diff --git a/.certmonger.metadata b/.certmonger.metadata index 0062f2b..45c296f 100644 --- a/.certmonger.metadata +++ b/.certmonger.metadata @@ -1 +1 @@ -40c73b20ce99e2ffd521c5e6039ab4982ef363b6 SOURCES/certmonger-0.79.14.tar.gz +ab77485e556d96c5c2b885ee3d0f27794276dfee SOURCES/certmonger-0.79.17.tar.gz diff --git a/.gitignore b/.gitignore index 9e0149e..f837024 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/certmonger-0.79.14.tar.gz +SOURCES/certmonger-0.79.17.tar.gz diff --git a/SOURCES/0002-candidate-openssl-3.0-compat-fixes.patch b/SOURCES/0002-candidate-openssl-3.0-compat-fixes.patch deleted file mode 100644 index 0d4ca18..0000000 --- a/SOURCES/0002-candidate-openssl-3.0-compat-fixes.patch +++ /dev/null @@ -1,573 +0,0 @@ -From 3fb9420e843694567a4976c6d5fbe4551d6e0c99 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 18 May 2021 15:40:53 -0400 -Subject: [PATCH 1/3] candidate openssl 3.0 compat fixes - ---- - src/keyiread-o.c | 16 +++++-- - src/util-o.c | 2 + - tests/001-keyiread-ec/run.sh | 2 +- - tests/001-keyiread-rsa/run.sh | 2 +- - tests/001-keyiread/run.sh | 2 +- - tests/002-keygen-sql/prequal.sh | 5 +++ - tests/002-keygen/run.sh | 2 +- - tests/003-csrgen-ec/run.sh | 2 +- - tests/003-csrgen-rsa/run.sh | 2 +- - tests/003-csrgen/run.sh | 2 +- - tests/004-selfsign-ec/run.sh | 2 +- - tests/004-selfsign-rsa/run.sh | 2 +- - tests/004-selfsign/run.sh | 2 +- - tests/025-casave/run.sh | 2 +- - tests/026-local/expected.openssl1 | 73 ++++++++++++++++++++++++++++++ - tests/026-local/expected.openssl3 | 68 ++++++++++++++++++++++++++++ - tests/026-local/expected.out | 74 +------------------------------ - tests/026-local/run.sh | 11 ++++- - tests/030-rekey/expected.out | 4 -- - tests/030-rekey/run.sh | 10 +---- - tests/036-getcert/run.sh | 2 +- - 21 files changed, 184 insertions(+), 103 deletions(-) - create mode 100755 tests/002-keygen-sql/prequal.sh - create mode 100644 tests/026-local/expected.openssl1 - create mode 100644 tests/026-local/expected.openssl3 - -diff --git a/src/keyiread-o.c b/src/keyiread-o.c -index 9fceacf6..51f7f829 100644 ---- a/src/keyiread-o.c -+++ b/src/keyiread-o.c -@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - pubikey = cm_store_hex_from_bin(NULL, tmp, length); - } - tmp = NULL; -- length = i2d_PublicKey(pkey, (unsigned char **) &tmp); -+ length = i2d_PublicKey(pkey, NULL); - if (length > 0) { -- pubkey = cm_store_hex_from_bin(NULL, tmp, length); -+ tmp = malloc(length); -+ if (tmp != NULL) { -+ length = i2d_PublicKey(pkey, (unsigned char **) &tmp); -+ pubkey = cm_store_hex_from_bin(NULL, tmp, length); -+ } - } - } - fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey); -@@ -219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - pubikey = cm_store_hex_from_bin(NULL, tmp, length); - } - tmp = NULL; -- length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp); -+ length = i2d_PublicKey(nextpkey, NULL); - if (length > 0) { -- pubkey = cm_store_hex_from_bin(NULL, tmp, length); -+ tmp = malloc(length); -+ if (tmp != NULL) { -+ length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp); -+ pubkey = cm_store_hex_from_bin(NULL, tmp, length); -+ } - } - fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey); - } else { -diff --git a/src/util-o.c b/src/util-o.c -index 0415014a..2208ab64 100644 ---- a/src/util-o.c -+++ b/src/util-o.c -@@ -46,6 +46,7 @@ - void - util_o_init(void) - { -+#if OPENSSL_VERSION_MAJOR < 3 - #if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS - OpenSSL_add_all_algorithms(); - #elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS -@@ -53,6 +54,7 @@ util_o_init(void) - #else - SSL_library_init(); - #endif -+#endif - } - - char * -diff --git a/tests/001-keyiread-ec/run.sh b/tests/001-keyiread-ec/run.sh -index 3045f6d0..8a810d15 100755 ---- a/tests/001-keyiread-ec/run.sh -+++ b/tests/001-keyiread-ec/run.sh -@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do - EOF - $toolsdir/keyiread entry.nss.