -693,6 +706,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/20180327134236 ++ + [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ] + SelfSign + +@@ -715,7 +731,7 @@ dbus.Array([], signature=dbus.Signature('s')) + [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.refresh ] + 1 + 
+-/org/fedorahosted/certmonger/cas/CA2: warning: property org.fedorahosted.certmonger.ca.scep-ca-identifier not settable on this object ++/org/fedorahosted/certmonger/cas/CA2: property org.fedorahosted.certmonger.ca.scep-cipher not set: (, x) + [ /org/fedorahosted/certmonger/cas/CA3: org.freedesktop.DBus.Introspectable.Introspect ] + +@@ -748,6 +764,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ ++ + + + +@@ -792,6 +811,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ + + + +@@ -800,6 +821,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/20180327134236-1 ++ + [ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ] + IPA + +@@ -853,6 +877,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ ++ + + + +@@ -897,6 +924,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ + + + +@@ -905,6 +934,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/20180327134236-2 ++ + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ] + certmaster + +@@ -958,6 +990,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ ++ + + + +@@ -1002,6 +1037,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ + + + +@@ -1010,6 +1047,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/20180327134236-3 ++ + [ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ] + dogtag-ipa-renew-agent + +diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh +index 15480ac..f270a49 100755 +--- a/tests/033-scep/run.sh ++++ b/tests/033-scep/run.sh +@@ -103,7 +103,7 @@ check_nonce() { + fi + } + +-set_digest md5 
++set_digest sha256
+ $toolsdir/scepgen ca entry > scepdata
+ 
+ echo "[req, no trust root]"
+@@ -135,7 +135,7 @@ grep ^gic: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r mini.
+ check_failed
+ echo OK
+ echo "[req, old root]"
+-set_digest md5
++set_digest sha256
+ $toolsdir/scepgen ca entry > scepdata
+ if test x`grep ^req: scepdata | cut -f2- -d:` = x ; then
+ echo missing req
+@@ -145,7 +145,7 @@ check_verified
+ check_msgtype $SCEP_MSGTYPE_PKCSREQ
+ check_txid
+ check_nonce
+-check_digest md5
++check_digest sha256
+ echo OK
+ echo "[gic, old trust root]"
+ set_digest sha1
+diff --git a/tests/run-tests.sh b/tests/run-tests.sh
+index a0f7c2d..266ddc6 100755
+--- a/tests/run-tests.sh
++++ b/tests/run-tests.sh
+@@ -77,7 +77,9 @@ for testid in "$@" $subdirs ; do
+ if ! test -s "$i" ; then
+ break
+ fi
+- if cmp -s "$tmpfile" "$i" 2> /dev/null ; then
++ # This regex needs to be ignored since it is dynamically created at
++ # every CA creation
++ if diff -q -I "tmpdir/cas/[[:digit:]]\+" "$tmpfile" "$i" 2> /dev/null ; then
+ stat=0
+ echo "OK"
+ cp $tmpfile "$builddir"/"$testid"/actual.out
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0025-Add-cipher-and-digest-difference-messages.patch b/SOURCES/0025-Add-cipher-and-digest-difference-messages.patch
new file mode 100644
index 0000000..f4ec184
--- /dev/null
+++ b/SOURCES/0025-Add-cipher-and-digest-difference-messages.patch
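Review bot: The `diff -q -I "tmpdir/cas/[[:digit:]]\+"` in the run-tests.sh hunk weakens the comparison more than the comment suggests: `-I` drops every line that contains the pattern from the comparison, so any wrong value on such a line — for instance the `get_config_file_path` outputs this same patch adds to 028-dbus/expected.out — is accepted silently, and `diff -q` also prints "Files ... differ" on stdout where `cmp -s` was quiet. Normalising only the timestamp token on both sides and keeping `cmp -s` checks the rest of the line exactly and still verifies the deterministic `-1`, `-2`, `-3` suffixes; `[[:digit:]][[:digit:]]*` avoids the GNU-only `\+`. The `<(...)` form assumes the script runs under bash, which the shebang outside this hunk would confirm; otherwise write the two normalised copies to files under `$tmpdir`. The enclosing `for testid` loop starts and ends outside the hunk.
```shell
# … unchanged: loop over expected*.out up to the "test -s" check …
# CA directories under $tmpdir/cas are named from a creation timestamp;
# rewrite only that token on both sides so the rest of the line, including
# the deterministic -N suffix, is still compared exactly.
norm_cas='s|tmpdir/cas/[[:digit:]][[:digit:]]*|tmpdir/cas/TIMESTAMP|g'
if cmp -s <(sed -e "$norm_cas" "$tmpfile") <(sed -e "$norm_cas" "$i") 2> /dev/null ; then
	stat=0
# … unchanged: echo "OK" and copy of actual.out …
```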
@@ -0,0 +1,38 @@
+From 8ee05aae1f0a85bcd763cde1dfcc8a33be85c35c Mon Sep 17 00:00:00 2001
+From: Trevor Vaughan
+Date: Wed, 11 Apr 2018 16:01:13 -0400
+Subject: [PATCH 25/25] Add cipher and digest difference messages
+
+Ensure that users know that AES is the cipher and SHA is the digest when
+CA capabilities are not supported.
+
+Ref #89
+---
+ src/scepgen-o.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/scepgen-o.c b/src/scepgen-o.c
+index 05fc437..7120ade 100644
+--- a/src/scepgen-o.c
++++ b/src/scepgen-o.c
+@@ -503,7 +503,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ }
+ if (cipher == cm_prefs_nocipher) {
+ /* Per the latest Draft RFC */
+- cm_log(1, "Could not determine supported CA capabilities, using AES256.\n");
++ cm_log(1, "Could not determine supported CA capabilities, using cipher AES256.\n");
+ cipher = cm_prefs_aes256;
+ }
+ }
+@@ -580,7 +580,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ if (digest == cm_prefs_nodigest) {
+ /* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */
+ /* https://www.ietf.org/id/draft-gutmann-scep-10.txt */
+- cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n");
++ cm_log(1, "Could not determine supported CA capabilities, using digest SHA256.\n");
+ digest = cm_prefs_sha256;
+ }
+ }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0026-Document-key-cert-file-owner-and-mode-options.patch b/SOURCES/0026-Document-key-cert-file-owner-and-mode-options.patch
new file mode 100644
index 0000000..58c6efb
--- /dev/null
+++ b/SOURCES/0026-Document-key-cert-file-owner-and-mode-options.patch
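Review bot: The cipher fallback in the `@@ -503,7 +503,7 @@` hunk still carries the uncited `/* Per the latest Draft RFC */` comment while the digest fallback a few lines later, touched by the same author, cites the exact draft; the two defaults come from the same document and should reference it the same way. I would change the comment to `/* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */` with the same URL line below it, so a later reader can check which draft the AES256 default was taken from. cm_scepgen_o_cooked() starts and ends outside these hunks.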
@@ -0,0 +1,115 @@ +From a05cc4f346011697b3a4b49abad809b00bc1105c Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 20 May 2019 16:37:23 -0400 +Subject: [PATCH 26/29] Document key/cert file owner and mode options + +The owner and permission options were available but not +documented either on the command-line or in the man page. + +Affects request, resubmit and start-tracking commands. + +https://bugzilla.redhat.com/show_bug.cgi?id=1549585 +--- + src/getcert-request.1.in | 8 ++++++++ + src/getcert-resubmit.1.in | 8 ++++++++ + src/getcert-start-tracking.1.in | 8 ++++++++ + src/getcert.c | 12 ++++++++++++ + 4 files changed, 36 insertions(+) + +diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in +index 8269b78..691ba35 100644 +--- a/src/getcert-request.1.in ++++ b/src/getcert-request.1.in +@@ -208,6 +208,14 @@ one to fail. + \fB\-v\fR + Be verbose about errors. Normally, the details of an error received from + the daemon will be suppressed if the client can make a diagnostic suggestion. ++\fB\-o\fR OWNER, --key-owner=OWNER ++After generation set the owner on the private key file or database to OWNER. ++\fB\-m\fR MODE, --key-perms=MODE ++After generation set the file permissions on the private key file or database to MODE. ++\fB\-O\fR OWNER, --cert-owner=OWNER ++After generation set the owner on the certificate file or database to OWNER. ++\fB\-M\fR MODE, --cert-perms=MODE ++After generation set the file permissions on the certificate file or database to MODE. + + .SH NOTES + Locations specified for key and certificate storage need to be +diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in +index 62d5f28..89ea609 100644 +--- a/src/getcert-resubmit.1.in ++++ b/src/getcert-resubmit.1.in +@@ -145,6 +145,14 @@ one to fail. + \fB\-v\fR + Be verbose about errors. Normally, the details of an error received from + the daemon will be suppressed if the client can make a diagnostic suggestion. 
++\fB\-o\fR OWNER, --key-owner=OWNER ++After generation set the owner on the private key file or database to OWNER. ++\fB\-m\fR MODE, --key-perms=MODE ++After generation set the file permissions on the private key file or database to MODE. ++\fB\-O\fR OWNER, --cert-owner=OWNER ++After generation set the owner on the certificate file or database to OWNER. ++\fB\-M\fR MODE, --cert-perms=MODE ++After generation set the file permissions on the certificate file or database to MODE. + + .SH BUGS + Please file tickets for any that you find at https://fedorahosted.org/certmonger/ +diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in +index 9daeed3..e1c9dd4 100644 +--- a/src/getcert-start-tracking.1.in ++++ b/src/getcert-start-tracking.1.in +@@ -181,6 +181,14 @@ the attempt to obtain a new one to fail. + \fB\-v\fR + Be verbose about errors. Normally, the details of an error received from + the daemon will be suppressed if the client can make a diagnostic suggestion. ++\fB\-o\fR OWNER, --key-owner=OWNER ++After generation set the owner on the private key file or database to OWNER. ++\fB\-m\fR MODE, --key-perms=MODE ++After generation set the file permissions on the private key file or database to MODE. ++\fB\-O\fR OWNER, --cert-owner=OWNER ++After generation set the owner on the certificate file or database to OWNER. ++\fB\-M\fR MODE, --cert-perms=MODE ++After generation set the file permissions on the certificate file or database to MODE. 
+ + .SH NOTES + Locations specified for key and certificate storage need to be +diff --git a/src/getcert.c b/src/getcert.c +index 03af587..bddba29 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -4743,6 +4743,10 @@ help(const char *twopartcmd, const char *category) + N_(" -a NSS database in which to store the CA's certificates\n"), + N_(" -w try to wait for the certificate to be issued\n"), + N_(" -v report all details of errors\n"), ++ N_(" -o OWNER owner information for private key\n"), ++ N_(" -m MODE file permissions for private key\n"), ++ N_(" -O OWNER owner information for certificate\n"), ++ N_(" -M MODE file permissions for certificate\n"), + NULL, + }; + const char *start_tracking_help[] = { +@@ -4793,6 +4797,10 @@ help(const char *twopartcmd, const char *category) + N_(" -a NSS database in which to store the CA's certificates\n"), + N_(" -w try to wait for the certificate to be issued\n"), + N_(" -v report all details of errors\n"), ++ N_(" -o OWNER owner information for private key\n"), ++ N_(" -m MODE file permissions for private key\n"), ++ N_(" -O OWNER owner information for certificate\n"), ++ N_(" -M MODE file permissions for certificate\n"), + NULL, + }; + const char *stop_tracking_help[] = { +@@ -4865,6 +4873,10 @@ help(const char *twopartcmd, const char *category) + N_(" -a NSS database in which to store the CA's certificates\n"), + N_(" -w try to wait for the certificate to be issued\n"), + N_(" -v report all details of errors\n"), ++ N_(" -o OWNER owner information for private key\n"), ++ N_(" -m MODE file permissions for private key\n"), ++ N_(" -O OWNER owner information for certificate\n"), ++ N_(" -M MODE file permissions for certificate\n"), + NULL, + }; + const char *rekey_help[] = { +-- +2.17.2 + diff --git a/SOURCES/0027-scep-correct-GetCAChain-to-GetCACertChain.patch b/SOURCES/0027-scep-correct-GetCAChain-to-GetCACertChain.patch new file mode 100644 index 0000000..2d0f054 --- /dev/null 
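Review bot: The four help lines added to each table in getcert.c say "owner information for private key" and "file permissions for private key" without indicating what form OWNER or MODE takes, and the wording differs from the man-page text added in the same patch ("After generation set the owner on the private key file or database to OWNER"). Something closer to the man page reads better, e.g. `N_(" -o OWNER set owner of the private key file or database to OWNER\n")` and `N_(" -m MODE set permissions (e.g. 0600) of the private key file or database\n")` — the octal example assumes MODE is parsed like chmod(1), which the option parser outside this hunk would need to confirm. The identical block is repeated in three tables; a shared static array would stop the wording from drifting again. help() starts and ends outside these hunks.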
+++ b/SOURCES/0027-scep-correct-GetCAChain-to-GetCACertChain.patch 
@@ -0,0 +1,2002 @@ +From b853571e14967d7b8a9fcada6576a5cf69637846 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 31 Jul 2019 14:13:09 -0400 +Subject: [PATCH 27/29] scep: correct GetCAChain to GetCACertChain + +The SCEP helper was incorrectly using "GetCAChain" as the operation +name, when the specs call the request "GetCACertChain". From report by +Jason Garland (ticket #50). +--- + Makefile.in | 15 +- + aclocal.m4 | 325 ++++++++++++++++++++++++++++------------ + compile | 9 +- + config.guess | 191 ++++++++++++++--------- + config.sub | 71 ++++++--- + dbus/Makefile.in | 4 +- + depcomp | 6 +- + install-sh | 4 +- + missing | 6 +- + src/Makefile.in | 249 +++++++++++++++++++++++++++--- + src/scep.c | 6 +- + systemd/Makefile.in | 4 +- + sysvinit/Makefile.in | 4 +- + tests/Makefile.in | 25 ++-- + tests/tools/Makefile.in | 4 +- + 15 files changed, 676 insertions(+), 247 deletions(-) + +diff --git a/Makefile.in b/Makefile.in +index 9b342bd..4885730 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -1,7 +1,7 @@ +-# Makefile.in generated by automake 1.15 from Makefile.am. ++# Makefile.in generated by automake 1.15.1 from Makefile.am. + # @configure_input@ + +-# Copyright (C) 1994-2014 Free Software Foundation, Inc. ++# Copyright (C) 1994-2017 Free Software Foundation, Inc. + + # This Makefile.in is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -162,7 +162,8 @@ CTAGS = ctags + CSCOPE = cscope + DIST_SUBDIRS = $(SUBDIRS) + am__DIST_COMMON = $(srcdir)/Makefile.in ABOUT-NLS README compile \ +- config.guess config.rpath config.sub install-sh missing ++ config.guess config.rpath config.sub depcomp install-sh \ ++ missing + DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) + distdir = $(PACKAGE)-$(VERSION) + top_distdir = $(distdir) +@@ -619,7 +620,7 @@ distdir: $(DISTFILES) + ! -type d ! 
-perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ + || chmod -R a+r "$(distdir)" + dist-gzip: distdir +- tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz ++ tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz + $(am__post_remove_distdir) + + dist-bzip2: distdir +@@ -645,7 +646,7 @@ dist-shar: distdir + @echo WARNING: "Support for shar distribution archives is" \ + "deprecated." >&2 + @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 +- shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz ++ shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz + $(am__post_remove_distdir) + + dist-zip: distdir +@@ -663,7 +664,7 @@ dist dist-all: + distcheck: dist + case '$(DIST_ARCHIVES)' in \ + *.tar.gz*) \ +- GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ ++ eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\ + *.tar.bz2*) \ + bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ + *.tar.lz*) \ +@@ -673,7 +674,7 @@ distcheck: dist + *.tar.Z*) \ + uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ + *.shar.gz*) \ +- GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ ++ eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\ + *.zip*) \ + unzip $(distdir).zip ;;\ + esac +diff --git a/aclocal.m4 b/aclocal.m4 +index ad2ebef..170d082 100644 +--- a/aclocal.m4 ++++ b/aclocal.m4 +@@ -1,6 +1,6 @@ +-# generated automatically by aclocal 1.15 -*- Autoconf -*- ++# generated automatically by aclocal 1.15.1 -*- Autoconf -*- + +-# Copyright (C) 1996-2014 Free Software Foundation, Inc. ++# Copyright (C) 1996-2017 Free Software Foundation, Inc. + + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -20,32 +20,63 @@ You have another version of autoconf. It may work, but is not guaranteed to. + If you have problems, you may need to regenerate the build system entirely. 
+ To do so, use the procedure documented by the package, typically 'autoreconf'.])]) + +-# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +-# serial 1 (pkg-config-0.24) +-# +-# Copyright © 2004 Scott James Remnant . +-# +-# This program is free software; you can redistribute it and/or modify +-# it under the terms of the GNU General Public License as published by +-# the Free Software Foundation; either version 2 of the License, or +-# (at your option) any later version. +-# +-# This program is distributed in the hope that it will be useful, but +-# WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +-# General Public License for more details. +-# +-# You should have received a copy of the GNU General Public License +-# along with this program; if not, write to the Free Software +-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +-# +-# As a special exception to the GNU General Public License, if you +-# distribute this file as part of a program that contains a +-# configuration script generated by Autoconf, you may include it under +-# the same distribution terms that you use for the rest of that program. ++# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- ++# serial 11 (pkg-config-0.29.1) + +-# PKG_PROG_PKG_CONFIG([MIN-VERSION]) +-# ---------------------------------- ++dnl Copyright © 2004 Scott James Remnant . ++dnl Copyright © 2012-2015 Dan Nicholson ++dnl ++dnl This program is free software; you can redistribute it and/or modify ++dnl it under the terms of the GNU General Public License as published by ++dnl the Free Software Foundation; either version 2 of the License, or ++dnl (at your option) any later version. ++dnl ++dnl This program is distributed in the hope that it will be useful, but ++dnl WITHOUT ANY WARRANTY; without even the implied warranty of ++dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU ++dnl General Public License for more details. ++dnl ++dnl You should have received a copy of the GNU General Public License ++dnl along with this program; if not, write to the Free Software ++dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA ++dnl 02111-1307, USA. ++dnl ++dnl As a special exception to the GNU General Public License, if you ++dnl distribute this file as part of a program that contains a ++dnl configuration script generated by Autoconf, you may include it under ++dnl the same distribution terms that you use for the rest of that ++dnl program. ++ ++dnl PKG_PREREQ(MIN-VERSION) ++dnl ----------------------- ++dnl Since: 0.29 ++dnl ++dnl Verify that the version of the pkg-config macros are at least ++dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's ++dnl installed version of pkg-config, this checks the developer's version ++dnl of pkg.m4 when generating configure. ++dnl ++dnl To ensure that this macro is defined, also add: ++dnl m4_ifndef([PKG_PREREQ], ++dnl [m4_fatal([must install pkg-config 0.29 or later before running autoconf/autogen])]) ++dnl ++dnl See the "Since" comment for each macro you use to see what version ++dnl of the macros you require. ++m4_defun([PKG_PREREQ], ++[m4_define([PKG_MACROS_VERSION], [0.29.1]) ++m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1, ++ [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])]) ++])dnl PKG_PREREQ ++ ++dnl PKG_PROG_PKG_CONFIG([MIN-VERSION]) ++dnl ---------------------------------- ++dnl Since: 0.16 ++dnl ++dnl Search for the pkg-config tool and set the PKG_CONFIG variable to ++dnl first found in the path. Checks that the version of pkg-config found ++dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is ++dnl used since that's the first version where most current features of ++dnl pkg-config existed. 
+ AC_DEFUN([PKG_PROG_PKG_CONFIG], + [m4_pattern_forbid([^_?PKG_[A-Z_]+$]) + m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$]) +@@ -67,18 +98,19 @@ if test -n "$PKG_CONFIG"; then + PKG_CONFIG="" + fi + fi[]dnl +-])# PKG_PROG_PKG_CONFIG ++])dnl PKG_PROG_PKG_CONFIG + +-# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +-# +-# Check to see whether a particular set of modules exists. Similar +-# to PKG_CHECK_MODULES(), but does not set variables or print errors. +-# +-# Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +-# only at the first occurence in configure.ac, so if the first place +-# it's called might be skipped (such as if it is within an "if", you +-# have to call PKG_CHECK_EXISTS manually +-# -------------------------------------------------------------- ++dnl PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) ++dnl ------------------------------------------------------------------- ++dnl Since: 0.18 ++dnl ++dnl Check to see whether a particular set of modules exists. Similar to ++dnl PKG_CHECK_MODULES(), but does not set variables or print errors. ++dnl ++dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) ++dnl only at the first occurence in configure.ac, so if the first place ++dnl it's called might be skipped (such as if it is within an "if", you ++dnl have to call PKG_CHECK_EXISTS manually + AC_DEFUN([PKG_CHECK_EXISTS], + [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl + if test -n "$PKG_CONFIG" && \ +@@ -88,8 +120,10 @@ m4_ifvaln([$3], [else + $3])dnl + fi]) + +-# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) +-# --------------------------------------------- ++dnl _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) ++dnl --------------------------------------------- ++dnl Internal wrapper calling pkg-config via PKG_CONFIG and setting ++dnl pkg_failed based on the result. 
+ m4_define([_PKG_CONFIG], + [if test -n "$$1"; then + pkg_cv_[]$1="$$1" +@@ -101,10 +135,11 @@ m4_define([_PKG_CONFIG], + else + pkg_failed=untried + fi[]dnl +-])# _PKG_CONFIG ++])dnl _PKG_CONFIG + +-# _PKG_SHORT_ERRORS_SUPPORTED +-# ----------------------------- ++dnl _PKG_SHORT_ERRORS_SUPPORTED ++dnl --------------------------- ++dnl Internal check to see if pkg-config supports short errors. + AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], + [AC_REQUIRE([PKG_PROG_PKG_CONFIG]) + if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then +@@ -112,19 +147,17 @@ if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + else + _pkg_short_errors_supported=no + fi[]dnl +-])# _PKG_SHORT_ERRORS_SUPPORTED ++])dnl _PKG_SHORT_ERRORS_SUPPORTED + + +-# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +-# [ACTION-IF-NOT-FOUND]) +-# +-# +-# Note that if there is a possibility the first call to +-# PKG_CHECK_MODULES might not happen, you should be sure to include an +-# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac +-# +-# +-# -------------------------------------------------------------- ++dnl PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], ++dnl [ACTION-IF-NOT-FOUND]) ++dnl -------------------------------------------------------------- ++dnl Since: 0.4.0 ++dnl ++dnl Note that if there is a possibility the first call to ++dnl PKG_CHECK_MODULES might not happen, you should be sure to include an ++dnl explicit call to PKG_PROG_PKG_CONFIG in your configure.ac + AC_DEFUN([PKG_CHECK_MODULES], + [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl + AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl +@@ -178,16 +211,40 @@ else + AC_MSG_RESULT([yes]) + $3 + fi[]dnl +-])# PKG_CHECK_MODULES ++])dnl PKG_CHECK_MODULES + + +-# PKG_INSTALLDIR(DIRECTORY) +-# ------------------------- +-# Substitutes the variable pkgconfigdir as the location where a module +-# should install pkg-config .pc files. 
By default the directory is +-# $libdir/pkgconfig, but the default can be changed by passing +-# DIRECTORY. The user can override through the --with-pkgconfigdir +-# parameter. ++dnl PKG_CHECK_MODULES_STATIC(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], ++dnl [ACTION-IF-NOT-FOUND]) ++dnl --------------------------------------------------------------------- ++dnl Since: 0.29 ++dnl ++dnl Checks for existence of MODULES and gathers its build flags with ++dnl static libraries enabled. Sets VARIABLE-PREFIX_CFLAGS from --cflags ++dnl and VARIABLE-PREFIX_LIBS from --libs. ++dnl ++dnl Note that if there is a possibility the first call to ++dnl PKG_CHECK_MODULES_STATIC might not happen, you should be sure to ++dnl include an explicit call to PKG_PROG_PKG_CONFIG in your ++dnl configure.ac. ++AC_DEFUN([PKG_CHECK_MODULES_STATIC], ++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl ++_save_PKG_CONFIG=$PKG_CONFIG ++PKG_CONFIG="$PKG_CONFIG --static" ++PKG_CHECK_MODULES($@) ++PKG_CONFIG=$_save_PKG_CONFIG[]dnl ++])dnl PKG_CHECK_MODULES_STATIC ++ ++ ++dnl PKG_INSTALLDIR([DIRECTORY]) ++dnl ------------------------- ++dnl Since: 0.27 ++dnl ++dnl Substitutes the variable pkgconfigdir as the location where a module ++dnl should install pkg-config .pc files. By default the directory is ++dnl $libdir/pkgconfig, but the default can be changed by passing ++dnl DIRECTORY. The user can override through the --with-pkgconfigdir ++dnl parameter. + AC_DEFUN([PKG_INSTALLDIR], + [m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])]) + m4_pushdef([pkg_description], +@@ -198,16 +255,18 @@ AC_ARG_WITH([pkgconfigdir], + AC_SUBST([pkgconfigdir], [$with_pkgconfigdir]) + m4_popdef([pkg_default]) + m4_popdef([pkg_description]) +-]) dnl PKG_INSTALLDIR ++])dnl PKG_INSTALLDIR + + +-# PKG_NOARCH_INSTALLDIR(DIRECTORY) +-# ------------------------- +-# Substitutes the variable noarch_pkgconfigdir as the location where a +-# module should install arch-independent pkg-config .pc files. 
By +-# default the directory is $datadir/pkgconfig, but the default can be +-# changed by passing DIRECTORY. The user can override through the +-# --with-noarch-pkgconfigdir parameter. ++dnl PKG_NOARCH_INSTALLDIR([DIRECTORY]) ++dnl -------------------------------- ++dnl Since: 0.27 ++dnl ++dnl Substitutes the variable noarch_pkgconfigdir as the location where a ++dnl module should install arch-independent pkg-config .pc files. By ++dnl default the directory is $datadir/pkgconfig, but the default can be ++dnl changed by passing DIRECTORY. The user can override through the ++dnl --with-noarch-pkgconfigdir parameter. + AC_DEFUN([PKG_NOARCH_INSTALLDIR], + [m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])]) + m4_pushdef([pkg_description], +@@ -218,13 +277,15 @@ AC_ARG_WITH([noarch-pkgconfigdir], + AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir]) + m4_popdef([pkg_default]) + m4_popdef([pkg_description]) +-]) dnl PKG_NOARCH_INSTALLDIR ++])dnl PKG_NOARCH_INSTALLDIR + + +-# PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, +-# [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +-# ------------------------------------------- +-# Retrieves the value of the pkg-config variable for the given module. ++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, ++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) ++dnl ------------------------------------------- ++dnl Since: 0.28 ++dnl ++dnl Retrieves the value of the pkg-config variable for the given module. + AC_DEFUN([PKG_CHECK_VAR], + [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl + AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl +@@ -233,9 +294,77 @@ _PKG_CONFIG([$1], [variable="][$3]["], [$2]) + AS_VAR_COPY([$1], [pkg_cv_][$1]) + + AS_VAR_IF([$1], [""], [$5], [$4])dnl +-])# PKG_CHECK_VAR ++])dnl PKG_CHECK_VAR + +-# Copyright (C) 2002-2014 Free Software Foundation, Inc. 
++dnl PKG_WITH_MODULES(VARIABLE-PREFIX, MODULES, ++dnl [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND], ++dnl [DESCRIPTION], [DEFAULT]) ++dnl ------------------------------------------ ++dnl ++dnl Prepare a "--with-" configure option using the lowercase ++dnl [VARIABLE-PREFIX] name, merging the behaviour of AC_ARG_WITH and ++dnl PKG_CHECK_MODULES in a single macro. ++AC_DEFUN([PKG_WITH_MODULES], ++[ ++m4_pushdef([with_arg], m4_tolower([$1])) ++ ++m4_pushdef([description], ++ [m4_default([$5], [build with ]with_arg[ support])]) ++ ++m4_pushdef([def_arg], [m4_default([$6], [auto])]) ++m4_pushdef([def_action_if_found], [AS_TR_SH([with_]with_arg)=yes]) ++m4_pushdef([def_action_if_not_found], [AS_TR_SH([with_]with_arg)=no]) ++ ++m4_case(def_arg, ++ [yes],[m4_pushdef([with_without], [--without-]with_arg)], ++ [m4_pushdef([with_without],[--with-]with_arg)]) ++ ++AC_ARG_WITH(with_arg, ++ AS_HELP_STRING(with_without, description[ @<:@default=]def_arg[@:>@]),, ++ [AS_TR_SH([with_]with_arg)=def_arg]) ++ ++AS_CASE([$AS_TR_SH([with_]with_arg)], ++ [yes],[PKG_CHECK_MODULES([$1],[$2],$3,$4)], ++ [auto],[PKG_CHECK_MODULES([$1],[$2], ++ [m4_n([def_action_if_found]) $3], ++ [m4_n([def_action_if_not_found]) $4])]) ++ ++m4_popdef([with_arg]) ++m4_popdef([description]) ++m4_popdef([def_arg]) ++ ++])dnl PKG_WITH_MODULES ++ ++dnl PKG_HAVE_WITH_MODULES(VARIABLE-PREFIX, MODULES, ++dnl [DESCRIPTION], [DEFAULT]) ++dnl ----------------------------------------------- ++dnl ++dnl Convenience macro to trigger AM_CONDITIONAL after PKG_WITH_MODULES ++dnl check._[VARIABLE-PREFIX] is exported as make variable. 
++AC_DEFUN([PKG_HAVE_WITH_MODULES], ++[ ++PKG_WITH_MODULES([$1],[$2],,,[$3],[$4]) ++ ++AM_CONDITIONAL([HAVE_][$1], ++ [test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"]) ++])dnl PKG_HAVE_WITH_MODULES ++ ++dnl PKG_HAVE_DEFINE_WITH_MODULES(VARIABLE-PREFIX, MODULES, ++dnl [DESCRIPTION], [DEFAULT]) ++dnl ------------------------------------------------------ ++dnl ++dnl Convenience macro to run AM_CONDITIONAL and AC_DEFINE after ++dnl PKG_WITH_MODULES check. HAVE_[VARIABLE-PREFIX] is exported as make ++dnl and preprocessor variable. ++AC_DEFUN([PKG_HAVE_DEFINE_WITH_MODULES], ++[ ++PKG_HAVE_WITH_MODULES([$1],[$2],[$3],[$4]) ++ ++AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"], ++ [AC_DEFINE([HAVE_][$1], 1, [Enable ]m4_tolower([$1])[ support])]) ++])dnl PKG_HAVE_DEFINE_WITH_MODULES ++ ++# Copyright (C) 2002-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -250,7 +379,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION], + [am__api_version='1.15' + dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to + dnl require some minimum version. Point them to the right macro. +-m4_if([$1], [1.15], [], ++m4_if([$1], [1.15.1], [], + [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl + ]) + +@@ -266,14 +395,14 @@ m4_define([_AM_AUTOCONF_VERSION], []) + # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. + # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. + AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], +-[AM_AUTOMAKE_VERSION([1.15])dnl ++[AM_AUTOMAKE_VERSION([1.15.1])dnl + m4_ifndef([AC_AUTOCONF_VERSION], + [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl + _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) + + # AM_AUX_DIR_EXPAND -*- Autoconf -*- + +-# Copyright (C) 2001-2014 Free Software Foundation, Inc. ++# Copyright (C) 2001-2017 Free Software Foundation, Inc. 
+ # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -325,7 +454,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd` + + # AM_CONDITIONAL -*- Autoconf -*- + +-# Copyright (C) 1997-2014 Free Software Foundation, Inc. ++# Copyright (C) 1997-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -356,7 +485,7 @@ AC_CONFIG_COMMANDS_PRE( + Usually this means the macro was only invoked conditionally.]]) + fi])]) + +-# Copyright (C) 1999-2014 Free Software Foundation, Inc. ++# Copyright (C) 1999-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -547,7 +676,7 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl + + # Generate code to set up dependency tracking. -*- Autoconf -*- + +-# Copyright (C) 1999-2014 Free Software Foundation, Inc. ++# Copyright (C) 1999-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -623,7 +752,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], + + # Do all the work for Automake. -*- Autoconf -*- + +-# Copyright (C) 1996-2014 Free Software Foundation, Inc. ++# Copyright (C) 1996-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -820,7 +949,7 @@ for _am_header in $config_headers :; do + done + echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) + +-# Copyright (C) 2001-2014 Free Software Foundation, Inc. ++# Copyright (C) 2001-2017 Free Software Foundation, Inc. 
+ # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -841,7 +970,7 @@ if test x"${install_sh+set}" != xset; then + fi + AC_SUBST([install_sh])]) + +-# Copyright (C) 2003-2014 Free Software Foundation, Inc. ++# Copyright (C) 2003-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -863,7 +992,7 @@ AC_SUBST([am__leading_dot])]) + # Add --enable-maintainer-mode option to configure. -*- Autoconf -*- + # From Jim Meyering + +-# Copyright (C) 1996-2014 Free Software Foundation, Inc. ++# Copyright (C) 1996-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -898,7 +1027,7 @@ AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles]) + + # Check to see how 'make' treats includes. -*- Autoconf -*- + +-# Copyright (C) 2001-2014 Free Software Foundation, Inc. ++# Copyright (C) 2001-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -948,7 +1077,7 @@ rm -f confinc confmf + + # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- + +-# Copyright (C) 1997-2014 Free Software Foundation, Inc. ++# Copyright (C) 1997-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -985,7 +1114,7 @@ else + fi + ]) + +-# Copyright (C) 2003-2014 Free Software Foundation, Inc. ++# Copyright (C) 2003-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -1019,7 +1148,7 @@ esac + + # Helper functions for option handling. 
-*- Autoconf -*- + +-# Copyright (C) 2001-2014 Free Software Foundation, Inc. ++# Copyright (C) 2001-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -1048,7 +1177,7 @@ AC_DEFUN([_AM_SET_OPTIONS], + AC_DEFUN([_AM_IF_OPTION], + [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) + +-# Copyright (C) 1999-2014 Free Software Foundation, Inc. ++# Copyright (C) 1999-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -1095,7 +1224,7 @@ AC_LANG_POP([C])]) + # For backward compatibility. + AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])]) + +-# Copyright (C) 2001-2014 Free Software Foundation, Inc. ++# Copyright (C) 2001-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -1114,7 +1243,7 @@ AC_DEFUN([AM_RUN_LOG], + + # Check to make sure that the build environment is sane. -*- Autoconf -*- + +-# Copyright (C) 1996-2014 Free Software Foundation, Inc. ++# Copyright (C) 1996-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -1195,7 +1324,7 @@ AC_CONFIG_COMMANDS_PRE( + rm -f conftest.file + ]) + +-# Copyright (C) 2009-2014 Free Software Foundation, Inc. ++# Copyright (C) 2009-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -1255,7 +1384,7 @@ AC_SUBST([AM_BACKSLASH])dnl + _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl + ]) + +-# Copyright (C) 2001-2014 Free Software Foundation, Inc. ++# Copyright (C) 2001-2017 Free Software Foundation, Inc. 
+ # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -1283,7 +1412,7 @@ fi + INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" + AC_SUBST([INSTALL_STRIP_PROGRAM])]) + +-# Copyright (C) 2006-2014 Free Software Foundation, Inc. ++# Copyright (C) 2006-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -1302,7 +1431,7 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) + + # Check how to create a tarball. -*- Autoconf -*- + +-# Copyright (C) 2004-2014 Free Software Foundation, Inc. ++# Copyright (C) 2004-2017 Free Software Foundation, Inc. + # + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +diff --git a/compile b/compile +index a85b723..2ab71e4 100755 +--- a/compile ++++ b/compile +@@ -1,9 +1,9 @@ + #! /bin/sh + # Wrapper for compilers which do not understand '-c -o'. + +-scriptversion=2012-10-14.11; # UTC ++scriptversion=2016-01-11.22; # UTC + +-# Copyright (C) 1999-2014 Free Software Foundation, Inc. ++# Copyright (C) 1999-2017 Free Software Foundation, Inc. + # Written by Tom Tromey . + # + # This program is free software; you can redistribute it and/or modify +@@ -255,7 +255,8 @@ EOF + echo "compile $scriptversion" + exit $? + ;; +- cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) ++ cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \ ++ icl | *[/\\]icl | icl.exe | *[/\\]icl.exe ) + func_cl_wrapper "$@" # Doesn't return... 
+ ;; + esac +@@ -342,6 +343,6 @@ exit $ret + # eval: (add-hook 'write-file-hooks 'time-stamp) + # time-stamp-start: "scriptversion=" + # time-stamp-format: "%:y-%02m-%02d.%02H" +-# time-stamp-time-zone: "UTC" ++# time-stamp-time-zone: "UTC0" + # time-stamp-end: "; # UTC" + # End: +diff --git a/config.guess b/config.guess +index dbfb978..a744844 100755 +--- a/config.guess ++++ b/config.guess +@@ -1,8 +1,8 @@ + #! /bin/sh + # Attempt to guess a canonical system name. +-# Copyright 1992-2015 Free Software Foundation, Inc. ++# Copyright 1992-2017 Free Software Foundation, Inc. + +-timestamp='2015-01-01' ++timestamp='2017-08-08' + + # This file is free software; you can redistribute it and/or modify it + # under the terms of the GNU General Public License as published by +@@ -27,7 +27,7 @@ timestamp='2015-01-01' + # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. + # + # You can get the latest version of this script from: +-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD ++# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess + # + # Please send patches to . + +@@ -50,7 +50,7 @@ version="\ + GNU config.guess ($timestamp) + + Originally written by Per Bothner. +-Copyright 1992-2015 Free Software Foundation, Inc. ++Copyright 1992-2017 Free Software Foundation, Inc. + + This is free software; see the source for copying conditions. There is NO + warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." +@@ -168,19 +168,29 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + # Note: NetBSD doesn't particularly care about the vendor + # portion of the name. We always set it to "unknown". 
+ sysctl="sysctl -n hw.machine_arch" +- UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ +- /usr/sbin/$sysctl 2>/dev/null || echo unknown)` ++ UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ ++ /sbin/$sysctl 2>/dev/null || \ ++ /usr/sbin/$sysctl 2>/dev/null || \ ++ echo unknown)` + case "${UNAME_MACHINE_ARCH}" in + armeb) machine=armeb-unknown ;; + arm*) machine=arm-unknown ;; + sh3el) machine=shl-unknown ;; + sh3eb) machine=sh-unknown ;; + sh5el) machine=sh5le-unknown ;; ++ earmv*) ++ arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'` ++ endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'` ++ machine=${arch}${endian}-unknown ++ ;; + *) machine=${UNAME_MACHINE_ARCH}-unknown ;; + esac + # The Operating System including object format, if it has switched +- # to ELF recently, or will in the future. ++ # to ELF recently (or will in the future) and ABI. + case "${UNAME_MACHINE_ARCH}" in ++ earm*) ++ os=netbsdelf ++ ;; + arm*|i386|m68k|ns32k|sh3*|sparc|vax) + eval $set_cc_for_build + if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ +@@ -197,6 +207,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + os=netbsd + ;; + esac ++ # Determine ABI tags. ++ case "${UNAME_MACHINE_ARCH}" in ++ earm*) ++ expr='s/^earmv[0-9]/-eabi/;s/eb$//' ++ abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"` ++ ;; ++ esac + # The OS release + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need +@@ -207,13 +224,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + release='-gnu' + ;; + *) +- release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` ++ release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2` + ;; + esac + # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: + # contains redundant information, the shorter form: + # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. 
+- echo "${machine}-${os}${release}" ++ echo "${machine}-${os}${release}${abi}" + exit ;; + *:Bitrig:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` +@@ -223,6 +240,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} + exit ;; ++ *:LibertyBSD:*:*) ++ UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` ++ echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} ++ exit ;; + *:ekkoBSD:*:*) + echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + exit ;; +@@ -235,6 +256,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + *:MirBSD:*:*) + echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + exit ;; ++ *:Sortix:*:*) ++ echo ${UNAME_MACHINE}-unknown-sortix ++ exit ;; ++ *:Redox:*:*) ++ echo ${UNAME_MACHINE}-unknown-redox ++ exit ;; + alpha:OSF1:*:*) + case $UNAME_RELEASE in + *4.0) +@@ -251,42 +278,42 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case "$ALPHA_CPU_TYPE" in + "EV4 (21064)") +- UNAME_MACHINE="alpha" ;; ++ UNAME_MACHINE=alpha ;; + "EV4.5 (21064)") +- UNAME_MACHINE="alpha" ;; ++ UNAME_MACHINE=alpha ;; + "LCA4 (21066/21068)") +- UNAME_MACHINE="alpha" ;; ++ UNAME_MACHINE=alpha ;; + "EV5 (21164)") +- UNAME_MACHINE="alphaev5" ;; ++ UNAME_MACHINE=alphaev5 ;; + "EV5.6 (21164A)") +- UNAME_MACHINE="alphaev56" ;; ++ UNAME_MACHINE=alphaev56 ;; + "EV5.6 (21164PC)") +- UNAME_MACHINE="alphapca56" ;; ++ UNAME_MACHINE=alphapca56 ;; + "EV5.7 (21164PC)") +- UNAME_MACHINE="alphapca57" ;; ++ UNAME_MACHINE=alphapca57 ;; + "EV6 (21264)") +- UNAME_MACHINE="alphaev6" ;; ++ UNAME_MACHINE=alphaev6 ;; + "EV6.7 (21264A)") +- UNAME_MACHINE="alphaev67" ;; ++ UNAME_MACHINE=alphaev67 ;; + "EV6.8CB (21264C)") +- UNAME_MACHINE="alphaev68" ;; ++ UNAME_MACHINE=alphaev68 ;; + 
"EV6.8AL (21264B)") +- UNAME_MACHINE="alphaev68" ;; ++ UNAME_MACHINE=alphaev68 ;; + "EV6.8CX (21264D)") +- UNAME_MACHINE="alphaev68" ;; ++ UNAME_MACHINE=alphaev68 ;; + "EV6.9A (21264/EV69A)") +- UNAME_MACHINE="alphaev69" ;; ++ UNAME_MACHINE=alphaev69 ;; + "EV7 (21364)") +- UNAME_MACHINE="alphaev7" ;; ++ UNAME_MACHINE=alphaev7 ;; + "EV7.9 (21364A)") +- UNAME_MACHINE="alphaev79" ;; ++ UNAME_MACHINE=alphaev79 ;; + esac + # A Pn.n version is a patched version. + # A Vn.n version is a released version. + # A Tn.n version is a released field test version. + # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. +- echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` ++ echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + # Reset EXIT trap before exiting to avoid spurious non-zero exit code. + exitcode=$? + trap '' 0 +@@ -359,16 +386,16 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + exit ;; + i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) + eval $set_cc_for_build +- SUN_ARCH="i386" ++ SUN_ARCH=i386 + # If there is a compiler, see if it is configured for 64-bit objects. + # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. + # This test works for both compilers. 
+- if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then ++ if [ "$CC_FOR_BUILD" != no_compiler_found ]; then + if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ +- (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ ++ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then +- SUN_ARCH="x86_64" ++ SUN_ARCH=x86_64 + fi + fi + echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` +@@ -393,7 +420,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + exit ;; + sun*:*:4.2BSD:*) + UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` +- test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 ++ test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3 + case "`/bin/arch`" in + sun3) + echo m68k-sun-sunos${UNAME_RELEASE} +@@ -618,13 +645,13 @@ EOF + sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case "${sc_cpu_version}" in +- 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 +- 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 ++ 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 ++ 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case "${sc_kernel_bits}" in +- 32) HP_ARCH="hppa2.0n" ;; +- 64) HP_ARCH="hppa2.0w" ;; +- '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 ++ 32) HP_ARCH=hppa2.0n ;; ++ 64) HP_ARCH=hppa2.0w ;; ++ '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 + esac ;; + esac + fi +@@ -663,11 +690,11 @@ EOF + exit (0); + } + EOF +- (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` ++ (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + test -z "$HP_ARCH" && HP_ARCH=hppa + fi ;; + esac +- if [ ${HP_ARCH} = "hppa2.0w" ] ++ if [ ${HP_ARCH} = hppa2.0w ] + then + eval $set_cc_for_build + +@@ -680,12 +707,12 @@ EOF + # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess + # => hppa64-hp-hpux11.23 + +- if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | ++ if echo __LP64__ | 
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | + grep -q __LP64__ + then +- HP_ARCH="hppa2.0w" ++ HP_ARCH=hppa2.0w + else +- HP_ARCH="hppa64" ++ HP_ARCH=hppa64 + fi + fi + echo ${HP_ARCH}-hp-hpux${HPUX_REV} +@@ -790,14 +817,14 @@ EOF + echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) +- FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` +- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` ++ FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` ++ FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + 5000:UNIX_System_V:4.*:*) +- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` +- FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` ++ FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` ++ FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) +@@ -813,10 +840,11 @@ EOF + UNAME_PROCESSOR=`/usr/bin/uname -p` + case ${UNAME_PROCESSOR} in + amd64) +- echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; +- *) +- echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; ++ UNAME_PROCESSOR=x86_64 ;; ++ i386) ++ UNAME_PROCESSOR=i586 ;; + esac ++ echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit ;; + i*:CYGWIN*:*) + echo ${UNAME_MACHINE}-pc-cygwin +@@ -879,7 +907,7 @@ EOF 
+ exit ;; + *:GNU/*:*:*) + # other systems with GNU libc and userland +- echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} ++ echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + exit ;; + i*86:Minix:*:*) + echo ${UNAME_MACHINE}-pc-minix +@@ -902,7 +930,7 @@ EOF + EV68*) UNAME_MACHINE=alphaev68 ;; + esac + objdump --private-headers /bin/sh | grep -q ld.so.1 +- if test "$?" = 0 ; then LIBC="gnulibc1" ; fi ++ if test "$?" = 0 ; then LIBC=gnulibc1 ; fi + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + arc:Linux:*:* | arceb:Linux:*:*) +@@ -933,6 +961,9 @@ EOF + crisv32:Linux:*:*) + echo ${UNAME_MACHINE}-axis-linux-${LIBC} + exit ;; ++ e2k:Linux:*:*) ++ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} ++ exit ;; + frv:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; +@@ -945,6 +976,9 @@ EOF + ia64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; ++ k1om:Linux:*:*) ++ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} ++ exit ;; + m32r*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; +@@ -970,6 +1004,9 @@ EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } + ;; ++ mips64el:Linux:*:*) ++ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} ++ exit ;; + openrisc*:Linux:*:*) + echo or1k-unknown-linux-${LIBC} + exit ;; +@@ -1002,6 +1039,9 @@ EOF + ppcle:Linux:*:*) + echo powerpcle-unknown-linux-${LIBC} + exit ;; ++ riscv32:Linux:*:* | riscv64:Linux:*:*) ++ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} ++ exit ;; + s390:Linux:*:* | s390x:Linux:*:*) + echo ${UNAME_MACHINE}-ibm-linux-${LIBC} + exit ;; +@@ -1021,7 +1061,7 @@ EOF + echo ${UNAME_MACHINE}-dec-linux-${LIBC} + exit ;; + x86_64:Linux:*:*) +- echo ${UNAME_MACHINE}-unknown-linux-${LIBC} ++ echo 
${UNAME_MACHINE}-pc-linux-${LIBC} + exit ;; + xtensa*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} +@@ -1100,7 +1140,7 @@ EOF + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i586. + # Note: whatever this is, it MUST be the same as what config.sub +- # prints for the "djgpp" host, or else GDB configury will decide that ++ # prints for the "djgpp" host, or else GDB configure will decide that + # this is a cross-build. + echo i586-pc-msdosdjgpp + exit ;; +@@ -1249,6 +1289,9 @@ EOF + SX-8R:SUPER-UX:*:*) + echo sx8r-nec-superux${UNAME_RELEASE} + exit ;; ++ SX-ACE:SUPER-UX:*:*) ++ echo sxace-nec-superux${UNAME_RELEASE} ++ exit ;; + Power*:Rhapsody:*:*) + echo powerpc-apple-rhapsody${UNAME_RELEASE} + exit ;; +@@ -1262,16 +1305,23 @@ EOF + UNAME_PROCESSOR=powerpc + fi + if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then +- if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then ++ if [ "$CC_FOR_BUILD" != no_compiler_found ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ +- (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ +- grep IS_64BIT_ARCH >/dev/null ++ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ ++ grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi ++ # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc ++ if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \ ++ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ ++ grep IS_PPC >/dev/null ++ then ++ UNAME_PROCESSOR=powerpc ++ fi + fi + elif test "$UNAME_PROCESSOR" = i386 ; then + # Avoid executing cc on OS X 10.9, as it ships with a stub +@@ -1286,7 +1336,7 @@ EOF + exit ;; + *:procnto*:*:* | *:QNX:[0123456789]*:*) + UNAME_PROCESSOR=`uname -p` +- if test "$UNAME_PROCESSOR" = "x86"; then ++ if test "$UNAME_PROCESSOR" = x86; then + UNAME_PROCESSOR=i386 + UNAME_MACHINE=pc + fi +@@ -1295,15 
+1345,18 @@ EOF + *:QNX:*:4*) + echo i386-pc-qnx + exit ;; +- NEO-?:NONSTOP_KERNEL:*:*) ++ NEO-*:NONSTOP_KERNEL:*:*) + echo neo-tandem-nsk${UNAME_RELEASE} + exit ;; + NSE-*:NONSTOP_KERNEL:*:*) + echo nse-tandem-nsk${UNAME_RELEASE} + exit ;; +- NSR-?:NONSTOP_KERNEL:*:*) ++ NSR-*:NONSTOP_KERNEL:*:*) + echo nsr-tandem-nsk${UNAME_RELEASE} + exit ;; ++ NSX-*:NONSTOP_KERNEL:*:*) ++ echo nsx-tandem-nsk${UNAME_RELEASE} ++ exit ;; + *:NonStop-UX:*:*) + echo mips-compaq-nonstopux + exit ;; +@@ -1317,7 +1370,7 @@ EOF + # "uname -m" is not consistent, so use $cputype instead. 386 + # is converted to i386 for consistency with other x86 + # operating systems. +- if test "$cputype" = "386"; then ++ if test "$cputype" = 386; then + UNAME_MACHINE=i386 + else + UNAME_MACHINE="$cputype" +@@ -1359,7 +1412,7 @@ EOF + echo i386-pc-xenix + exit ;; + i*86:skyos:*:*) +- echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' ++ echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'` + exit ;; + i*86:rdos:*:*) + echo ${UNAME_MACHINE}-pc-rdos +@@ -1370,23 +1423,25 @@ EOF + x86_64:VMkernel:*:*) + echo ${UNAME_MACHINE}-unknown-esx + exit ;; ++ amd64:Isilon\ OneFS:*:*) ++ echo x86_64-unknown-onefs ++ exit ;; + esac + + cat >&2 < in order to provide the needed +-information to handle your system. ++If $0 has already been updated, send the following data and any ++information you think might be pertinent to config-patches@gnu.org to ++provide the necessary information to handle your system. + + config.guess timestamp = $timestamp + +diff --git a/config.sub b/config.sub +index 6467c95..932128b 100755 +--- a/config.sub ++++ b/config.sub +@@ -1,8 +1,8 @@ + #! /bin/sh + # Configuration validation subroutine script. +-# Copyright 1992-2015 Free Software Foundation, Inc. ++# Copyright 1992-2017 Free Software Foundation, Inc. 
+ +-timestamp='2015-01-01' ++timestamp='2017-04-02' + + # This file is free software; you can redistribute it and/or modify it + # under the terms of the GNU General Public License as published by +@@ -33,7 +33,7 @@ timestamp='2015-01-01' + # Otherwise, we print the canonical config type on stdout and succeed. + + # You can get the latest version of this script from: +-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD ++# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub + + # This file is supposed to be the same for all GNU packages + # and recognize all the CPU types, system types and aliases +@@ -53,8 +53,7 @@ timestamp='2015-01-01' + me=`echo "$0" | sed -e 's,.*/,,'` + + usage="\ +-Usage: $0 [OPTION] CPU-MFR-OPSYS +- $0 [OPTION] ALIAS ++Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS + + Canonicalize a configuration name. + +@@ -68,7 +67,7 @@ Report bugs and patches to ." + version="\ + GNU config.sub ($timestamp) + +-Copyright 1992-2015 Free Software Foundation, Inc. ++Copyright 1992-2017 Free Software Foundation, Inc. + + This is free software; see the source for copying conditions. There is NO + warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
+@@ -117,8 +116,8 @@ maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` + case $maybe_os in + nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ + linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ +- knetbsd*-gnu* | netbsd*-gnu* | \ +- kopensolaris*-gnu* | \ ++ knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \ ++ kopensolaris*-gnu* | cloudabi*-eabi* | \ + storm-chaos* | os2-emx* | rtmk-nova*) + os=-$maybe_os + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` +@@ -255,15 +254,16 @@ case $basic_machine in + | arc | arceb \ + | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ + | avr | avr32 \ ++ | ba \ + | be32 | be64 \ + | bfin \ + | c4x | c8051 | clipper \ + | d10v | d30v | dlx | dsp16xx \ +- | epiphany \ ++ | e2k | epiphany \ + | fido | fr30 | frv | ft32 \ + | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ +- | i370 | i860 | i960 | ia64 \ ++ | i370 | i860 | i960 | ia16 | ia64 \ + | ip2k | iq2000 \ + | k1om \ + | le32 | le64 \ +@@ -301,11 +301,12 @@ case $basic_machine in + | open8 | or1k | or1knd | or32 \ + | pdp10 | pdp11 | pj | pjl \ + | powerpc | powerpc64 | powerpc64le | powerpcle \ ++ | pru \ + | pyramid \ + | riscv32 | riscv64 \ + | rl78 | rx \ + | score \ +- | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ ++ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ + | sh64 | sh64le \ + | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ + | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ +@@ -314,6 +315,7 @@ case $basic_machine in + | ubicom32 \ + | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ + | visium \ ++ | wasm32 \ + | we32k \ + | x86 | xc16x | xstormy16 | xtensa \ + | z8k | z80) +@@ -376,17 +378,18 @@ case $basic_machine in + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ + | arm-* 
| armbe-* | armle-* | armeb-* | armv*-* \ + | avr-* | avr32-* \ ++ | ba-* \ + | be32-* | be64-* \ + | bfin-* | bs2000-* \ + | c[123]* | c30-* | [cjt]90-* | c4x-* \ + | c8051-* | clipper-* | craynv-* | cydra-* \ + | d10v-* | d30v-* | dlx-* \ +- | elxsi-* \ ++ | e2k-* | elxsi-* \ + | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ + | h8300-* | h8500-* \ + | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ + | hexagon-* \ +- | i*86-* | i860-* | i960-* | ia64-* \ ++ | i*86-* | i860-* | i960-* | ia16-* | ia64-* \ + | ip2k-* | iq2000-* \ + | k1om-* \ + | le32-* | le64-* \ +@@ -427,13 +430,15 @@ case $basic_machine in + | orion-* \ + | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ + | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ ++ | pru-* \ + | pyramid-* \ ++ | riscv32-* | riscv64-* \ + | rl78-* | romp-* | rs6000-* | rx-* \ + | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ + | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ + | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ + | sparclite-* \ +- | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ ++ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \ + | tahoe-* \ + | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ + | tile*-* \ +@@ -442,6 +447,7 @@ case $basic_machine in + | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ + | vax-* \ + | visium-* \ ++ | wasm32-* \ + | we32k-* \ + | x86-* | x86_64-* | xc16x-* | xps100-* \ + | xstormy16-* | xtensa*-* \ +@@ -518,6 +524,9 @@ case $basic_machine in + basic_machine=i386-pc + os=-aros + ;; ++ asmjs) ++ basic_machine=asmjs-unknown ++ ;; + aux) + basic_machine=m68k-apple + os=-aux +@@ -638,6 +647,14 @@ case $basic_machine in + basic_machine=m68k-bull + os=-sysv3 + ;; ++ e500v[12]) ++ basic_machine=powerpc-unknown ++ os=$os"spe" ++ ;; ++ e500v[12]-*) ++ basic_machine=powerpc-`echo $basic_machine | sed 
's/^[^-]*-//'` ++ os=$os"spe" ++ ;; + ebmon29k) + basic_machine=a29k-amd + os=-ebmon +@@ -933,6 +950,9 @@ case $basic_machine in + nsr-tandem) + basic_machine=nsr-tandem + ;; ++ nsx-tandem) ++ basic_machine=nsx-tandem ++ ;; + op50n-* | op60c-*) + basic_machine=hppa1.1-oki + os=-proelf +@@ -1017,7 +1037,7 @@ case $basic_machine in + ppc-* | ppcbe-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; +- ppcle | powerpclittle | ppc-le | powerpc-little) ++ ppcle | powerpclittle) + basic_machine=powerpcle-unknown + ;; + ppcle-* | powerpclittle-*) +@@ -1027,7 +1047,7 @@ case $basic_machine in + ;; + ppc64-* | ppc64p7-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; +- ppc64le | powerpc64little | ppc64-le | powerpc64-little) ++ ppc64le | powerpc64little) + basic_machine=powerpc64le-unknown + ;; + ppc64le-* | powerpc64little-*) +@@ -1228,6 +1248,9 @@ case $basic_machine in + basic_machine=a29k-wrs + os=-vxworks + ;; ++ wasm32) ++ basic_machine=wasm32-unknown ++ ;; + w65*) + basic_machine=w65-wdc + os=-none +@@ -1373,18 +1396,18 @@ case $os in + | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ + | -sym* | -kopensolaris* | -plan9* \ + | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ +- | -aos* | -aros* \ ++ | -aos* | -aros* | -cloudabi* | -sortix* \ + | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ + | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ + | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ +- | -bitrig* | -openbsd* | -solidbsd* \ ++ | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \ + | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ + | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ + | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ + | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ +- | -chorusos* | -chorusrdb* | -cegcc* \ ++ | -chorusos* | -chorusrdb* | -cegcc* | -glidix* \ + | -cygwin* | -msys* | -pe* | -psos* 
| -moss* | -proelf* | -rtems* \ +- | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ ++ | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ + | -linux-newlib* | -linux-musl* | -linux-uclibc* \ + | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ + | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ +@@ -1393,7 +1416,8 @@ case $os in + | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ + | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ + | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ +- | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) ++ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \ ++ | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox*) + # Remember, each alternative MUST END IN *, to match a version number. + ;; + -qnx*) +@@ -1525,6 +1549,8 @@ case $os in + ;; + -nacl*) + ;; ++ -ios) ++ ;; + -none) + ;; + *) +@@ -1620,6 +1646,9 @@ case $basic_machine in + sparc-* | *-sun) + os=-sunos4.1.1 + ;; ++ pru-*) ++ os=-elf ++ ;; + *-be) + os=-beos + ;; +diff --git a/dbus/Makefile.in b/dbus/Makefile.in +index 579f2ac..0dac7d6 100644 +--- a/dbus/Makefile.in ++++ b/dbus/Makefile.in +@@ -1,7 +1,7 @@ +-# Makefile.in generated by automake 1.15 from Makefile.am. ++# Makefile.in generated by automake 1.15.1 from Makefile.am. + # @configure_input@ + +-# Copyright (C) 1994-2014 Free Software Foundation, Inc. ++# Copyright (C) 1994-2017 Free Software Foundation, Inc. + + # This Makefile.in is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +diff --git a/depcomp b/depcomp +index fc98710..b39f98f 100755 +--- a/depcomp ++++ b/depcomp +@@ -1,9 +1,9 @@ + #! /bin/sh + # depcomp - compile a program generating dependencies as side-effects + +-scriptversion=2013-05-30.07; # UTC ++scriptversion=2016-01-11.22; # UTC + +-# Copyright (C) 1999-2014 Free Software Foundation, Inc. ++# Copyright (C) 1999-2017 Free Software Foundation, Inc. 
+ + # This program is free software; you can redistribute it and/or modify + # it under the terms of the GNU General Public License as published by +@@ -786,6 +786,6 @@ exit 0 + # eval: (add-hook 'write-file-hooks 'time-stamp) + # time-stamp-start: "scriptversion=" + # time-stamp-format: "%:y-%02m-%02d.%02H" +-# time-stamp-time-zone: "UTC" ++# time-stamp-time-zone: "UTC0" + # time-stamp-end: "; # UTC" + # End: +diff --git a/install-sh b/install-sh +index 0b0fdcb..0360b79 100755 +--- a/install-sh ++++ b/install-sh +@@ -1,7 +1,7 @@ + #!/bin/sh + # install - install a program, script, or datafile + +-scriptversion=2013-12-25.23; # UTC ++scriptversion=2016-01-11.22; # UTC + + # This originates from X11R5 (mit/util/scripts/install.sh), which was + # later released in X11R6 (xc/config/util/install.sh) with the +@@ -496,6 +496,6 @@ done + # eval: (add-hook 'write-file-hooks 'time-stamp) + # time-stamp-start: "scriptversion=" + # time-stamp-format: "%:y-%02m-%02d.%02H" +-# time-stamp-time-zone: "UTC" ++# time-stamp-time-zone: "UTC0" + # time-stamp-end: "; # UTC" + # End: +diff --git a/missing b/missing +index f62bbae..c6e3795 100755 +--- a/missing ++++ b/missing +@@ -1,9 +1,9 @@ + #! /bin/sh + # Common wrapper for a few potentially missing GNU programs. + +-scriptversion=2013-10-28.13; # UTC ++scriptversion=2016-01-11.22; # UTC + +-# Copyright (C) 1996-2014 Free Software Foundation, Inc. ++# Copyright (C) 1996-2017 Free Software Foundation, Inc. + # Originally written by Fran,cois Pinard , 1996. 
+ + # This program is free software; you can redistribute it and/or modify +@@ -210,6 +210,6 @@ exit $st + # eval: (add-hook 'write-file-hooks 'time-stamp) + # time-stamp-start: "scriptversion=" + # time-stamp-format: "%:y-%02m-%02d.%02H" +-# time-stamp-time-zone: "UTC" ++# time-stamp-time-zone: "UTC0" + # time-stamp-end: "; # UTC" + # End: +diff --git a/src/Makefile.in b/src/Makefile.in +index b8b61af..471a2c6 100644 +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -1,7 +1,7 @@ +-# Makefile.in generated by automake 1.15 from Makefile.am. ++# Makefile.in generated by automake 1.15.1 from Makefile.am. + # @configure_input@ + +-# Copyright (C) 1994-2014 Free Software Foundation, Inc. ++# Copyright (C) 1994-2017 Free Software Foundation, Inc. + + # This Makefile.in is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -229,13 +229,18 @@ am__DEPENDENCIES_2 = libcm.a $(am__DEPENDENCIES_1) \ + @WITH_IPA_TRUE@ $(am__DEPENDENCIES_2) + certmaster_getcert_LINK = $(CCLD) $(certmaster_getcert_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +-am_certmaster_submit_OBJECTS = certmaster.$(OBJEXT) submit-x.$(OBJEXT) \ +- submit-u.$(OBJEXT) util.$(OBJEXT) log.$(OBJEXT) tm.$(OBJEXT) ++am_certmaster_submit_OBJECTS = certmaster_submit-certmaster.$(OBJEXT) \ ++ certmaster_submit-submit-x.$(OBJEXT) \ ++ certmaster_submit-submit-u.$(OBJEXT) \ ++ certmaster_submit-util.$(OBJEXT) \ ++ certmaster_submit-log.$(OBJEXT) certmaster_submit-tm.$(OBJEXT) + certmaster_submit_OBJECTS = $(am_certmaster_submit_OBJECTS) + certmaster_submit_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) ++certmaster_submit_LINK = $(CCLD) $(certmaster_submit_CFLAGS) $(CFLAGS) \ ++ $(AM_LDFLAGS) $(LDFLAGS) -o $@ + am_certmonger_OBJECTS = main.$(OBJEXT) env-system.$(OBJEXT) \ + tm.$(OBJEXT) + certmonger_OBJECTS = 
$(am_certmonger_OBJECTS) +@@ -308,9 +313,11 @@ ipa_getcert_OBJECTS = $(am_ipa_getcert_OBJECTS) + @WITH_IPA_TRUE@ipa_getcert_DEPENDENCIES = $(am__DEPENDENCIES_2) + ipa_getcert_LINK = $(CCLD) $(ipa_getcert_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +-am_ipa_submit_OBJECTS = ipa.$(OBJEXT) srvloc.$(OBJEXT) \ +- store-gen.$(OBJEXT) submit-x.$(OBJEXT) submit-u.$(OBJEXT) \ +- util.$(OBJEXT) log.$(OBJEXT) tm.$(OBJEXT) ++am_ipa_submit_OBJECTS = ipa_submit-ipa.$(OBJEXT) \ ++ ipa_submit-srvloc.$(OBJEXT) ipa_submit-store-gen.$(OBJEXT) \ ++ ipa_submit-submit-x.$(OBJEXT) ipa_submit-submit-u.$(OBJEXT) \ ++ ipa_submit-util.$(OBJEXT) ipa_submit-log.$(OBJEXT) \ ++ ipa_submit-tm.$(OBJEXT) + ipa_submit_OBJECTS = $(am_ipa_submit_OBJECTS) + ipa_submit_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@@ -318,6 +325,8 @@ ipa_submit_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) ++ipa_submit_LINK = $(CCLD) $(ipa_submit_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ ++ $(LDFLAGS) -o $@ + am_local_getcert_OBJECTS = local_getcert-local-getcert.$(OBJEXT) \ + local_getcert-tm.$(OBJEXT) + local_getcert_OBJECTS = $(am_local_getcert_OBJECTS) +@@ -898,7 +907,7 @@ tdbusm_check_SOURCES = tdbusm-check.c tm.c tm.h + tdbusm_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(POPT_LIBS) + serial_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LTLIBICONV) + nl_check_LDADD = libcm.a $(CERTMONGER_LIBS) +-submit_x_CFLAGS = $(AM_CFLAGS) -DCM_SUBMIT_X_MAIN ++submit_x_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) -DCM_SUBMIT_X_MAIN + submit_x_SOURCES = submit-x.c submit-x.h submit-u.c submit-u.h log.c log.h \ + tm.c tm.h + +@@ -907,6 +916,7 @@ submit_x_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \ + + toklist_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) + toklist_LDADD = $(NSS_LIBS) $(POPT_LIBS) ++ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) + 
ipa_submit_SOURCES = ipa.c srvloc.c srvloc.h store.h store-gen.c \ + submit-x.c submit-x.h submit-u.c submit-u.h \ + submit-e.h util.c util.h log.c log.h tm.c tm.h +@@ -915,6 +925,7 @@ ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \ + $(GMP_LIBS) $(IDN_LIBS) $(OPENSSL_LIBS) $(UUID_LIBS) \ + $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS) + ++certmaster_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) + certmaster_submit_SOURCES = certmaster.c submit-x.c submit-x.h \ + submit-e.h submit-u.c submit-u.h util.c util.h log.c log.h \ + tm.c tm.h +@@ -1242,7 +1253,7 @@ certmaster-getcert$(EXEEXT): $(certmaster_getcert_OBJECTS) $(certmaster_getcert_ + + certmaster-submit$(EXEEXT): $(certmaster_submit_OBJECTS) $(certmaster_submit_DEPENDENCIES) $(EXTRA_certmaster_submit_DEPENDENCIES) + @rm -f certmaster-submit$(EXEEXT) +- $(AM_V_CCLD)$(LINK) $(certmaster_submit_OBJECTS) $(certmaster_submit_LDADD) $(LIBS) ++ $(AM_V_CCLD)$(certmaster_submit_LINK) $(certmaster_submit_OBJECTS) $(certmaster_submit_LDADD) $(LIBS) + + certmonger$(EXEEXT): $(certmonger_OBJECTS) $(certmonger_DEPENDENCIES) $(EXTRA_certmonger_DEPENDENCIES) + @rm -f certmonger$(EXEEXT) +@@ -1270,7 +1281,7 @@ ipa-getcert$(EXEEXT): $(ipa_getcert_OBJECTS) $(ipa_getcert_DEPENDENCIES) $(EXTRA + + ipa-submit$(EXEEXT): $(ipa_submit_OBJECTS) $(ipa_submit_DEPENDENCIES) $(EXTRA_ipa_submit_DEPENDENCIES) + @rm -f ipa-submit$(EXEEXT) +- $(AM_V_CCLD)$(LINK) $(ipa_submit_OBJECTS) $(ipa_submit_LDADD) $(LIBS) ++ $(AM_V_CCLD)$(ipa_submit_LINK) $(ipa_submit_OBJECTS) $(ipa_submit_LDADD) $(LIBS) + + local-getcert$(EXEEXT): $(local_getcert_OBJECTS) $(local_getcert_DEPENDENCIES) $(EXTRA_local_getcert_DEPENDENCIES) + @rm -f local-getcert$(EXEEXT) +@@ -1326,9 +1337,14 @@ mostlyclean-compile: + distclean-compile: + -rm -f *.tab.c + +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certmaster.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certmaster_getcert-certmaster-getcert.Po@am__quote@ + 
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certmaster_getcert-tm.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certmaster_submit-certmaster.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certmaster_submit-log.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certmaster_submit-submit-u.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certmaster_submit-submit-x.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certmaster_submit-tm.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certmaster_submit-util.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dogtag_ipa_renew_agent_submit-dogtag-ipa.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dogtag_ipa_renew_agent_submit-dogtag.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dogtag_ipa_renew_agent_submit-env-system.Po@am__quote@ +@@ -1358,9 +1374,16 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/env-system.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getcert-getcert.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getcert-tm.Po@am__quote@ +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_getcert-ipa-getcert.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_getcert-tm.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_submit-ipa.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_submit-log.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_submit-srvloc.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_submit-store-gen.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_submit-submit-u.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_submit-submit-x.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/ipa_submit-tm.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_submit-util.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcm_a-cadata.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcm_a-canalyze.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcm_a-casave.Po@am__quote@ +@@ -1432,7 +1455,6 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_submit-tm.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_submit-util-o.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_submit-util.Po@am__quote@ +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/main.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nl-check.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scep_submit-env-system.Po@am__quote@ +@@ -1452,10 +1474,6 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/selfsign_getcert-selfsign-getcert.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/selfsign_getcert-tm.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serial-check.Po@am__quote@ +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srvloc.Po@am__quote@ +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/store-gen.Po@am__quote@ +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/submit-u.Po@am__quote@ +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/submit-x.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/submit_d-log.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/submit_d-submit-d.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/submit_d-submit-h.Po@am__quote@ +@@ -1475,7 +1493,6 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tlslayer-tlslayer.Po@am__quote@ + @AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/tm.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/toklist-toklist.Po@am__quote@ +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/util.Po@am__quote@ + + .c.o: + @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@@ -2305,6 +2322,90 @@ certmaster_getcert-tm.obj: tm.c + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_getcert_CFLAGS) $(CFLAGS) -c -o certmaster_getcert-tm.obj `if test -f 'tm.c'; then $(CYGPATH_W) 'tm.c'; else $(CYGPATH_W) '$(srcdir)/tm.c'; fi` + ++certmaster_submit-certmaster.o: certmaster.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-certmaster.o -MD -MP -MF $(DEPDIR)/certmaster_submit-certmaster.Tpo -c -o certmaster_submit-certmaster.o `test -f 'certmaster.c' || echo '$(srcdir)/'`certmaster.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-certmaster.Tpo $(DEPDIR)/certmaster_submit-certmaster.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='certmaster.c' object='certmaster_submit-certmaster.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-certmaster.o `test -f 'certmaster.c' || echo '$(srcdir)/'`certmaster.c ++ ++certmaster_submit-certmaster.obj: certmaster.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-certmaster.obj -MD -MP -MF $(DEPDIR)/certmaster_submit-certmaster.Tpo -c 
-o certmaster_submit-certmaster.obj `if test -f 'certmaster.c'; then $(CYGPATH_W) 'certmaster.c'; else $(CYGPATH_W) '$(srcdir)/certmaster.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-certmaster.Tpo $(DEPDIR)/certmaster_submit-certmaster.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='certmaster.c' object='certmaster_submit-certmaster.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-certmaster.obj `if test -f 'certmaster.c'; then $(CYGPATH_W) 'certmaster.c'; else $(CYGPATH_W) '$(srcdir)/certmaster.c'; fi` ++ ++certmaster_submit-submit-x.o: submit-x.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-submit-x.o -MD -MP -MF $(DEPDIR)/certmaster_submit-submit-x.Tpo -c -o certmaster_submit-submit-x.o `test -f 'submit-x.c' || echo '$(srcdir)/'`submit-x.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-submit-x.Tpo $(DEPDIR)/certmaster_submit-submit-x.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='submit-x.c' object='certmaster_submit-submit-x.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-submit-x.o `test -f 'submit-x.c' || echo '$(srcdir)/'`submit-x.c ++ ++certmaster_submit-submit-x.obj: submit-x.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-submit-x.obj 
-MD -MP -MF $(DEPDIR)/certmaster_submit-submit-x.Tpo -c -o certmaster_submit-submit-x.obj `if test -f 'submit-x.c'; then $(CYGPATH_W) 'submit-x.c'; else $(CYGPATH_W) '$(srcdir)/submit-x.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-submit-x.Tpo $(DEPDIR)/certmaster_submit-submit-x.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='submit-x.c' object='certmaster_submit-submit-x.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-submit-x.obj `if test -f 'submit-x.c'; then $(CYGPATH_W) 'submit-x.c'; else $(CYGPATH_W) '$(srcdir)/submit-x.c'; fi` ++ ++certmaster_submit-submit-u.o: submit-u.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-submit-u.o -MD -MP -MF $(DEPDIR)/certmaster_submit-submit-u.Tpo -c -o certmaster_submit-submit-u.o `test -f 'submit-u.c' || echo '$(srcdir)/'`submit-u.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-submit-u.Tpo $(DEPDIR)/certmaster_submit-submit-u.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='submit-u.c' object='certmaster_submit-submit-u.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-submit-u.o `test -f 'submit-u.c' || echo '$(srcdir)/'`submit-u.c ++ ++certmaster_submit-submit-u.obj: submit-u.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT 
certmaster_submit-submit-u.obj -MD -MP -MF $(DEPDIR)/certmaster_submit-submit-u.Tpo -c -o certmaster_submit-submit-u.obj `if test -f 'submit-u.c'; then $(CYGPATH_W) 'submit-u.c'; else $(CYGPATH_W) '$(srcdir)/submit-u.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-submit-u.Tpo $(DEPDIR)/certmaster_submit-submit-u.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='submit-u.c' object='certmaster_submit-submit-u.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-submit-u.obj `if test -f 'submit-u.c'; then $(CYGPATH_W) 'submit-u.c'; else $(CYGPATH_W) '$(srcdir)/submit-u.c'; fi` ++ ++certmaster_submit-util.o: util.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-util.o -MD -MP -MF $(DEPDIR)/certmaster_submit-util.Tpo -c -o certmaster_submit-util.o `test -f 'util.c' || echo '$(srcdir)/'`util.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-util.Tpo $(DEPDIR)/certmaster_submit-util.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util.c' object='certmaster_submit-util.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-util.o `test -f 'util.c' || echo '$(srcdir)/'`util.c ++ ++certmaster_submit-util.obj: util.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-util.obj -MD 
-MP -MF $(DEPDIR)/certmaster_submit-util.Tpo -c -o certmaster_submit-util.obj `if test -f 'util.c'; then $(CYGPATH_W) 'util.c'; else $(CYGPATH_W) '$(srcdir)/util.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-util.Tpo $(DEPDIR)/certmaster_submit-util.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util.c' object='certmaster_submit-util.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-util.obj `if test -f 'util.c'; then $(CYGPATH_W) 'util.c'; else $(CYGPATH_W) '$(srcdir)/util.c'; fi` ++ ++certmaster_submit-log.o: log.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-log.o -MD -MP -MF $(DEPDIR)/certmaster_submit-log.Tpo -c -o certmaster_submit-log.o `test -f 'log.c' || echo '$(srcdir)/'`log.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-log.Tpo $(DEPDIR)/certmaster_submit-log.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='log.c' object='certmaster_submit-log.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-log.o `test -f 'log.c' || echo '$(srcdir)/'`log.c ++ ++certmaster_submit-log.obj: log.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-log.obj -MD -MP -MF $(DEPDIR)/certmaster_submit-log.Tpo -c -o certmaster_submit-log.obj `if test -f 'log.c'; then 
$(CYGPATH_W) 'log.c'; else $(CYGPATH_W) '$(srcdir)/log.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-log.Tpo $(DEPDIR)/certmaster_submit-log.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='log.c' object='certmaster_submit-log.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-log.obj `if test -f 'log.c'; then $(CYGPATH_W) 'log.c'; else $(CYGPATH_W) '$(srcdir)/log.c'; fi` ++ ++certmaster_submit-tm.o: tm.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-tm.o -MD -MP -MF $(DEPDIR)/certmaster_submit-tm.Tpo -c -o certmaster_submit-tm.o `test -f 'tm.c' || echo '$(srcdir)/'`tm.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-tm.Tpo $(DEPDIR)/certmaster_submit-tm.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tm.c' object='certmaster_submit-tm.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-tm.o `test -f 'tm.c' || echo '$(srcdir)/'`tm.c ++ ++certmaster_submit-tm.obj: tm.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -MT certmaster_submit-tm.obj -MD -MP -MF $(DEPDIR)/certmaster_submit-tm.Tpo -c -o certmaster_submit-tm.obj `if test -f 'tm.c'; then $(CYGPATH_W) 'tm.c'; else $(CYGPATH_W) '$(srcdir)/tm.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/certmaster_submit-tm.Tpo 
$(DEPDIR)/certmaster_submit-tm.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tm.c' object='certmaster_submit-tm.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(certmaster_submit_CFLAGS) $(CFLAGS) -c -o certmaster_submit-tm.obj `if test -f 'tm.c'; then $(CYGPATH_W) 'tm.c'; else $(CYGPATH_W) '$(srcdir)/tm.c'; fi` ++ + dogtag_ipa_renew_agent_submit-dogtag.o: dogtag.c + @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dogtag_ipa_renew_agent_submit_CFLAGS) $(CFLAGS) -MT dogtag_ipa_renew_agent_submit-dogtag.o -MD -MP -MF $(DEPDIR)/dogtag_ipa_renew_agent_submit-dogtag.Tpo -c -o dogtag_ipa_renew_agent_submit-dogtag.o `test -f 'dogtag.c' || echo '$(srcdir)/'`dogtag.c + @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/dogtag_ipa_renew_agent_submit-dogtag.Tpo $(DEPDIR)/dogtag_ipa_renew_agent_submit-dogtag.Po +@@ -2711,6 +2812,118 @@ ipa_getcert-tm.obj: tm.c + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_getcert_CFLAGS) $(CFLAGS) -c -o ipa_getcert-tm.obj `if test -f 'tm.c'; then $(CYGPATH_W) 'tm.c'; else $(CYGPATH_W) '$(srcdir)/tm.c'; fi` + ++ipa_submit-ipa.o: ipa.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-ipa.o -MD -MP -MF $(DEPDIR)/ipa_submit-ipa.Tpo -c -o ipa_submit-ipa.o `test -f 'ipa.c' || echo '$(srcdir)/'`ipa.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-ipa.Tpo $(DEPDIR)/ipa_submit-ipa.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa.c' object='ipa_submit-ipa.o' libtool=no @AMDEPBACKSLASH@ 
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-ipa.o `test -f 'ipa.c' || echo '$(srcdir)/'`ipa.c ++ ++ipa_submit-ipa.obj: ipa.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-ipa.obj -MD -MP -MF $(DEPDIR)/ipa_submit-ipa.Tpo -c -o ipa_submit-ipa.obj `if test -f 'ipa.c'; then $(CYGPATH_W) 'ipa.c'; else $(CYGPATH_W) '$(srcdir)/ipa.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-ipa.Tpo $(DEPDIR)/ipa_submit-ipa.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa.c' object='ipa_submit-ipa.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-ipa.obj `if test -f 'ipa.c'; then $(CYGPATH_W) 'ipa.c'; else $(CYGPATH_W) '$(srcdir)/ipa.c'; fi` ++ ++ipa_submit-srvloc.o: srvloc.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-srvloc.o -MD -MP -MF $(DEPDIR)/ipa_submit-srvloc.Tpo -c -o ipa_submit-srvloc.o `test -f 'srvloc.c' || echo '$(srcdir)/'`srvloc.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-srvloc.Tpo $(DEPDIR)/ipa_submit-srvloc.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='srvloc.c' object='ipa_submit-srvloc.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-srvloc.o `test -f 'srvloc.c' || echo '$(srcdir)/'`srvloc.c ++ ++ipa_submit-srvloc.obj: srvloc.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-srvloc.obj -MD -MP -MF $(DEPDIR)/ipa_submit-srvloc.Tpo -c -o ipa_submit-srvloc.obj `if test -f 'srvloc.c'; then $(CYGPATH_W) 'srvloc.c'; else $(CYGPATH_W) '$(srcdir)/srvloc.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-srvloc.Tpo $(DEPDIR)/ipa_submit-srvloc.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='srvloc.c' object='ipa_submit-srvloc.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-srvloc.obj `if test -f 'srvloc.c'; then $(CYGPATH_W) 'srvloc.c'; else $(CYGPATH_W) '$(srcdir)/srvloc.c'; fi` ++ ++ipa_submit-store-gen.o: store-gen.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-store-gen.o -MD -MP -MF $(DEPDIR)/ipa_submit-store-gen.Tpo -c -o ipa_submit-store-gen.o `test -f 'store-gen.c' || echo '$(srcdir)/'`store-gen.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-store-gen.Tpo $(DEPDIR)/ipa_submit-store-gen.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store-gen.c' object='ipa_submit-store-gen.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-store-gen.o `test -f 'store-gen.c' || echo '$(srcdir)/'`store-gen.c ++ 
++ipa_submit-store-gen.obj: store-gen.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-store-gen.obj -MD -MP -MF $(DEPDIR)/ipa_submit-store-gen.Tpo -c -o ipa_submit-store-gen.obj `if test -f 'store-gen.c'; then $(CYGPATH_W) 'store-gen.c'; else $(CYGPATH_W) '$(srcdir)/store-gen.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-store-gen.Tpo $(DEPDIR)/ipa_submit-store-gen.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store-gen.c' object='ipa_submit-store-gen.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-store-gen.obj `if test -f 'store-gen.c'; then $(CYGPATH_W) 'store-gen.c'; else $(CYGPATH_W) '$(srcdir)/store-gen.c'; fi` ++ ++ipa_submit-submit-x.o: submit-x.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-submit-x.o -MD -MP -MF $(DEPDIR)/ipa_submit-submit-x.Tpo -c -o ipa_submit-submit-x.o `test -f 'submit-x.c' || echo '$(srcdir)/'`submit-x.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-submit-x.Tpo $(DEPDIR)/ipa_submit-submit-x.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='submit-x.c' object='ipa_submit-submit-x.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-submit-x.o `test -f 'submit-x.c' || echo '$(srcdir)/'`submit-x.c ++ ++ipa_submit-submit-x.obj: submit-x.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-submit-x.obj -MD -MP -MF $(DEPDIR)/ipa_submit-submit-x.Tpo -c -o ipa_submit-submit-x.obj `if test -f 'submit-x.c'; then $(CYGPATH_W) 'submit-x.c'; else $(CYGPATH_W) '$(srcdir)/submit-x.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-submit-x.Tpo $(DEPDIR)/ipa_submit-submit-x.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='submit-x.c' object='ipa_submit-submit-x.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-submit-x.obj `if test -f 'submit-x.c'; then $(CYGPATH_W) 'submit-x.c'; else $(CYGPATH_W) '$(srcdir)/submit-x.c'; fi` ++ ++ipa_submit-submit-u.o: submit-u.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-submit-u.o -MD -MP -MF $(DEPDIR)/ipa_submit-submit-u.Tpo -c -o ipa_submit-submit-u.o `test -f 'submit-u.c' || echo '$(srcdir)/'`submit-u.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-submit-u.Tpo $(DEPDIR)/ipa_submit-submit-u.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='submit-u.c' object='ipa_submit-submit-u.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-submit-u.o `test -f 'submit-u.c' || echo '$(srcdir)/'`submit-u.c ++ ++ipa_submit-submit-u.obj: submit-u.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT 
ipa_submit-submit-u.obj -MD -MP -MF $(DEPDIR)/ipa_submit-submit-u.Tpo -c -o ipa_submit-submit-u.obj `if test -f 'submit-u.c'; then $(CYGPATH_W) 'submit-u.c'; else $(CYGPATH_W) '$(srcdir)/submit-u.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-submit-u.Tpo $(DEPDIR)/ipa_submit-submit-u.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='submit-u.c' object='ipa_submit-submit-u.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-submit-u.obj `if test -f 'submit-u.c'; then $(CYGPATH_W) 'submit-u.c'; else $(CYGPATH_W) '$(srcdir)/submit-u.c'; fi` ++ ++ipa_submit-util.o: util.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-util.o -MD -MP -MF $(DEPDIR)/ipa_submit-util.Tpo -c -o ipa_submit-util.o `test -f 'util.c' || echo '$(srcdir)/'`util.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-util.Tpo $(DEPDIR)/ipa_submit-util.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util.c' object='ipa_submit-util.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-util.o `test -f 'util.c' || echo '$(srcdir)/'`util.c ++ ++ipa_submit-util.obj: util.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-util.obj -MD -MP -MF $(DEPDIR)/ipa_submit-util.Tpo -c -o ipa_submit-util.obj `if test -f 'util.c'; then $(CYGPATH_W) 'util.c'; else $(CYGPATH_W) 
'$(srcdir)/util.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-util.Tpo $(DEPDIR)/ipa_submit-util.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util.c' object='ipa_submit-util.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-util.obj `if test -f 'util.c'; then $(CYGPATH_W) 'util.c'; else $(CYGPATH_W) '$(srcdir)/util.c'; fi` ++ ++ipa_submit-log.o: log.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-log.o -MD -MP -MF $(DEPDIR)/ipa_submit-log.Tpo -c -o ipa_submit-log.o `test -f 'log.c' || echo '$(srcdir)/'`log.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-log.Tpo $(DEPDIR)/ipa_submit-log.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='log.c' object='ipa_submit-log.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-log.o `test -f 'log.c' || echo '$(srcdir)/'`log.c ++ ++ipa_submit-log.obj: log.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-log.obj -MD -MP -MF $(DEPDIR)/ipa_submit-log.Tpo -c -o ipa_submit-log.obj `if test -f 'log.c'; then $(CYGPATH_W) 'log.c'; else $(CYGPATH_W) '$(srcdir)/log.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-log.Tpo $(DEPDIR)/ipa_submit-log.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='log.c' object='ipa_submit-log.obj' libtool=no @AMDEPBACKSLASH@ 
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-log.obj `if test -f 'log.c'; then $(CYGPATH_W) 'log.c'; else $(CYGPATH_W) '$(srcdir)/log.c'; fi` ++ ++ipa_submit-tm.o: tm.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-tm.o -MD -MP -MF $(DEPDIR)/ipa_submit-tm.Tpo -c -o ipa_submit-tm.o `test -f 'tm.c' || echo '$(srcdir)/'`tm.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-tm.Tpo $(DEPDIR)/ipa_submit-tm.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tm.c' object='ipa_submit-tm.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-tm.o `test -f 'tm.c' || echo '$(srcdir)/'`tm.c ++ ++ipa_submit-tm.obj: tm.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -MT ipa_submit-tm.obj -MD -MP -MF $(DEPDIR)/ipa_submit-tm.Tpo -c -o ipa_submit-tm.obj `if test -f 'tm.c'; then $(CYGPATH_W) 'tm.c'; else $(CYGPATH_W) '$(srcdir)/tm.c'; fi` ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_submit-tm.Tpo $(DEPDIR)/ipa_submit-tm.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tm.c' object='ipa_submit-tm.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_submit_CFLAGS) $(CFLAGS) -c -o ipa_submit-tm.obj `if test -f 
'tm.c'; then $(CYGPATH_W) 'tm.c'; else $(CYGPATH_W) '$(srcdir)/tm.c'; fi` ++ + local_getcert-local-getcert.o: local-getcert.c + @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(local_getcert_CFLAGS) $(CFLAGS) -MT local_getcert-local-getcert.o -MD -MP -MF $(DEPDIR)/local_getcert-local-getcert.Tpo -c -o local_getcert-local-getcert.o `test -f 'local-getcert.c' || echo '$(srcdir)/'`local-getcert.c + @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/local_getcert-local-getcert.Tpo $(DEPDIR)/local_getcert-local-getcert.Po +diff --git a/src/scep.c b/src/scep.c +index 5dd362d..fff7ca8 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2009,2010,2011,2012,2013,2014,2015 Red Hat, Inc. ++ * Copyright (C) 2009,2010,2011,2012,2013,2014,2015,2016 Red Hat, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -64,7 +64,7 @@ + + #define OP_GET_CA_CAPS "GetCACaps" + #define OP_GET_CA_CERT "GetCACert" +-#define OP_GET_CA_CHAIN "GetCAChain" ++#define OP_GET_CA_CERT_CHAIN "GetCACertChain" + #define OP_GET_INITIAL_CERT "PKIOperation" + #define OP_PKCSREQ "PKIOperation" + enum known_ops { +@@ -516,7 +516,7 @@ main(int argc, const char **argv) + break; + case op_get_ca_certs: + /* Step two: request the chain. */ +- params2 = talloc_asprintf(ctx, "operation=" OP_GET_CA_CHAIN "&message=%s", id); ++ params2 = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT_CHAIN "&message=%s", id); + break; + case op_get_initial_cert: + /* Step two: actually poll. If we have multiple messages which +diff --git a/systemd/Makefile.in b/systemd/Makefile.in +index cecbbd3..06c438b 100644 +--- a/systemd/Makefile.in ++++ b/systemd/Makefile.in +@@ -1,7 +1,7 @@ +-# Makefile.in generated by automake 1.15 from Makefile.am. ++# Makefile.in generated by automake 1.15.1 from Makefile.am. 
+ # @configure_input@ + +-# Copyright (C) 1994-2014 Free Software Foundation, Inc. ++# Copyright (C) 1994-2017 Free Software Foundation, Inc. + + # This Makefile.in is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +diff --git a/sysvinit/Makefile.in b/sysvinit/Makefile.in +index cad70a6..85631ed 100644 +--- a/sysvinit/Makefile.in ++++ b/sysvinit/Makefile.in +@@ -1,7 +1,7 @@ +-# Makefile.in generated by automake 1.15 from Makefile.am. ++# Makefile.in generated by automake 1.15.1 from Makefile.am. + # @configure_input@ + +-# Copyright (C) 1994-2014 Free Software Foundation, Inc. ++# Copyright (C) 1994-2017 Free Software Foundation, Inc. + + # This Makefile.in is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +diff --git a/tests/Makefile.in b/tests/Makefile.in +index 239af9a..1a339be 100644 +--- a/tests/Makefile.in ++++ b/tests/Makefile.in +@@ -1,7 +1,7 @@ +-# Makefile.in generated by automake 1.15 from Makefile.am. ++# Makefile.in generated by automake 1.15.1 from Makefile.am. + # @configure_input@ + +-# Copyright (C) 1994-2014 Free Software Foundation, Inc. ++# Copyright (C) 1994-2017 Free Software Foundation, Inc. 
+ + # This Makefile.in is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -473,8 +473,6 @@ EXTRA_DIST = \ + 008-certread/expected.out \ + 009-oiddict/run.sh \ + 009-oiddict/expected.out \ +- 010-iterate/run.sh \ +- 010-iterate/expected.out \ + 011-dbinit/expected.out \ + 011-dbinit/run.sh \ + 011-dbinit-dbm/expected.out \ +@@ -561,18 +559,21 @@ EXTRA_DIST = \ + 036-getcert/expected.out \ + 036-getcert/run.sh \ + 037-rekey2/expected.out \ +- 037-rekey2/run.sh ++ 037-rekey2/run.sh \ ++ 038-ms-v2-template/expected.out \ ++ 038-ms-v2-template/extract-extdata.py \ ++ 038-ms-v2-template/run.sh + + subdirs = 001-keyiread 001-keyiread-rsa 002-keygen 002-keygen-rsa \ + 003-csrgen 003-csrgen-rsa 004-selfsign 004-selfsign-rsa \ + 005-dbusm 006-serial 007-certsave 008-certread 009-oiddict \ +- 010-iterate 011-dbinit 012-dbadd 013-enckey 014-prefs \ +- 015-lockedkey 016-dates 017-notoken 018-pembase 019-dparse \ +- 021-resume 022-base64 023-cadata 024-citerate 025-casave \ +- 026-local 027-hooks 028-dbus 029-canonize 030-rekey 031-pkcs7 \ +- 032-chain 033-scep 034-perms 035-json 036-getcert 037-rekey2 \ +- $(am__append_1) $(am__append_2) $(am__append_3) \ +- $(am__append_4) ++ 011-dbinit 012-dbadd 013-enckey 014-prefs 015-lockedkey \ ++ 016-dates 017-notoken 018-pembase 019-dparse 021-resume \ ++ 022-base64 023-cadata 024-citerate 025-casave 026-local \ ++ 027-hooks 028-dbus 029-canonize 030-rekey 031-pkcs7 032-chain \ ++ 033-scep 034-perms 035-json 036-getcert 037-rekey2 \ ++ 038-ms-v2-template $(am__append_1) $(am__append_2) \ ++ $(am__append_3) $(am__append_4) + all: all-recursive + + .SUFFIXES: +diff --git a/tests/tools/Makefile.in b/tests/tools/Makefile.in +index c0565d2..4e77d61 100644 +--- a/tests/tools/Makefile.in ++++ b/tests/tools/Makefile.in +@@ -1,7 +1,7 @@ +-# Makefile.in generated by automake 1.15 from Makefile.am. ++# Makefile.in generated by automake 1.15.1 from Makefile.am. 
+ # @configure_input@ + +-# Copyright (C) 1994-2014 Free Software Foundation, Inc. ++# Copyright (C) 1994-2017 Free Software Foundation, Inc. + + # This Makefile.in is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +-- +2.17.2 + diff --git a/SOURCES/0028-No-message-ca-ident-from-GetCACaps-GetCACert-drop-Ge.patch b/SOURCES/0028-No-message-ca-ident-from-GetCACaps-GetCACert-drop-Ge.patch new file mode 100644 index 0000000..702eb66 --- /dev/null +++ b/SOURCES/0028-No-message-ca-ident-from-GetCACaps-GetCACert-drop-Ge.patch 
@@ -0,0 +1,80 @@
+From 3ca83f42275ac846d63167bee257bb57dc9eb37d Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Wed, 31 Jul 2019 14:17:39 -0400
+Subject: [PATCH 28/29] No message= from GetCACaps, GetCACert, drop
+ GetCACertChain
+
+In the SCEP Gutmann 10 spec there are no message= defined
+for the GetCACaps or GetCACert commands. The nourse 23 spec still
+defines this but it is optional. Don't send it at all.
+
+GetCACertChain doesn't exist at all in gutmann and was dropped in
+revision 19 by nourse.
+
+https://pagure.io/certmonger/issue/103
+---
+ src/scep.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/src/scep.c b/src/scep.c
+index fff7ca8..7c9f844 100644
+--- a/src/scep.c
++++ b/src/scep.c
+@@ -64,7 +64,6 @@
+ 
+ #define OP_GET_CA_CAPS "GetCACaps"
+ #define OP_GET_CA_CERT "GetCACert"
+-#define OP_GET_CA_CERT_CHAIN "GetCACertChain"
+ #define OP_GET_INITIAL_CERT "PKIOperation"
+ #define OP_PKCSREQ "PKIOperation"
+ enum known_ops {
+@@ -356,11 +355,11 @@ main(int argc, const char **argv)
+ break;
+ case op_get_ca_caps:
+ /* Only step: read capabilities for the daemon. */
+- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
+ break;
+ case op_get_ca_certs:
+ /* First step: get the root certificate. */
+- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT "&message=%s", id);
++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT);
+ break;
+ case op_get_initial_cert:
+ if ((racert == NULL) || (strlen(racert) == 0)) {
+@@ -378,7 +377,7 @@ main(int argc, const char **argv)
+ return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ }
+ /* First step: read capabilities for our use. */
+- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
+ }
+ break;
+ case op_pkcsreq:
+@@ -397,7 +396,7 @@ main(int argc, const char **argv)
+ return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ }
+ /* First step: read capabilities for our use. */
+- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
+ }
+ break;
+ }
+@@ -511,13 +510,10 @@ main(int argc, const char **argv)
+ abort(); /* never reached */
+ break;
+ case op_get_ca_caps:
++ case op_get_ca_certs:
+ /* nothing to do here */
+ params2 = NULL;
+ break;
+- case op_get_ca_certs:
+- /* Step two: request the chain. */
+- params2 = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT_CHAIN "&message=%s", id);
+- break;
+ case op_get_initial_cert:
+ /* Step two: actually poll. If we have multiple messages which
+ * we can use, decide which one to use. */
+--
+2.17.2
+
diff --git a/SOURCES/0029-Document-R-N-o-in-dogtag-ipa-renew-agent-submit.patch b/SOURCES/0029-Document-R-N-o-in-dogtag-ipa-renew-agent-submit.patch
new file mode 100644
index 0000000..950cf3b
--- /dev/null
+++ b/SOURCES/0029-Document-R-N-o-in-dogtag-ipa-renew-agent-submit.patch
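Review bot: With `&message=%s` dropped from the GetCACaps and GetCACert requests, the CA identifier that the scep-submit man page (quoted in the 1001 patch elsewhere on this page) still describes as "passed to the server as part of the client's request" for -c/-C is no longer sent for those operations, so that man-page paragraph and the option's help text need the same update, assuming `id` is that identifier. The merged `case op_get_ca_caps:` / `case op_get_ca_certs:` arm keeps `/* nothing to do here */`, which no longer says why the second request disappeared; suggest `/* nothing to do here: GetCACertChain is gone from the spec, so any chain the server offers has to arrive with the GetCACert response */`. If `id` is now unused on the GetCACaps/GetCACert paths the compiler may warn about it, which is worth checking in the part of main() that lies outside the hunk. main() begins and ends outside this hunk.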
@@ -0,0 +1,80 @@ +From 9ae2a531042f3ad9cbc4ed773657ed99555ca3c7 Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai +Date: Tue, 27 Oct 2015 16:41:09 -0400 +Subject: [PATCH 29/29] Document -R/-N/-o in dogtag-ipa-renew-agent-submit + +Add notes about the -R, -N, and -o flags to the man page for +dogtag-ipa-renew-agent-submit. + +It's really just a version of dogtag-submit with different defaults +compiled in, and that should already be reflected in the --help output, +but overriding key behaviors while still using those defaults can be a +useful thing in troubleshooting situations, so we should document them. +Heads-up from Marco Rhodes. +--- + ...tmonger-dogtag-ipa-renew-agent-submit.8.in | 19 ++++++++++++++++++- + src/certmonger-dogtag-submit.8.in | 3 ++- + 2 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in +index 481e396..3863b2a 100644 +--- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in ++++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in +@@ -1,4 +1,4 @@ +-.TH certmonger 8 "18 Nov 2014" "certmonger Manual" ++.TH certmonger 8 "27 Oct 2015" "certmonger Manual" + + .SH NAME + dogtag-ipa-renew-agent-submit +@@ -18,6 +18,8 @@ dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL + [-S state] + [-T profile] + [-O param=value] ++[-N | -R] ++[-o option=value] + [-v] + [csrfile] + +@@ -134,6 +136,21 @@ settings are applied. This option can be used either to override a + server-supplied default setting, or to supply one which would otherwise have + not been used. + .TP ++\fB-N\fR ++Even if an already-issued certificate is available in the ++\fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been ++provided, don't attempt to renew a certificate using its serial number. ++Instead, attempt to obtain a new certificate using the signing request. ++The default behavior is to request a renewal if possible. 
++.TP ++\fB-R\fR ++Negates the effect of the \fB-N\fR flag. ++.TP ++\fB-o\fR param=value ++When initially submitting a request to the CA, add the specified parameter and ++value along with any request parameters which would otherwise be sent. This ++option is not typically used. ++.TP + \fB-v\fR + Increases the logging level. Use twice for more logging. This option is mainly + useful for troubleshooting. +diff --git a/src/certmonger-dogtag-submit.8.in b/src/certmonger-dogtag-submit.8.in +index 54cd1b1..3a8fc87 100644 +--- a/src/certmonger-dogtag-submit.8.in ++++ b/src/certmonger-dogtag-submit.8.in +@@ -1,4 +1,4 @@ +-.TH certmonger 8 "13 Apr 2015" "certmonger Manual" ++.TH certmonger 8 "27 Oct 2015" "certmonger Manual" + + .SH NAME + dogtag-submit +@@ -108,6 +108,7 @@ Even if an already-issued certificate is available in the + \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been + provided, don't attempt to renew a certificate using its serial number. + Instead, attempt to obtain a new certificate using the signing request. ++The default behavior is to request a renewal if possible. + .TP + \fB-R\fR + Negates the effect of the \fB-N\fR flag. +-- +2.17.2 + diff --git a/SOURCES/1001-Remove-rekey-feature.patch b/SOURCES/1001-Remove-rekey-feature.patch new file mode 100644 index 0000000..525ab6b --- /dev/null +++ b/SOURCES/1001-Remove-rekey-feature.patch 
@@ -0,0 +1,374 @@ +From 3c763332adc224d0e325502cb3e5b97d4155bb0c Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Fri, 7 Aug 2015 13:40:41 +0200 +Subject: [PATCH] Remove rekey feature + +https://bugzilla.redhat.com/show_bug.cgi?id=1250397 +--- + src/certmonger-scep-submit.8.in | 8 -------- + src/certmonger.conf.5.in | 19 ------------------- + src/getcert-add-scep-ca.1.in | 8 -------- + src/getcert.c | 3 --- + src/prefs.c | 27 +-------------------------- + src/scep.c | 5 ----- + src/submit-e.c | 6 ------ + src/tdbush.c | 10 +--------- + tests/010-iterate/expected.out | 14 +++++--------- + tests/028-dbus/expected.out | 6 ------ + tests/036-getcert/expected.out | 26 ++++++++++++++------------ + tests/037-rekey2/expected.out | 4 ++-- + 12 files changed, 23 insertions(+), 113 deletions(-) + +diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in +index 7319c6a..31203c3 100644 +--- a/src/certmonger-scep-submit.8.in ++++ b/src/certmonger-scep-submit.8.in +@@ -80,14 +80,6 @@ When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to + specify the CA identifier which is passed to the server as part of the client's + request. The default is "0". + .TP +-\fB\-n\fR +-The SCEP Renewal feature allows a client with a previously-issued certificate +-to use that certificate and the associated private key to request a new +-certificate for a different key pair, and can be used to support +-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for +-it. This option forces the \fIscep-submit\fR helper to prefer to issue +-requests which do not make use of this feature. +-.TP + \fB-v\fR + Increases the logging level. Use twice for more logging. This option + is mainly useful for troubleshooting. 
+diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in +index 241f48b..e1220f1 100644 +--- a/src/certmonger.conf.5.in ++++ b/src/certmonger.conf.5.in +@@ -72,25 +72,6 @@ These are the trust attributes which are applied to certificates which are not + necessarily to be trusted, when they are saved to NSS databases. The default + is \fI,,\fP. + +-.IP max_key_use_count +-When attempting to replace a certificate, if \fIcertmonger\fR has previously +-obtained at least this number of certificates using the current key pair, it +-will generate a new key pair to use before proceeding. There is effectively no +-default for this setting. +- +-.IP max_key_lifetime +-The amount of time after a key was first generated when \fIcertmonger\fR will +-attempt to generate a new key pair to replace it, as part of the process of +-replacing a certificate. +-The value is specified as a combination of years (y), months (M), weeks (w), +-days (d), hours (h), minutes (m), and/or seconds (s). If no unit of time is +-specified, seconds are assumed. +-The date when a key was generated is not recorded if the key was not generated +-by \fIcertmonger\fR, or if the key was generated with a version of +-\fIcertmonger\fR older than 0.78, and for those cases, this option has no +-effect. +-There is effectively no default for this setting. +- + .SH SELFSIGN + Within the \fIselfsign\fR section, these variables and values are recognized: + +diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in +index f07b900..64f0f5e 100644 +--- a/src/getcert-add-scep-ca.1.in ++++ b/src/getcert-add-scep-ca.1.in +@@ -46,14 +46,6 @@ A CA identifier value which will passed to the server when the + \fIscep-submit\fR helper is used to retrieve copies of the server's + certificates. 
+ .TP +-\fB\-n\fR +-The SCEP Renewal feature allows a client with a previously-issued certificate +-to use that certificate and the associated private key to request a new +-certificate for a different key pair, and can be used to support +-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for +-it. This option forces the \fIscep-submit\fR helper to issue requests without +-making use of this feature. +-.TP + \fB\-v\fR + Be verbose about errors. Normally, the details of an error received from + the daemon will be suppressed if the client can make a diagnostic suggestion. +diff --git a/src/getcert.c b/src/getcert.c +index 26a88f3..966ff41 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -4663,7 +4663,6 @@ static struct { + {"start-tracking", start_tracking}, + {"stop-tracking", stop_tracking}, + {"resubmit", resubmit}, +- {"rekey", rekey}, + {"refresh", refresh}, + {"list", list}, + {"status", status}, +@@ -5087,8 +5086,6 @@ help(const char *twopartcmd, const char *category) + N_("stop monitoring a certificate\n")}, + {"resubmit", resubmit_help, + N_("resubmit an in-progress enrollment request, or start a new one\n")}, +- {"rekey", rekey_help, +- N_("generate a new private key and replace a certificate\n")}, + {"refresh", refresh_help, + N_("check on the status of an in-progress enrollment request\n")}, + {"list", list_help, +diff --git a/src/prefs.c b/src/prefs.c +index ab363bb..0a8e166 100644 +--- a/src/prefs.c ++++ b/src/prefs.c +@@ -545,36 +545,11 @@ cm_prefs_nss_other_trust(void) + long long + prefs_key_end_of_life(time_t ref) + { +- const char *cfg; +- time_t tmp; +- +- tmp = -1; +- cfg = cm_prefs_config(NULL, "max_key_lifetime"); +- if (cfg != NULL) { +- if (cm_submit_u_delta_from_string(cfg, ref, &tmp) == 0) { +- return tmp; +- } +- } + return -1; + } + + long + prefs_max_key_use_count(void) + { +- static long count = -2; +- long tmp; +- const char *cfg; +- char *p; +- +- if (count == -2) { +- count = -1; +- cfg = 
cm_prefs_config(NULL, "max_key_use_count"); +- if (cfg != NULL) { +- tmp = strtol(cfg, &p, 10); +- if ((p != NULL) && (*p == '\0')) { +- count = tmp; +- } +- } +- } +- return count; ++ return -1; + } +diff --git a/src/scep.c b/src/scep.c +index d3bbc05..11f9ae3 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -231,7 +231,6 @@ main(int argc, const char **argv) + {"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"}, + {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"}, + {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"}, +- {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL}, + {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, + POPT_AUTOHELP + POPT_TABLEEND +@@ -255,8 +254,6 @@ main(int argc, const char **argv) + message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV); + if (message == NULL) { + message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); +- } else { +- rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); + } + } else + if (strcasecmp(mode, CM_OP_POLL) == 0) { +@@ -264,8 +261,6 @@ main(int argc, const char **argv) + message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV); + if (message == NULL) { + message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); +- } else { +- rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); + } + } else + if (strcasecmp(mode, CM_OP_FETCH_SCEP_CA_CERTS) == 0) { +diff --git a/src/submit-e.c b/src/submit-e.c +index befd01e..af05efe 100644 +--- a/src/submit-e.c ++++ b/src/submit-e.c +@@ -446,12 +446,6 @@ cm_submit_e_need_scep_messages(struct cm_submit_state *state) + static int + cm_submit_e_need_rekey(struct cm_submit_state *state) + { +- int status; +- status = cm_subproc_get_exitstatus(state->subproc); +- if (WIFEXITED(status) && +- (WEXITSTATUS(status) == CM_SUBMIT_STATUS_NEED_REKEY)) { +- return 0; +- } + return -1; + } + +diff --git 
a/src/tdbush.c b/src/tdbush.c +index 7fb3d16..04fe57e 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -7164,14 +7164,6 @@ cm_tdbush_iface_request(void) + cm_tdbush_method_arg_out, + NULL))), + NULL), +- make_interface_item(cm_tdbush_interface_method, +- make_method("rekey", +- request_rekey, +- make_method_arg("working", +- DBUS_TYPE_BOOLEAN_AS_STRING, +- cm_tdbush_method_arg_out, +- NULL), +- NULL), + make_interface_item(cm_tdbush_interface_method, + make_method("resubmit", + request_resubmit, +@@ -7227,7 +7219,7 @@ cm_tdbush_iface_request(void) + make_interface_item(cm_tdbush_interface_signal, + make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, + NULL), +- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); ++ NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); + } + return ret; + } +diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out +index bd57a01..85d07b3 100644 +--- a/tests/010-iterate/expected.out ++++ b/tests/010-iterate/expected.out +@@ -398,19 +398,15 @@ HAVE_CSR + -START- + NEED_TO_SUBMIT + SUBMITTING +-NEED_KEY_PAIR ++NEED_GUIDANCE + -STOP- +-NEED_KEY_PAIR ++NEED_GUIDANCE + -START- +-GENERATING_KEY_PAIR +-HAVE_KEY_PAIR +-NEED_KEYINFO ++NEED_GUIDANCE + -STOP- +-NEED_KEYINFO ++NEED_GUIDANCE + -START- +-READING_KEYINFO +-HAVE_KEYINFO +-NEED_CSR ++NEED_GUIDANCE + -STOP- + + [Enroll until we notice we have no specified CA.] 
+diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index 8a81a7f..4c33e9a 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -404,9 +404,6 @@ OK + + + +- +- +- + + + +@@ -484,9 +481,6 @@ recently + 1 on /org/fedorahosted/certmonger/requests/Request2 + After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1) + +-[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ] +-1 +- + [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.resubmit ] + 1 + +diff --git a/tests/036-getcert/expected.out b/tests/036-getcert/expected.out +index c1a13c8..b6d1eaf 100644 +--- a/tests/036-getcert/expected.out ++++ b/tests/036-getcert/expected.out +@@ -11,20 +11,21 @@ certs:1 + keys:1 + -----BEGIN PRIVATE KEY----- + [Files, rekey] +-Resubmitting "first" to "local". + certs:1 + -----BEGIN CERTIFICATE----- + keys:1 + -----BEGIN PRIVATE KEY----- ++ERROR: keys were not changed on rekey ++ERROR: cert was not changed on rekey + [Files, rekey with preserve=1] +-Resubmitting "first" to "local". + certs:1 + -----BEGIN CERTIFICATE----- +-keys:2 +------BEGIN PRIVATE KEY----- ++keys:1 + -----BEGIN PRIVATE KEY----- ++ERROR: keys were not changed on rekey ++ERROR: cert was not changed on rekey ++ERROR: old keys were not saved on rekey + [Files, rekey with jerk CA] +-Resubmitting "first" to "jerkca". + certs:1 + -----BEGIN CERTIFICATE----- + keys:1 +@@ -44,30 +45,31 @@ pk12util: PKCS12 EXPORT SUCCESSFUL + cert:1 + key:1 + [Database, rekey] +-Resubmitting "first" to "local". + certs:1 + keys:1 + pk12util: PKCS12 EXPORT SUCCESSFUL + cert:1 + key:1 ++ERROR: keys were not changed on rekey ++ERROR: cert was not changed on rekey + [Database, rekey with preserve=1] +-Resubmitting "first" to "local". 
+ certs:1 +-keys:2 ++keys:1 + pk12util: PKCS12 EXPORT SUCCESSFUL + cert:1 + key:1 ++ERROR: keys were not changed on rekey ++ERROR: cert was not changed on rekey ++ERROR: old keys were not saved on rekey + [Database, rekey with jerk CA] +-Resubmitting "first" to "jerkca". + certs:1 +-keys:3 ++keys:1 + pk12util: PKCS12 EXPORT SUCCESSFUL + cert:1 + key:1 + [Database, rekey with jerk CA, nonpreserving] +-Resubmitting "first" to "jerkca". + certs:1 +-keys:3 ++keys:1 + pk12util: PKCS12 EXPORT SUCCESSFUL + cert:1 + key:1 +diff --git a/tests/037-rekey2/expected.out b/tests/037-rekey2/expected.out +index bd8cca7..62a1c74 100644 +--- a/tests/037-rekey2/expected.out ++++ b/tests/037-rekey2/expected.out +@@ -112,7 +112,7 @@ MONITORING + -STOP- + MONITORING + -START- +-NEED_KEY_PAIR ++NEED_CSR + -STOP- + [Uses = 2.] + NEED_KEY_PAIR +@@ -228,6 +228,6 @@ MONITORING + -STOP- + MONITORING + -START- +-NEED_KEY_PAIR ++NEED_CSR + -STOP- + Test complete. +-- +2.14.4 + diff --git a/SOURCES/1002-Fix-CA-option-name-for-ipa-cert-request.patch b/SOURCES/1002-Fix-CA-option-name-for-ipa-cert-request.patch new file mode 100644 index 0000000..7788e9b --- /dev/null +++ b/SOURCES/1002-Fix-CA-option-name-for-ipa-cert-request.patch 
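Review bot: `prefs_key_end_of_life` and `prefs_max_key_use_count` now return -1 unconditionally, so a `max_key_lifetime` or `max_key_use_count` value left in an existing certmonger.conf is silently ignored and key rotation simply stops; a one-time warning when either key is present would keep operators from assuming a rotation policy is still enforced. `ref` in `prefs_key_end_of_life` and `state` in `cm_submit_e_need_rekey` are now unused parameters, so add `(void)ref;` and `(void)state;` (or drop the stubs) to keep the build warning-free. In tests/036-getcert/expected.out the new expected lines `ERROR: keys were not changed on rekey` make the test's own failure messages the pass condition, so a later real regression in that area cannot be noticed; better to drop or skip the rekey cases in that run.sh. The scep.c hunks only remove the `rekey_message` assignments while `CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV` is still consulted first, and `prefer_non_renewal` presumably remains declared without a popt entry, so both deserve a check in the parts of main() outside the hunk.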
@@ -0,0 +1,38 @@
+From 6aca3545c847673a7bc3d5120378f896dc420a15 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Thu, 18 Aug 2016 18:25:49 +1000
+Subject: [PATCH] Fix CA option name for ipa cert-request
+
+The cert-request option for specifying the issuer is 'cacn', but
+certmonger is sending 'ca'. Use the correct option name.
+
+Part of: https://fedorahosted.org/certmonger/ticket/51
+---
+ src/ipa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ipa.c b/src/ipa.c
+index f8abe609a603b614067e56ebe9935472b647ed99..13ea4cadf108a86687ab3f689b1a4dd92e5f8339 100644
+--- a/src/ipa.c
++++ b/src/ipa.c
+@@ -369,7 +369,7 @@ submit:
+ }
+ /* Add the requested CA issuer named argument. */
+ if (issuer != NULL) {
+- cm_submit_x_add_named_arg_s(ctx, "ca", issuer);
++ cm_submit_x_add_named_arg_s(ctx, "cacn", issuer);
+ }
+ /* Tell the server to add entries for a principal if one
+ * doesn't exist yet. */
+@@ -389,7 +389,7 @@ submit:
+ case 3: /* invocation error - permanent */
+ if ((i == 3005) && (issuer != NULL)) {
+ /* Most likely the server didn't understand the
+- * "ca" argument. At least, at this
++ * "cacn" argument. At least, at this
+ * point. Randomly dropping arguments is not
+ * really an extensible solution, though. */
+ issuer = NULL;
+--
+2.7.4
+
diff --git a/SOURCES/certmonger-0.78.4.tar.gz.sig b/SOURCES/certmonger-0.78.4.tar.gz.sig
new file mode 100644
index 0000000..cd32a1a
Binary files /dev/null and b/SOURCES/certmonger-0.78.4.tar.gz.sig differ
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
new file mode 100644
index 0000000..0417e06
--- /dev/null
+++ b/SPECS/certmonger.spec
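Review bot: The 3005 fallback still clears `issuer = NULL` and retries without the requested CA, so a request that named a specific issuer can be satisfied by the server's default CA with nothing recorded about the substitution; now that the argument name is the correct `cacn`, a 3005 is presumably less likely to mean the server did not understand the option and more likely a genuine rejection, which makes the silent retry riskier. At minimum emit a warning through the helper's existing logging path (not visible in this hunk) before `issuer = NULL;`, and consider returning an error instead when the issuer was explicitly requested. The enclosing submit code begins and ends outside the hunk.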
@@ -0,0 +1,1160 @@ +%if 0%{?fedora} > 15 || 0%{?rhel} > 6 +%global systemd 1 +%global sysvinit 0 +%else +%global systemd 0 +%global sysvinit 1 +%endif + +%if 0%{?fedora} > 15 && 0%{?fedora} < 20 +%global systemdsysv 1 +%else +%global systemdsysv 0 +%endif + +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +%global tmpfiles 1 +%else +%global tmpfiles 0 +%endif + +%if 0%{?fedora} > 9 || 0%{?rhel} > 5 +%global sysvinitdir %{_initddir} +%else +%global sysvinitdir %{_initrddir} +%endif + +Name: certmonger +Version: 0.78.4 +Release: 12%{?dist} +Summary: Certificate status monitor and PKI enrollment client + +Group: System Environment/Daemons +License: GPLv3+ +URL: https://pagure.io/certmonger/ +Source0: https://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz +Source1: https://releases.pagure.org/released/certmonger/certmonger-%{version}.tar.gz.sig +BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) + +Patch0001: 0001-Stop-assuming-RSA-512-works.patch +Patch0002: 0002-Stop-assuming-RSA-512-works-part-two.patch +Patch0003: 0003-Add-issuer-request-option-for-specifying-issuer.patch +Patch0004: 0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch +Patch0005: 0005-Comment-whitespace-fixup.patch +Patch0006: 0006-ipa-submit-Retry-without-ca-on-OptionError.patch +Patch0007: 0007-getcert-fix-a-potential-out-of-bounds.patch +Patch0008: 0008-Document-the-X-option-in-the-ipa-submit-man-page.patch +Patch0009: 0009-Fix-a-flakiness-in-the-028-dbus-test.patch +Patch0010: 0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch +Patch0011: 0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch +Patch0012: 0012-Remove-trailing-CR-LF-when-reading-passwords-from-a-.patch +Patch0013: 0013-Disable-the-10-iterate-tests-which-randomly-fail.patch +Patch0014: 0014-MS-cert-template-add-D-Bus-property-and-storage.patch +Patch0015: 0015-MS-cert-template-add-template-extension-to-CSR.patch +Patch0016: 
0016-MS-cert-template-add-option-to-command-line-programs.patch +Patch0017: 0017-MS-cert-template-validate-argument.patch +Patch0018: 0018-MS-cert-template-add-tests.patch +Patch0019: 0019-Fix-C99-build-error-on-EL7-systems.patch +Patch0020: 0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch +Patch0021: 0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch +Patch0022: 0022-Allow-configuration-of-client-SCEP-algorithms.patch +Patch0023: 0023-Updates-per-Feedback.patch +Patch0024: 0024-Updated-tests.patch +Patch0025: 0025-Add-cipher-and-digest-difference-messages.patch +Patch0026: 0026-Document-key-cert-file-owner-and-mode-options.patch +Patch0027: 0027-scep-correct-GetCAChain-to-GetCACertChain.patch +Patch0028: 0028-No-message-ca-ident-from-GetCACaps-GetCACert-drop-Ge.patch +Patch0029: 0029-Document-R-N-o-in-dogtag-ipa-renew-agent-submit.patch + + +Patch1001: 1001-Remove-rekey-feature.patch +Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch + +BuildRequires: openldap-devel +BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel +%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6 +BuildRequires: libuuid-devel +%else +BuildRequires: e2fsprogs-devel +%endif +BuildRequires: libtalloc-devel, libtevent-devel +%if 0%{?rhel} >= 6 || 0%{?fedora} >= 9 +BuildRequires: libcurl-devel +%else +BuildRequires: curl-devel +%endif +BuildRequires: libxml2-devel, xmlrpc-c-devel +%if 0%{?rhel} < 6 +BuildRequires: bind-libbind-devel +%endif +# Required for 'make check': +# for diff and cmp +BuildRequires: diffutils +# for expect +BuildRequires: expect +# for mktemp, which was absorbed into coreutils at some point +BuildRequires: mktemp +# for certutil and pk12util +BuildRequires: nss-tools +# for openssl +BuildRequires: openssl +# for dbus-launch +BuildRequires: /usr/bin/dbus-launch +# for dos2unix +BuildRequires: /usr/bin/dos2unix +BuildRequires: /usr/bin/unix2dos +# for which +BuildRequires: /usr/bin/which +# for dbus tests +BuildRequires: 
dbus-python +# for popt or popt-devel, depending on the build environment +BuildRequires: /usr/include/popt.h +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: pkgconfig +BuildRequires: libtool +BuildRequires: gettext-devel + +# we need a running system bus +Requires: dbus + +# for killall in post script +Requires: psmisc + +%if %{systemd} +BuildRequires: systemd-units +Requires(post): systemd-units +Requires(preun): systemd-units, dbus, sed +Requires(postun): systemd-units +%endif + +%if %{systemdsysv} +Requires(post): systemd-sysv +%global systemdsysvsave \ +# Save the current service runlevel info, in case the user wants \ +# to apply the enabled status manually later, by running \ +# "systemd-sysv-convert --apply certmonger". \ +%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||: +%else +%global systemdsysvsave %{nil} +%endif + +%if %{sysvinit} +Requires(post): /sbin/chkconfig, /sbin/service +Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed +%endif + +%if 0%{?fedora} >= 15 +# Certain versions of libtevent have incorrect internal ABI versions. +Conflicts: libtevent < 0.9.13 +%endif + +%description +Certmonger is a service which is primarily concerned with getting your +system enrolled with a certificate authority (CA) and keeping it enrolled. + +%prep +%autosetup -p1 + +%if 0%{?rhel} > 0 +# Enabled by default for RHEL for bug #765600, still disabled by default for +# Fedora pending a similar bug report there. +sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in +%endif + +%build +autoreconf -i -f +%configure \ +%if %{systemd} + --enable-systemd \ +%endif +%if %{sysvinit} + --enable-sysvinit=%{sysvinitdir} \ +%endif +%if %{tmpfiles} + --enable-tmpfiles \ +%endif + --with-homedir=/var/run/certmonger \ + --with-tmpdir=/var/run/certmonger --enable-pie --enable-now +# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just +# tell us about libxmlrpc_client, but we need more. Work around. 
+make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc" + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT +mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/certmonger/{cas,requests} +install -m755 -d $RPM_BUILD_ROOT/var/run/certmonger +%{find_lang} %{name} + +%check +make check + +%clean +rm -rf $RPM_BUILD_ROOT + +%post +if test $1 -eq 1 ; then + killall -HUP dbus-daemon 2>&1 > /dev/null +fi +%if %{systemd} +if test $1 -eq 1 ; then + /bin/systemctl daemon-reload >/dev/null 2>&1 || : +fi +%endif +%if %{sysvinit} +/sbin/chkconfig --add certmonger +%endif + +%triggerin -- certmonger < 0.58 +if test $1 -gt 1 ; then + # If the daemon is running, remove knowledge of the dogtag renewer. + objpath=`dbus-send --system --reply-timeout=10000 --dest=org.fedorahosted.certmonger --print-reply=o /org/fedorahosted/certmonger org.fedorahosted.certmonger.find_ca_by_nickname string:dogtag-ipa-renew-agent 2> /dev/null | sed -r 's,^ +,,g' || true` + if test -n "$objpath" ; then + dbus-send --system --dest=org.fedorahosted.certmonger --print-reply /org/fedorahosted/certmonger org.fedorahosted.certmonger.remove_known_ca objpath:"$objpath" >/dev/null 2> /dev/null + fi + # Remove the data file, in case it isn't running. 
+ for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do + if grep -q '^id=dogtag-ipa-renew-agent$' "$cafile" ; then + rm -f "$cafile" + fi + done +fi +exit 0 + +%postun +%if %{systemd} +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +if [ $1 -ge 1 ] ; then + /bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || : +fi +%endif +%if %{sysvinit} +if test $1 -gt 0 ; then + /sbin/service certmonger condrestart 2>&1 > /dev/null +fi +%endif +exit 0 + +%preun +%if %{systemd} +if test $1 -eq 0 ; then + /bin/systemctl --no-reload disable certmonger.service > /dev/null 2>&1 || : + /bin/systemctl stop certmonger.service > /dev/null 2>&1 || : +fi +%endif +%if %{sysvinit} +if test $1 -eq 0 ; then + /sbin/service certmonger stop 2>&1 > /dev/null + /sbin/chkconfig --del certmonger +fi +%endif +exit 0 + +%if %{systemd} +%triggerun -- certmonger < 0.43 +%{systemdsysvsave} +# Do this because the old package's %%postun doesn't know we need to do it. +/sbin/chkconfig --del certmonger >/dev/null 2>&1 || : +# Do this because the old package's %%postun wouldn't have tried. 
+/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || : +exit 0 +%endif + +%files -f %{name}.lang +%defattr(-,root,root,-) +%doc README LICENSE STATUS doc/*.txt +%config(noreplace) %{_sysconfdir}/dbus-1/system.d/* +%{_datadir}/dbus-1/services/* +%dir %{_sysconfdir}/certmonger +%config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf +%dir /var/run/certmonger +%{_bindir}/* +%{_sbindir}/certmonger +%{_mandir}/man*/* +%{_libexecdir}/%{name} +%{_localstatedir}/lib/certmonger +%if %{sysvinit} +%{sysvinitdir}/certmonger +%endif +%if %{tmpfiles} +%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/certmonger.conf +%endif +%if %{systemd} +%{_unitdir}/* +%{_datadir}/dbus-1/system-services/* +%endif + +%changelog +* Wed Jul 31 2019 Rob Crittenden - 0.78.4-12 +- Add documentation for the '-N' option to the dogtag-ipa-renew-agent-submit + man page (#1651368) +- SCEP: Don't set message= with GetCaps and GetCACert (#1608781) +- SCEP operation GetCAChain is not valid. Should be GetCACertChain (#1590727) +- Document owner and permission parameters to getcert (#1549585) + +* Tue Feb 12 2019 Rob Crittenden - 0.78.4-11 +- Increase SCEP spec compliance, set more secure default cipher and hash. + (#1533216) + +* Fri Aug 24 2018 Rob Crittenden - 0.78.4-10 +- Backport patches to add support for the MS Certificate Template V2 + extension (#1622184) + +* Mon Aug 13 2018 Rob Crittenden - 0.78.4-9 +- Remove patch to pass _PROXY, _proxy, LANG and LC_* environment + variables to helpers. 
The root cause was a bug in IPA (#1596161) + +* Tue Jul 17 2018 Rob Crittenden - 0.78.4-8 +- Disable iterate-10 test which fails intermitently (#1596161) +- Add BuildRequires for running autoreconf + +* Tue Jul 17 2018 Rob Crittenden - 0.78.4-7 +- Pass _PROXY, _proxy, LANG and LC_* environment variables to + helpers (#1596161) + +* Tue May 29 2018 Rob Crittenden - 0.78.4-6 +- Remove reference to unused patch + +* Mon May 21 2018 Rob Crittenden - 0.78.4-5 +- Add Requires on psmsic for killall in post script (#1458890) +- upstream project migrated from fedorahosted.org to pagure.io (#1501723) +- Strip CR/LF from passwords read from a file (#1545935) + +* Mon Mar 5 2018 Rob Crittenden - 0.78.4-4 +- Use required DER encoding when setting CA basic constraint (#1551635) +- NSS 3.34 more strictly enforces length checking when verifying signatures + (#1551702) + +* Tue Sep 6 2016 Jan Cholasta - 0.78.4-3 +- Resolves: #1367683 getcert request command fails to use Sub CA using -X + argument + - Fix CA option name for ipa cert-request + +* Fri Jul 1 2016 Jan Cholasta - 0.78.4-2 +- Resolves: #1345755 Support for specifying IPA lightweight CA + - Add 'issuer' request option for specifying issuer + - Documentation: mark $CERTMONGER_CA_ISSUER as 0.79 + - Comment/whitespace fixup + - ipa-submit: Retry without "ca" on OptionError + - getcert: fix a potential out-of-bounds + - Document the -X option in the ipa-submit man page +- Resolves: #1351052 certmonger build for RHEL 7.3 failure + - Stop assuming RSA 512 works + - Stop assuming RSA 512 works, part two + - Fix a flakiness in the 028-dbus test + +* Mon Aug 10 2015 Jan Cholasta - 0.78.4-1 +- Resolves: #1249753 challenge password not added in csr using start-tracking +- Resolves: #1250397 Remove certmonger rekey feature in 7.2 + - Remove rekey feature +- Related: #1205756 Rebase certmonger to 0.77 or later + - Update to upstream 0.78.4 + +* Fri Jul 24 2015 Jan Cholasta - 0.78.3-1 +- Resolves: #1244914 scep ca helper does not parse 
command line options + correctly +- Related: #1205756 Rebase certmonger to 0.77 or later + - Update to upstream 0.78.3 + +* Mon Jun 22 2015 Jan Cholasta - 0.78.1-1 +- Resolves: #1140241 RFE: Add SCEP support to certmonger +- Resolves: #1148001 ipa-getcert killed by SIGABRT +- Resolves: #1205756 Rebase certmonger to 0.77 or later + - Update to upstream 0.78.1 + +* Tue Jan 13 2015 Jan Cholasta - 0.75.14-3 +- backport change from git to correctly retrieve string values from DBus + property interface replies (#1181022) + +* Wed Nov 19 2014 Jan Cholasta - 0.75.14-2 +- backport dogtag-submit: accept additional options to pass to the server when + approving requests using agent creds (#1165155) + +* Thu Aug 28 2014 Nalin Dahyabhai 0.75.14-1 +- make pathname canonicalization slightly smarter, to handle ".." in + locations (#1131758) +- updates to self-tests (#1144082) + +* Thu Aug 21 2014 Kevin Fenzi - 0.75.13-2 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Nalin Dahyabhai 0.75.13-1 +- add a missing test case file (whoops) + +* Mon Aug 18 2014 Nalin Dahyabhai 0.75.12-1 +- correct encoding/decoding of variant-typed data which we receive and send + as part of the org.freedesktop.DBus.Properties interface over the bus, and + add some tests for them (based on patch from David Kupka, ticket #36) + +* Fri Aug 15 2014 Fedora Release Engineering - 0.75.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Aug 12 2014 Nalin Dahyabhai 0.75.11-1 +- when getcert is passed a -a flag, to indicate that CA root certificates + should be stored in the specified database, don't ignore locations which + don't include a storage scheme (#1129537) +- when called to 'start-tracking' with the -a or -F flags, if we have + applicable certificates on-hand for a CA that we're either told to use + or which we decide is the correct one, save the certificates (#1129696) + +* Tue Aug 5 2014 Nalin Dahyabhai 0.75.10-1 +- when attempting to contact an IPA LDAP server, if 
no "ldap_uri" is set in + default.conf, and no "host" is set either, try to construct the server URI + using the "server" setting (#1126985) + +* Thu Jul 31 2014 Nalin Dahyabhai 0.75.9-1 +- avoid potential use-after-free after a CA is removed dynamically (thanks to + Keenan Brock) (#1125342) +- add a "external-helper" property to CA objects + +* Mon Jul 21 2014 Nalin Dahyabhai 0.75.8-1 +- add a 'refresh' option to the getcert command +- add a '-a' flag to the getcert command's 'refresh-ca' option + +* Thu Jul 17 2014 Nalin Dahyabhai 0.75.7-2 +- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older, + conditionalized it so that it's ignored on newer releases, and make + whether or not we call systemd-sysv-convert in triggers depend on that, + too (#1104138) + +* Thu Jul 17 2014 Nalin Dahyabhai 0.75.7-1 +- fix an inconsistency in how we parse cookie values returned by CA helpers, + in that single-line values would lose the end-of-line after a daemon + restart, but not before +- handle timeout values and exit status values when calling CA helpers + in non-SUBMIT, non-POLL modes (#1118468) +- rework how we save CA certificates so that we save CA certificates associated + with end-entity certificates when we save that end-entity certificate, which + requires running all of the involved pre- and post-save commands +- drop package Requires: on systemd-sysv (#1104138) + +* Thu Jun 26 2014 Nalin Dahyabhai 0.75.6-1 +- avoid potential use-after-free and read overrun after a CA is added + dynamically (thanks to Jan Cholasta) + +* Fri Jun 20 2014 Nalin Dahyabhai 0.75.5-1 +- documentation updates + +* Fri Jun 20 2014 Nalin Dahyabhai 0.75.4-2 +- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA + when we detect certmonger versions prior to 0.58 being installed, to + avoid cases where some older versions choke on CAs with nicknames that + contain characters that can't legally be part of a D-Bus name (#948993) + +* Thu Jun 19 2014 Nalin 
Dahyabhai 0.75.4-1 +- fix creation and packaging of the "local" CA's data directory + +* Wed Jun 18 2014 Nalin Dahyabhai 0.75.3-1 +- read and cache whether or not we saw a noOCSPcheck extension in certificates +- documentation updates + +* Mon Jun 16 2014 Nalin Dahyabhai 0.75.2-1 +- when generating keys using OpenSSL, if key generation fails, try + again with the default key size, in case we're in FIPS mode +- documentation updates + +* Sat Jun 14 2014 Nalin Dahyabhai 0.75.1-1 +- log the state in 'getcert status' verbose mode + +* Fri Jun 13 2014 Nalin Dahyabhai 0.75-1 +- add a -w (wait) flag to the getcert's request/resubmit/start-tracking + commands, and add a non-waiting status command + +* Wed Jun 11 2014 Nalin Dahyabhai 0.74.96-1 +- make the trust settings we apply to CA-supplied certificates while + saving them to NSS databases run-time configurable +- fix compiling against EL5-era OpenSSL +- when saving CA certificates we pull from an IPA server, nickname + it using the realm name with " IPA CA" appended rather than just + naming it "IPA CA" +- fix the local signer so that when it issues itself a new certificate, + it uses the same subject name +- add a -w flag to getcert's request, resubmit, and start-tracking + commands, telling it to wait until either the certificate is issued, + we get to a state where we know that we won't be able to get one, or + we are waiting for a CA + +* Mon Jun 9 2014 Nalin Dahyabhai 0.74.95-1 +- add the "local" signer, a local toy CA that signs anything you'll + ask it to sign + +* Sat Jun 07 2014 Fedora Release Engineering - 0.74-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Jun 6 2014 Nalin Dahyabhai 0.74.94-1 +- fix self-test errors that we trigger with new OpenSSL +- fix a build error that would sometimes happen when we're told to + build PIE binaries +- quiet a compile warning + +* Thu Jun 5 2014 Nalin Dahyabhai 0.74.93-1 +- add some self-tests +- simplify the internal submit-to-CA logic +- 
fixes for more problems found through static analysis + +* Tue Jun 3 2014 Nalin Dahyabhai 0.74.92-1 +- retrieve CA information from CAs, if the helpers can do so, and + add a command to explicitly refresh that data: "getcert refresh-ca" +- offer to save CA certificates to files and databases, when specified with + new -a and -F flags to getcert request/resubmit/start-tracking (#1098208, + trac #31) +- add IP address subject alternate names when getcert request/resubmit + is passed the -A option (trac #35) +- read and cache the freshestCRL extension in certificates +- properly interpret KDC-unreachable errors encountered in the IPA + submission error as a server-unreachable error that we will retry, + rather than a misconfiguration error which we won't +- don't let tests get tripped up by new formatting used in dos2unix status + messages (#1099080) +- updated translations +- be explicit that we are going to use bashisms in test scripts by calling + the shell interpreter as 'bash' rather than 'sh' (trac #27) + +* Thu Apr 3 2014 Nalin Dahyabhai 0.74-1 +- also save state when we exit due to SIGHUP +- don't get tripped up when enrollment helpers hand us certificates which + include CRLF line terminators (ticket #25) +- be tolerant of certificate issuer names, subject names, DNS, email, and + Kerberos principal namem subjectAltNames, and crl distribution point URLs + that contain newlines +- read and cache the certificate template extension in certificates +- enforce different minimum key sizes depending on the type of key we're + trying to generate +- store DER versions of subject, issuer and template subject, if we have + them (Jan Cholasta, ticket #26) +- when generating signing requests with subject names that don't quite parse + as subject names, encode what we're given as PrintableString rather than + as a UTF8String +- always chdir() to a known location at startup, even if we're not becoming + a daemon +- fix a couple of memory leaks (static analysis) +- add 
missing buildrequires: on which + +* Thu Feb 20 2014 Nalin Dahyabhai 0.73-1 +- updates to 0.73 + - getcert no longer claims to be stuck when a CA is unreachable, + because the daemon isn't actually stuck + +* Mon Feb 17 2014 Nalin Dahyabhai +- updates to 0.73 + - also pass the key type to enrollment helpers in the environment as + a the value of "CERTMONGER_KEY_TYPE" + +* Mon Feb 10 2014 Nalin Dahyabhai +- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir}, + where it belongs (#1180978) + +* Mon Feb 10 2014 Nalin Dahyabhai +- updates for 0.73 + - set the flag to encode EC public key parameters using named curves + instead of the default of all-the-details when using OpenSSL + - don't break when NSS supports secp521r1 but OpenSSL doesn't + - also pass the CA nickname to enrollment helpers in the environment as + a text value in "CERTMONGER_CA_NICKNAME", so they can use that value + when reading configuration settings + - also pass the SPKAC value to enrollment helpers in the environment as + a base64 value in "CERTMONGER_SPKAC" + - also pass the request's SubjectPublicKeyInfo value to enrollment helpers + in the environment as a base64 value in "CERTMONGER_SPKI" (part of #16) + - when generating signing requests using NSS, be more accommodating of + requested subject names that don't parse properly + +* Mon Feb 3 2014 Nalin Dahyabhai 0.72-1 +- update to 0.72 + - support generating DSA parameters and keys on sufficiently-new OpenSSL + and NSS + - support generating EC keys when OpenSSL and NSS support it, using key + size to select the curve to use from among secp256r1, secp384r1, + secp521r1 (which are the ones that are usually available, though + secp521r1 isn't always, even if the other two are) + - stop trying to cache public key parameters at all and instead cache public + key info properly + - encode the friendlyName attribute in signing requests as a BMPString, + not as a PrintableString + - catch more filesystem permissions problems earlier 
(more of #996581) + +* Mon Jan 27 2014 Nalin Dahyabhai 0.71-1 +- check for cases where we fail to allocate memory while reading a request + or CA entry from disk (John Haxby) +- only handle one watch at a time, which should avoid abort() during + attempts to reconnect to the message bus after losing our connection + to it (#1055521) + +* Fri Jan 24 2014 Daniel Mach - 0.70-2 +- Mass rebuild 2014-01-24 + +* Thu Jan 2 2014 Nalin Dahyabhai 0.70-1 +- add a --with-homedir option to configure, and use it, since subprocesses + which we run and which use NSS may attempt to write to $HOME/.pki, and + 0.69's strategy of setting that to "/" was rightly hitting SELinux policy + denials (#1047798) + +* Fri Dec 27 2013 Daniel Mach - 0.69-2 +- Mass rebuild 2013-12-27 + +* Mon Dec 9 2013 Nalin Dahyabhai 0.69-1 +- tweak how we decide whether we're on the master or a minion when we're + told to use certmaster as a CA +- clean up one of the tests so that it doesn't have to work around internal + logging producing duplicate messages +- when logging errors while setting up to contact xmlrpc servers, explicitly + note that the error is client-side +- don't abort() due to incorrect locking when an attempt to save an issued + certificate to the designated location fails (part of #1032760/#1033333, + ticket #22) +- when reading an issued certificate from an enrollment helper, ignore + noise before or after the certificate itself (more of #1032760/1033333, + ticket #22) +- run subprocesses in a cleaned-up environment (more of #1032760/1033333, + ticket #22) +- clear the ca-error that we saved when we had an error talking to the CA if we + subsequently succeed in talking to the CA +- various other static-analysis fixes + +* Thu Aug 29 2013 Nalin Dahyabhai 0.68-1 +- notice when the OpenSSL RNG isn't seeded +- notice when saving certificates or keys fails due to filesystem-related + permission denial (#996581) + +* Tue Aug 6 2013 Nalin Dahyabhai 0.67-3 +- pull up a patch from master to adapt 
self-tests to certutil's diagnostic + output having changed (#992050) + +* Sat Aug 03 2013 Fedora Release Engineering - 0.67-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Mar 11 2013 Nalin Dahyabhai 0.67-1 +- when saving certificates to NSS databases, try to preserve the trust + value assigned to a previously-present certificate with the same nickname + and subject, if one is found +- when saving certificates to NSS databases, also prune certificates from + the database which have both the same nickname and subject as the one + we're adding, to avoid tripping up tools that only fetch one certificate + by nickname + +* Wed Feb 13 2013 Fedora Release Engineering - 0.65-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 23 2013 Nalin Dahyabhai 0.66-1 +- build as position-independent executables with early binding (#883966) +- also don't tag the unit file as a configuration file (internal tooling) + +* Wed Jan 23 2013 Nalin Dahyabhai 0.65-2 +- don't tag the D-Bus session .service file as a configuration file (internal + tooling) + +* Tue Jan 8 2013 Nalin Dahyabhai 0.65-1 +- fix a crash in the self-tests + +* Tue Jan 8 2013 Nalin Dahyabhai 0.64-1 +- at startup, if we resume the state machine for a given certificate to a state + which expects to have the newly-added lock already acquired, acquire it + before moving on with the certificate's work (still aimed at fixing #883484) + +* Tue Dec 18 2012 Nalin Dahyabhai 0.63-1 +- serialize access to NSS databases and the running of pre- and post-save + commands which might also access them (possibly fixing part of #883484) + +* Thu Nov 29 2012 Nalin Dahyabhai 0.62-1 +- add a -u flag to getcert to enable requesting a keyUsage extension value +- request subjectKeyIdentifier extensions from CAs, and include them in + self-signed certificates +- request basicConstraints from CAs, defaulting to requests for end-entity + certificates +- when requesting CA 
certificates, also request authorityKeyIdentifier +- add support for requesting CRL distribution point and authorityInfoAccess + extensions that specify OCSP responder locations +- don't crash when OpenSSL can't build a template certificate from a request + when we're in FIPS mode +- put NSS in FIPS mode, when the system booted that way, except when we're + trying to write certificates to a database +- fix CSR generation and self-signing in FIPS mode with NSS +- fix self-signing in FIPS mode with OpenSSL +- new languages from the translation team: mai, ml, nn, ga + +* Tue Nov 27 2012 Nalin Dahyabhai 0.61-3 +- backport change from git to not choke if X509_REQ_to_X509() fails when we're + self-signing using OpenSSL +- backport another change from git to represent this as a CA-rejected error + +* Mon Sep 24 2012 Nalin Dahyabhai 0.61-1 +- fix a regression in reading old request tracking files where the + request was in state NEED_TO_NOTIFY or NOTIFYING + +* Wed Sep 5 2012 Nalin Dahyabhai 0.60-1 +- adjust internals of logic for talking to dogtag to at least have a + concept of non-agent cases +- when talking to an IPA server's internal Dogtag instance, infer which + ports the CA is listening on from the "dogtag_version" setting in the + IPA configuration (Ade Lee) +- send a notification (or log a message, whatever) when we save a new + certificate (#766167) + +* Mon Jul 30 2012 Nalin Dahyabhai +- fix a bad %%preun scriptlet + +* Wed Jul 18 2012 Fedora Release Engineering - 0.59-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jun 29 2012 Nalin Dahyabhai 0.59-1 +- mostly documentation updates + +* Fri Jun 29 2012 Nalin Dahyabhai 0.58-1 +- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using + an IPA server's internal Dogtag instance +- export the requested profile and old certificate to enrollment helpers +- make libxml and libcurl into hard build-time requirements +- serialize all pre/save/post sequences to make sure 
that stop/save/start + doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping + a service while we muck with more than one of its certificates + +* Fri Jun 15 2012 Nalin Dahyabhai +- add a command option (-T) to getcert for specifying which enrollment + profile to tell a CA that we're using, in case it cares (#10) + +* Thu Jun 14 2012 Nalin Dahyabhai 0.57-1 +- clarify that the command passed to getcert -C is a "post"-save command +- add a "pre"-save command option to getcert, specified with the -B flag (#9) +- after we notify of an impending not-valid-after approaching, don't do it + again immediately + +* Sat Mar 3 2012 Nalin Dahyabhai 0.56-1 +- when a caller sets the is-default flag on a CA, and another CA is no longer + the default, emit the PropertiesChanged signal on the CA which is not the + default, instead on the new default a second time +- drop some dead code from the D-Bus message handlers (static analysis, + #796813) +- cache public keys when we read private keys +- go back to printing an error indicating that we're missing a required + argument when we're missing a required argument, not that the option is + invalid (broken since 0.51, #796542) + +* Wed Feb 15 2012 Nalin Dahyabhai 0.55-1 +- allow root to use our implementation of org.freedesktop.DBus.Properties +- take more care to not emit useless PropertiesChanged signals + +* Wed Feb 15 2012 Nalin Dahyabhai 0.54-1 +- fix setting the group ID when spawning the post-save command + +* Tue Feb 14 2012 Nalin Dahyabhai 0.53-1 +- large changes to the D-Bus glue, exposing a lot of data which we were + providing via D-Bus getter methods as properties, and providing more + accurate introspection data +- emit a signal when the daemon saves a certificate to the destination + location, and provide an option to have the daemon spawn an arbitrary + command at that point, too (#766167) +- enable starting the service by default on RHEL (#765600) + +* Thu Jan 12 2012 Fedora Release Engineering - 
0.52-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Dec 16 2011 Nalin Dahyabhai 0.52-1 +- note that SELinux usually confines us to writing only to cert_t in + doc/getting-started.txt (#765599) +- fix crashes when we add a request during our first run when we're + populating the hard-coded CA list +- properly deal with cases where a path is passed to us is "./XXX" +- in session mode, create our data directories as we go + +* Tue Dec 6 2011 Nalin Dahyabhai 0.51-1 +- api: lift restrictions on characters used in request and CA nicknames by + making their object names not incorporate their nicknames +- api: add find_request_by_nickname and find_ca_by_nickname +- certmonger-ipa-submit.8: list -k, -K, -t in the summary, document -K +- getcert: print "invalid option" error messages ourselves (#756291) +- ipa-submit: supply a Referer: header when submitting requests to IPA + (#750617, needed for #747710) + +* Fri Oct 14 2011 Nalin Dahyabhai 0.50-1 +- really fix these this time: + - getcert: error out when "list -c" finds no matching CA (#743488) + - getcert: error out when "list -i" finds no matching request (#743485) + +* Wed Oct 12 2011 Nalin Dahyabhai 0.49-1 +- when using an NSS database, skip loading the module database (#743042) +- when using an NSS database, skip loading root certs +- generate SPKAC values when generating CSRs, though we don't do anything + with SPKAC values yet +- internally maintain and use challenge passwords, if we have them +- behave better when certificates have shorter lifetimes +- add/recognize/handle notification type "none" +- getcert: error out when "list -c" finds no matching CA (#743488) +- getcert: error out when "list -i" finds no matching request (#743485) + +* Thu Sep 29 2011 Nalin Dahyabhai 0.48-1 +- don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated + array (#742348) + +* Tue Sep 27 2011 Nalin Dahyabhai 0.47-1 +- getcert: distinguish between {stat() succeeds but isn't a 
directory} and + {stat() failed} when printing an error message (#739903) +- getcert resubmit/start-tracking: when we're looking for an existing request + by ID, and we don't find one, note that specifically (#741262) + +* Mon Aug 29 2011 Stephen Gallagher - 0.46-1.1 +- Rebuild against fixed libtevent version + +* Mon Aug 15 2011 Nalin Dahyabhai 0.46-1 +- treat the ability to access keys in an NSS database without using a PIN, + when we've been told we need one, as an error (#692766, really this time) + +* Thu Aug 11 2011 Nalin Dahyabhai 0.45-1 +- modify the systemd .service file to be a proper 'dbus' service (more + of #718172) + +* Thu Aug 11 2011 Nalin Dahyabhai 0.44-1 +- check specifically for cases where a specified token that we need to + use just isn't present for whatever reason (#697058) + +* Wed Aug 10 2011 Nalin Dahyabhai 0.43-1 +- add a -K option to ipa-submit, to use the current ccache, which makes + it easier to test + +* Fri Aug 5 2011 Nalin Dahyabhai +- if xmlrpc-c's struct xmlrpc_curl_xportparms has a gss_delegate field, set + it to TRUE when we're doing Negotiate auth (#727864, #727863, #727866) + +* Wed Jul 13 2011 Nalin Dahyabhai +- treat the ability to access keys in an NSS database without using a PIN, + when we've been told we need one, as an error (#692766) +- when handling "getcert resubmit" requests, if we don't have a key yet, + make sure we go all the way back to generating one (#694184) +- getcert: try to clean up tests for NSS and PEM file locations (#699059) +- don't try to set reconnect-on-exit policy unless we managed to connect + to the bus (#712500) +- handle cases where we specify a token but the storage token isn't + known (#699552) +- getcert: recognize -i and storage options to narrow down which requests + the user wants to know about (#698772) +- output hints when the daemon has startup problems, too (#712075) +- add flags to specify whether we're bus-activated or not, so that we can + exit if we have nothing to do after 
handling a request received over
+ the bus if some specified amount of time has passed
+- explicitly disallow non-root access in the D-Bus configuration (#712072)
+- migrate to systemd on releases newer than Fedora 15 or RHEL 6 (#718172)
+- fix a couple of incorrect calls to talloc_asprintf() (#721392)
+
+* Wed Apr 13 2011 Nalin Dahyabhai 0.42-1
+- getcert: fix a buffer overrun preparing a request for the daemon when
+ there are more parameters to encode than space in the array (#696185)
+- updated translations: de, es, id, pl, ru, uk
+
+* Mon Apr 11 2011 Nalin Dahyabhai 0.41-1
+- read information about the keys we've just generated before proceeding
+ to generating a CSR (part of #694184, part of #695675)
+- when processing a "resubmit" request from getcert, go back to key
+ generation if we don't have keys yet, else go back to CSR generation as
+ before (#694184, #695675)
+- configure with --with-tmpdir=/var/run/certmonger and own /var/run/certmonger
+ (#687899), and add a systemd tmpfiles.d control file for creating
+ /var/run/certmonger on Fedora 15 and later
+- let session instances exit when they get disconnected from the bus
+- use a lock file to make sure there's only one session instance messing
+ around with the user's files at a time
+- fix errors saving certificates to NSS databases when there's already a
+ certificate there with the same nickname (#695672)
+- make key and certificate location output from 'getcert list' more properly
+ translatable (#7)
+
+* Mon Mar 28 2011 Nalin Dahyabhai 0.40-1
+- update to 0.40
+ - fix validation check on EKU OIDs in getcert (#691351)
+ - get session bus mode sorted
+ - add a list of recognized EKU values to the getcert-request man page
+
+* Fri Mar 25 2011 Nalin Dahyabhai 0.39-1
+- update to 0.39
+ - fix use of an uninitialized variable in the xmlrpc-based submission
+ helpers (#690886)
+
+* Thu Mar 24 2011 Nalin Dahyabhai 0.38-1
+- update to 0.38
+ - catch cases where we can't read a PIN file, but we never have to 
log
+ in to the token to access the private key (more of #688229)
+
+* Tue Mar 22 2011 Nalin Dahyabhai 0.37-1
+- update to 0.37
+ - be more careful about checking if we can read a PIN file successfully
+ before we even call an API that might need us to try (#688229)
+ - fix strict aliasing warnings
+
+* Tue Mar 22 2011 Nalin Dahyabhai 0.36-1
+- update to 0.36
+ - fix some use-after-free bugs in the daemon (#689776)
+ - fix a copy/paste error in certmonger-ipa-submit(8)
+ - getcert now suppresses error details when not given its new -v option
+ (#683926, more of #681641/#652047)
+ - updated translations
+ - de, es, pl, ru, uk
+ - indonesian translation is now for "id" rather than "in"
+
+* Wed Mar 2 2011 Nalin Dahyabhai 0.35.1-1
+- fix a self-test that broke because one-year-from-now is now a day's worth
+ of seconds further out than it was a few days ago
+
+* Mon Feb 14 2011 Nalin Dahyabhai 0.35-1
+- update to 0.35
+ - self-test fixes to rebuild properly in mock (#670322)
+
+* Tue Feb 08 2011 Fedora Release Engineering - 0.34-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Jan 14 2011 Nalin Dahyabhai 0.34-1
+- update to 0.34
+ - explicitly note the number of requests we're tracking in the output of
+ "getcert list" (#652049)
+ - try to offer some suggestions when we get certain specific errors back
+ in "getcert" (#652047)
+ - updated translations
+ - es
+
+* Thu Dec 23 2010 Nalin Dahyabhai 0.33-1
+- update to 0.33
+ - new translations
+ - id by Okta Purnama Rahadian! 
+ - updated translations
+ - pl, uk
+ - roll up assorted fixes for defects
+
+* Fri Nov 12 2010 Nalin Dahyabhai 0.32-2
+- depend on the e2fsprogs libuuid on Fedora and RHEL releases where it's
+ not part of util-linux-ng
+
+* Wed Oct 13 2010 Nalin Dahyabhai 0.32-1
+- oops, rfc5280 says we shouldn't be populating unique identifiers, so
+ make it a configuration option and default the behavior to off
+
+* Tue Oct 12 2010 Nalin Dahyabhai 0.31-1
+- start populating the optional unique identifier fields in self-signed
+ certificates
+
+* Thu Sep 30 2010 Nalin Dahyabhai 0.30-4
+- explicitly require "dbus" to try to ensure we have a running system bus
+ when we get started (#639126)
+
+* Wed Sep 29 2010 jkeating - 0.30-3
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Nalin Dahyabhai 0.30-2
+- try to SIGHUP the messagebus daemon at first install so that it'll
+ let us claim our service name if it isn't restarted before we are
+ first started (#636876)
+
+* Wed Aug 25 2010 Nalin Dahyabhai 0.30-1
+- update to 0.30
+ - fix errors computing the time at the end of an interval that were
+ caught by self-tests
+
+* Mon Aug 23 2010 Nalin Dahyabhai 0.29-1
+- update to 0.29
+ - fix 64-bit cleanliness issue using libdbus
+ - actually include the full set of tests in tarballs
+
+* Tue Aug 17 2010 Nalin Dahyabhai 0.28-1
+- update to 0.28
+ - fix self-signing certificate notBefore and notAfter values on 32-bit
+ machines
+
+* Tue Aug 17 2010 Nalin Dahyabhai 0.27-1
+- update to 0.27
+ - portability and test fixes
+
+* Fri Aug 13 2010 Nalin Dahyabhai 0.26-1
+- update to 0.26
+ - when canceling a submission request that's being handled by a helper,
+ reap the child process's status after killing it (#624120)
+
+* Fri Aug 13 2010 Nalin Dahyabhai 0.25-1
+- update to 0.25
+ - new translations
+ - in by Okta Purnama Rahadian! 
+ - fix detection of cases where we can't access a private key in an NSS
+ database because we don't have the PIN
+ - teach '*getcert start-tracking' about the -p and -P options which the
+ '*getcert request' commands already understand (#621670), and also
+ the -U, -K, -E, and -D flags
+ - double-check that the nicknames of keys we get back from
+ PK11_ListPrivKeysInSlot() match the desired nickname before accepting
+ them as matches, so that our tests won't all blow up on EL5
+ - fix dynamic addition and removal of CAs implemented through helpers
+
+* Mon Jun 28 2010 Nalin Dahyabhai 0.24-4
+- init script: ensure that the subsys lock is created whenever we're called to
+ "start" when we're already running (even more of #596719)
+
+* Tue Jun 15 2010 Nalin Dahyabhai 0.24-3
+- more gracefully handle manual daemon startups and cleaning up of unexpected
+ crashes (still more of #596719)
+
+* Thu Jun 10 2010 Nalin Dahyabhai 0.24-2
+- don't create the daemon pidfile until after we've connected to the D-Bus
+ (still more of #596719)
+
+* Tue Jun 8 2010 Nalin Dahyabhai 0.24-1
+- update to 0.24
+ - keep the lock on the pid file, if we have one, when we fork, and cancel
+ daemon startup if we can't gain ownership of the lock (the rest of #596719)
+ - make the man pages note which external configuration files we consult when
+ submitting requests to certmaster and ipa CAs
+
+* Thu May 27 2010 Nalin Dahyabhai 0.23-1
+- update to 0.23
+ - new translations
+ - pl by Piotr Drąg!
+ - cancel daemon startup if we can't gain ownership of our well-known
+ service name on the DBus (#596719)
+
+* Fri May 14 2010 Nalin Dahyabhai 0.22-1
+- update to 0.22
+ - new translations
+ - de by Fabian Affolter! 
+ - certmaster-submit: don't fall over when we can't find a certmaster.conf
+ or a minion.conf (i.e., certmaster isn't installed) (#588932)
+ - when reading extension values from certificates, prune out duplicate
+ principal names, email addresses, and hostnames
+
+* Tue May 4 2010 Nalin Dahyabhai 0.21-1
+- update to 0.21
+ - getcert/*-getcert: relay the desired CA to the local service, whether
+ specified on the command line (in getcert) or as a built-in hard-wired
+ default (in *-getcert) (#584983)
+ - flesh out the default certmonger.conf so that people can get a feel for
+ the expected formatting (Jenny Galipeau)
+
+* Wed Apr 21 2010 Nalin Dahyabhai 0.20-1
+- update to 0.20
+ - correctly parse certificate validity periods given in years (spotted by
+ Stephen Gallagher)
+ - setup for translation
+ - es by Héctor Daniel Cabrera!
+ - ru by Yulia Poyarkova!
+ - uk by Yuri Chornoivan!
+ - fix unpreprocessed defaults in certmonger.conf's man page
+ - tweak the IPA-specific message that indicates a principal name also needs
+ to be specified if we're not using the default subject name (#579542)
+ - make the validity period of self-signed certificates into a configuration
+ setting and not a piece of the state information we track about the signer
+ - init script: exit with status 2 instead of 1 when invoked with an
+ unrecognized argument (#584517)
+
+* Tue Mar 23 2010 Nalin Dahyabhai 0.19-1
+- update to 0.19
+ - correctly initialize NSS databases that need to be using a PIN
+ - add certmonger.conf, for customizing notification timings and settings,
+ and use of digests other than the previously-hard-coded SHA256, and
+ drop those settings from individual requests
+ - up the default self-sign validity interval from 30 days to 365 days
+ - drop the first default notification interval from 30 days to 28 days
+ (these two combined to create a fun always-reissuing loop earlier)
+ - record the token which contains the key or certificate when we're
+ storing them in an NSS 
database, and report it
+ - improve handling of cases where we're supposed to use a PIN but we
+ either don't have one or we have the wrong one
+ - teach getcert to accept a PIN file's name or a PIN value when adding
+ a new entry
+ - update the IPA submission helper to use the new 'request_cert' signature
+ that's landing soon
+ - more tests
+
+* Fri Feb 12 2010 Nalin Dahyabhai 0.18-1
+- update to 0.18
+ - add support for using encrypted storage for keys, using PIN values
+ supplied directly or read from files whose names are supplied
+ - don't choke on NSS database locations that use the "sql:" or "dbm:"
+ prefix
+
+* Mon Jan 25 2010 Nalin Dahyabhai 0.17-2
+- make the D-Bus configuration file (noreplace) (#541072)
+- make the %%check section and the deps we have just for it conditional on
+ the same macro (#541072)
+
+* Wed Jan 6 2010 Nalin Dahyabhai 0.17-1
+- update to 0.17
+ - fix a hang in the daemon (Rob Crittenden)
+ - documentation updates
+ - fix parsing of submission results from IPA (Rob Crittenden)
+
+* Fri Dec 11 2009 Nalin Dahyabhai 0.16-1
+- update to 0.16
+ - set a umask at startup (Dan Walsh)
+
+* Tue Dec 8 2009 Nalin Dahyabhai 0.15-1
+- update to 0.15
+ - notice that a directory with a trailing '/' is the same location as the
+ directory without it
+ - fix handling of the pid file when we write one (by actually giving it
+ contents)
+
+* Wed Nov 25 2009 Nalin Dahyabhai 0.14-1
+- update to 0.14
+ - check key and certificate location at add-time to make sure they're
+ absolute paths to files or directories, as appropriate
+ - IPA: dig into the 'result' item if the named result value we're looking
+ for isn't in the result struct
+
+* Tue Nov 24 2009 Nalin Dahyabhai 0.13-1
+- update to 0.13
+ - change the default so that we default to trying to auto-refresh
+ certificates unless told otherwise
+ - preemptively enforce limitations on request nicknames so that they
+ make valid D-Bus object path components
+
+* Tue Nov 24 2009 Nalin Dahyabhai 0.12-1
+- 
update to 0.12
+ - add a crucial bit of error reporting when CAs reject our requests
+ - count the number of configured CAs correctly
+
+* Mon Nov 23 2009 Nalin Dahyabhai 0.11-1
+- update to 0.11
+ - add XML-RPC submission for certmaster and IPA
+ - prune entries with duplicate names from the data store
+
+* Fri Nov 13 2009 Nalin Dahyabhai 0.10-1
+- update to 0.10
+ - add some compiler warnings and then fix them
+
+* Fri Nov 13 2009 Nalin Dahyabhai 0.9-1
+- update to 0.9
+ - run external submission helpers correctly
+ - fix signing of signing requests generated for keys stored in files
+ - only care about new interface and route notifications from netlink,
+ and ignore notifications that don't come from pid 0
+ - fix logic for determining expiration status
+ - correct the version number in self-signed certificates
+
+* Tue Nov 10 2009 Nalin Dahyabhai 0.8-1
+- update to 0.8
+ - encode windows UPN values in requests correctly
+ - watch for netlink routing changes and restart stalled submission requests
+ - 'getcert resubmit' can force a regeneration of the CSR and submission
+
+* Fri Nov 6 2009 Nalin Dahyabhai 0.7-1
+- update to 0.7
+ - first cut at a getting-started document
+ - refactor some internal key handling with NSS
+ - check for duplicate request nicknames at add-time
+
+* Tue Nov 3 2009 Nalin Dahyabhai 0.6-1
+- update to 0.6
+ - man pages
+ - 'getcert stop-tracking' actually makes the server forget now
+ - 'getcert request -e' was redundant, dropped the -e option
+ - 'getcert request -i' now sets the request nickname
+ - 'getcert start-tracking -i' now sets the request nickname
+
+* Mon Nov 2 2009 Nalin Dahyabhai 0.5-1
+- update to 0.5
+ - packaging fixes
+ - add a selfsign-getcert client
+ - self-signed certs now get basic constraints and their own serial numbers
+ - accept id-ms-kp-sc-logon as a named EKU value in a request
+
+* Thu Oct 29 2009 Nalin Dahyabhai 0.4-1
+- update to 0.4
+
+* Thu Oct 22 2009 Nalin Dahyabhai 0.1-1
+- update to 0.1
+
+* Sun Oct 
18 2009 Nalin Dahyabhai 0.0-1
+- initial package