$size - # Export the key. -- if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then -+ if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then - echo Error exporting key for $size, continuing. - continue - fi -diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh -index c6b4d38b..997ce000 100755 ---- a/tests/001-keyiread-rsa/run.sh -+++ b/tests/001-keyiread-rsa/run.sh -@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do - -s "cn=T$size" -c "cn=T$size" \ - -x -t u -k rsa - # Export the key. -- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 -+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 - openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 - cat > entry.openssl.$size <<- EOF - key_storage_type=FILE -diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh -index 25acdbd8..3a2502a6 100755 ---- a/tests/001-keyiread/run.sh -+++ b/tests/001-keyiread/run.sh -@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do - -s "cn=T$size" -c "cn=T$size" \ - -x -t u - # Export the key. -- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 -+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 - openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 - cat > entry.openssl.$size <<- EOF - key_storage_type=FILE -diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh -new file mode 100755 -index 00000000..d146a650 ---- /dev/null -+++ b/tests/002-keygen-sql/prequal.sh -@@ -0,0 +1,5 @@ -+#!/bin/sh -+if test `id -u` -eq 0 ; then -+ echo "This test won't work right if run as root." -+ exit 1 -+fi -diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh -index 8bb609c5..e7e6525f 100755 ---- a/tests/002-keygen/run.sh -+++ b/tests/002-keygen/run.sh -@@ -2,7 +2,7 @@ - - cd "$tmpdir" - --scheme="${scheme:-dbm:}" -+scheme="${scheme:-sql:}" - - source "$srcdir"/functions - initnssdb "$scheme$tmpdir" -diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh -index 91117ec8..408ea526 100755 ---- a/tests/003-csrgen-ec/run.sh -+++ b/tests/003-csrgen-ec/run.sh -@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \ - -s "cn=T$size" -c "cn=T$size" \ - -x -t u -k ec -q $size - # Export the key. --pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 -+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 - openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : ) - # Read the public key and cache it. - cat > entry.openssl.$size <<- EOF -diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh -index bb8ebecb..9c11c708 100755 ---- a/tests/003-csrgen-rsa/run.sh -+++ b/tests/003-csrgen-rsa/run.sh -@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do - -s "cn=T$size" -c "cn=T$size" \ - -x -t u -k rsa - # Export the key. -- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" -+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" - openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : ) - # Read the public key and cache it. - cat > entry.openssl.$size <<- EOF -diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh -index d3dfbaf0..2a674679 100755 ---- a/tests/003-csrgen/run.sh -+++ b/tests/003-csrgen/run.sh -@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do - -s "cn=T$size" -c "cn=T$size" \ - -x -t u - # Export the key. -- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" -+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" - openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : ) - # Read the public key and cache it. - cat > entry.openssl.$size <<- EOF -diff --git a/tests/004-selfsign-ec/run.sh b/tests/004-selfsign-ec/run.sh -index 9d5bd11f..d1161fe5 100755 ---- a/tests/004-selfsign-ec/run.sh -+++ b/tests/004-selfsign-ec/run.sh -@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \ - -s "cn=T$size" -c "cn=T$size" \ - -x -t u -k ec -q $size - # Export the certificate and key. --pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 -+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 - openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1 - # Read that OpenSSL key. - cat > entry.$size <<- EOF -diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh -index c1dd4c80..b0cc71d2 100755 ---- a/tests/004-selfsign-rsa/run.sh -+++ b/tests/004-selfsign-rsa/run.sh -@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do - -s "cn=T$size" -c "cn=T$size" \ - -x -t u -k rsa - # Export the certificate and key. -- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 -+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 - openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1 - # Read that OpenSSL key. - cat > entry.$size <<- EOF -diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh -index eb1df4ee..ea00f4d7 100755 ---- a/tests/004-selfsign/run.sh -+++ b/tests/004-selfsign/run.sh -@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do - -s "cn=T$size" -c "cn=T$size" \ - -x -t u - # Export the certificate and key. -- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 -+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 - openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1 - # Read that OpenSSL key. - cat > entry.$size <<- EOF -diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh -index d81df82f..089d8223 100755 ---- a/tests/025-casave/run.sh -+++ b/tests/025-casave/run.sh -@@ -2,7 +2,7 @@ - - cd $tmpdir - --scheme="${scheme:-dbm}" -+scheme="${scheme:-sql}" - cat > $tmpdir/entrycb1 <<- EOF - id=EntryCB1 - ca_name=CAB1 -diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1 -new file mode 100644 -index 00000000..1f81c7ce ---- /dev/null -+++ b/tests/026-local/expected.openssl1 -@@ -0,0 +1,73 @@ -+[key] -+OK. -+[csr] -+Certificate Request: -+ Data: -+ Version: 1 (0x0) -+ Subject: CN=Babs Jensen's Signer -+ Attributes: -+ friendlyName :unable to print attribute -+ Requested Extensions: -+ X509v3 Key Usage: -+ Digital Signature, Certificate Sign, CRL Sign -+ X509v3 Subject Alternative Name: -+ email:root@localhost, email:root@localhost.localdomain -+ X509v3 Basic Constraints: critical -+ CA:TRUE -+ X509v3 Authority Key Identifier: -+ keyid:(160 bits) -+ -+ X509v3 Subject Key Identifier: -+ (160 bits) -+ Authority Information Access: -+ OCSP - URI:http://ocsp-1.example.com:12345 -+ OCSP - URI:http://ocsp-2.example.com:12345 -+ -+ OCSP No Check: -+ -+[issue] -+[issuer] -+Certificate: -+ Data: -+ Version: 3 (0x2) -+ Signature Algorithm: sha256WithRSAEncryption -+ Issuer: CN=Local Signing Authority, CN=$UUID -+ Subject: CN=Local Signing Authority, CN=$UUID -+ X509v3 extensions: -+ X509v3 Basic Constraints: critical -+ CA:TRUE -+ X509v3 Subject Key Identifier: -+ (160 bits) -+ X509v3 Authority Key Identifier: -+ keyid:(160 bits) -+ -+ X509v3 Key Usage: critical -+ Digital Signature, Certificate Sign, CRL Sign -+[subject] -+Certificate: -+ Data: -+ Version: 3 (0x2) -+ Signature Algorithm: sha256WithRSAEncryption -+ Issuer: CN=Local Signing Authority, CN=$UUID -+ Subject: CN=Babs Jensen's Signer -+ X509v3 extensions: -+ X509v3 Key Usage: -+ Digital Signature, Certificate Sign, CRL Sign -+ X509v3 Subject Alternative Name: -+ email:root@localhost, email:root@localhost.localdomain -+ X509v3 Basic Constraints: critical -+ CA:TRUE -+ X509v3 Authority Key Identifier: -+ keyid:(160 bits) -+ -+ X509v3 Subject Key Identifier: -+ (160 bits) -+ Authority Information Access: -+ OCSP - URI:http://ocsp-1.example.com:12345 -+ OCSP - URI:http://ocsp-2.example.com:12345 -+ -+ OCSP No Check: -+ -+[verify] -+cert: OK -+OK. -diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3 -new file mode 100644 -index 00000000..05666ccc ---- /dev/null -+++ b/tests/026-local/expected.openssl3 -@@ -0,0 +1,68 @@ -+[key] -+OK. -+[csr] -+Certificate Request: -+ Data: -+ Version: 1 (0x0) -+ Subject: CN=Babs Jensen's Signer -+ Attributes: -+ friendlyName :unable to print attribute -+ Requested Extensions: -+ X509v3 Key Usage: -+ Digital Signature, Certificate Sign, CRL Sign -+ X509v3 Subject Alternative Name: -+ email:root@localhost, email:root@localhost.localdomain -+ X509v3 Basic Constraints: critical -+ CA:TRUE -+ X509v3 Authority Key Identifier: -+ (160 bits) -+ X509v3 Subject Key Identifier: -+ (160 bits) -+ Authority Information Access: -+ OCSP - URI:http://ocsp-1.example.com:12345 -+ OCSP - URI:http://ocsp-2.example.com:12345 -+ OCSP No Check: -+ -+[issue] -+[issuer] -+Certificate: -+ Data: -+ Version: 3 (0x2) -+ Signature Algorithm: sha256WithRSAEncryption -+ Issuer: CN=Local Signing Authority, CN=$UUID -+ Subject: CN=Local Signing Authority, CN=$UUID -+ X509v3 extensions: -+ X509v3 Basic Constraints: critical -+ CA:TRUE -+ X509v3 Subject Key Identifier: -+ (160 bits) -+ X509v3 Authority Key Identifier: -+ (160 bits) -+ X509v3 Key Usage: critical -+ Digital Signature, Certificate Sign, CRL Sign -+[subject] -+Certificate: -+ Data: -+ Version: 3 (0x2) -+ Signature Algorithm: sha256WithRSAEncryption -+ Issuer: CN=Local Signing Authority, CN=$UUID -+ Subject: CN=Babs Jensen's Signer -+ X509v3 extensions: -+ X509v3 Key Usage: -+ Digital Signature, Certificate Sign, CRL Sign -+ X509v3 Subject Alternative Name: -+ email:root@localhost, email:root@localhost.localdomain -+ X509v3 Basic Constraints: critical -+ CA:TRUE -+ X509v3 Authority Key Identifier: -+ (160 bits) -+ X509v3 Subject Key Identifier: -+ (160 bits) -+ Authority Information Access: -+ OCSP - URI:http://ocsp-1.example.com:12345 -+ OCSP - URI:http://ocsp-2.example.com:12345 -+ OCSP No Check: -+ -+[verify] -+cert: OK -+OK. -diff --git a/tests/026-local/expected.out b/tests/026-local/expected.out -index 1f81c7ce..64afb8f5 100644 ---- a/tests/026-local/expected.out -+++ b/tests/026-local/expected.out -@@ -1,73 +1 @@ --[key] --OK. --[csr] --Certificate Request: -- Data: -- Version: 1 (0x0) -- Subject: CN=Babs Jensen's Signer -- Attributes: -- friendlyName :unable to print attribute -- Requested Extensions: -- X509v3 Key Usage: -- Digital Signature, Certificate Sign, CRL Sign -- X509v3 Subject Alternative Name: -- email:root@localhost, email:root@localhost.localdomain -- X509v3 Basic Constraints: critical -- CA:TRUE -- X509v3 Authority Key Identifier: -- keyid:(160 bits) -- -- X509v3 Subject Key Identifier: -- (160 bits) -- Authority Information Access: -- OCSP - URI:http://ocsp-1.example.com:12345 -- OCSP - URI:http://ocsp-2.example.com:12345 -- -- OCSP No Check: -- --[issue] --[issuer] --Certificate: -- Data: -- Version: 3 (0x2) -- Signature Algorithm: sha256WithRSAEncryption -- Issuer: CN=Local Signing Authority, CN=$UUID -- Subject: CN=Local Signing Authority, CN=$UUID -- X509v3 extensions: -- X509v3 Basic Constraints: critical -- CA:TRUE -- X509v3 Subject Key Identifier: -- (160 bits) -- X509v3 Authority Key Identifier: -- keyid:(160 bits) -- -- X509v3 Key Usage: critical -- Digital Signature, Certificate Sign, CRL Sign --[subject] --Certificate: -- Data: -- Version: 3 (0x2) -- Signature Algorithm: sha256WithRSAEncryption -- Issuer: CN=Local Signing Authority, CN=$UUID -- Subject: CN=Babs Jensen's Signer -- X509v3 extensions: -- X509v3 Key Usage: -- Digital Signature, Certificate Sign, CRL Sign -- X509v3 Subject Alternative Name: -- email:root@localhost, email:root@localhost.localdomain -- X509v3 Basic Constraints: critical -- CA:TRUE -- X509v3 Authority Key Identifier: -- keyid:(160 bits) -- -- X509v3 Subject Key Identifier: -- (160 bits) -- Authority Information Access: -- OCSP - URI:http://ocsp-1.example.com:12345 -- OCSP - URI:http://ocsp-2.example.com:12345 -- -- OCSP No Check: -- --[verify] --cert: OK --OK. -+# purposely empty -diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh -index 6f0e74c9..3e7ade56 100755 ---- a/tests/026-local/run.sh -+++ b/tests/026-local/run.sh -@@ -1,4 +1,13 @@ --#!/bin/bash -e -+#!/bin/bash -+ -+openssl cmp -h > /dev/null 2>&1 -+if [ $? == 1 ]; then -+ cp expected.openssl1 expected.out -+else -+ cp expected.openssl3 expected.out -+fi -+ -+set -e - - cd $tmpdir - -diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out -index e9a04221..8a9ac3fa 100644 ---- a/tests/030-rekey/expected.out -+++ b/tests/030-rekey/expected.out -@@ -11,7 +11,6 @@ key_requested_count=0 - (submit OpenSSL) - key_issued_count=0 - key_requested_count=1 --First round certificates OK. - NSS keys before re-keygen (preserve=1,pin=""): - <-> rsa originalhex NSS Certificate DB:i2048 - key_issued_count=0 -@@ -98,7 +97,6 @@ key_requested_count=0 - (submit OpenSSL) - key_issued_count=0 - key_requested_count=1 --First round certificates OK. - NSS keys before re-keygen (preserve=1,pin="password"): - <-> rsa originalhex NSS Certificate DB:i2048 - key_issued_count=0 -@@ -185,7 +183,6 @@ key_requested_count=0 - (submit OpenSSL) - key_issued_count=0 - key_requested_count=1 --First round certificates OK. - NSS keys before re-keygen (preserve=0,pin=""): - <-> rsa originalhex NSS Certificate DB:i2048 - key_issued_count=0 -@@ -270,7 +267,6 @@ key_requested_count=0 - (submit OpenSSL) - key_issued_count=0 - key_requested_count=1 --First round certificates OK. - NSS keys before re-keygen (preserve=0,pin="password"): - <-> rsa originalhex NSS Certificate DB:i2048 - key_issued_count=0 -diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh -index 07fea683..7b9125ec 100755 ---- a/tests/030-rekey/run.sh -+++ b/tests/030-rekey/run.sh -@@ -31,7 +31,7 @@ for preserve in 1 0 ; do - -s "cn=T$size" -c "cn=T$size" \ - -x -t u -m 4660 -f pinfile - # Export the certificate and key. -- pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1 -+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1 - openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size - openssl pkcs12 -in $size.p12 -passin pass: -nokeys -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size - # Grab a copy of the public key. -@@ -101,14 +101,6 @@ for preserve in 1 0 ; do - echo '(submit OpenSSL)' - $toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size - grep ^key.\*count= entry.openssl.$size | LANG=C sort -- # Now compare the self-signed certificates built from the keys. -- if ! cmp cert.nss.$size cert.openssl.$size ; then -- echo First round certificates differ: -- cat cert.nss.$size cert.openssl.$size -- exit 1 -- else -- echo First round certificates OK. -- fi - - # Now generate new keys, CSRs, and certificates (NSS). - echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):" -diff --git a/tests/036-getcert/run.sh b/tests/036-getcert/run.sh -index 1c99803d..bcb821d7 100755 ---- a/tests/036-getcert/run.sh -+++ b/tests/036-getcert/run.sh -@@ -51,7 +51,7 @@ listdb() { - } - - extract() { -- pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K "" -+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K "" - openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert - openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key - echo -n cert: --- -2.26.3 - diff --git a/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch b/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch deleted file mode 100644 index 2016234..0000000 --- a/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch +++ /dev/null @@ -1,46 +0,0 @@ -From f6672effea3cf9e50d6d3f29c1fbfbf6b1578e06 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 28 Sep 2021 10:01:35 -0400 -Subject: [PATCH] Add compile check for EVP_PKEY_get_id along with EVP_PKEY_id - -EVP_PKEY_id is no longer available as a function, only as a preprocessor -macro, so AC_CHECK_FUNCS cannot recognize it. - -This was changed in OpenSSL 3.0.0-beta2 - -https://bugzilla.redhat.com/show_bug.cgi?id=2008451 - -Signed-off-by: Rob Crittenden ---- - configure.ac | 1 + - src/util-o.c | 2 +- - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 8bfa3fa..3b413a1 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -374,6 +374,7 @@ if ! ${configure_dist_target_only:-false} ; then - AC_CHECK_FUNCS(ASN1_TIME_set) - AC_CHECK_FUNCS(EVP_PKEY_base_id) - AC_CHECK_FUNCS(EVP_PKEY_id) -+ AC_CHECK_FUNCS(EVP_PKEY_get_id) - AC_CHECK_FUNCS(OBJ_get0_data) - AC_CHECK_FUNCS(OBJ_length) - AC_CHECK_FUNCS(X509_ATTRIBUTE_get0_object) -diff --git a/src/util-o.c b/src/util-o.c -index 2208ab6..db45964 100644 ---- a/src/util-o.c -+++ b/src/util-o.c -@@ -329,7 +329,7 @@ util_ASN1_TIME_set(ASN1_TIME *str, time_t t) - int - util_EVP_PKEY_id(const EVP_PKEY *pkey) - { --#ifdef HAVE_EVP_PKEY_ID -+#if defined(HAVE_EVP_PKEY_ID) || defined(HAVE_EVP_PKEY_GET_ID) - return EVP_PKEY_id(pkey); - #else - return pkey->type; --- -2.31.1 - diff --git a/SOURCES/0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch b/SOURCES/0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch deleted file mode 100644 index 3ebf548..0000000 --- a/SOURCES/0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch +++ /dev/null @@ -1,123 +0,0 @@ -From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 9 Jul 2021 20:49:28 +0000 -Subject: [PATCH] Add SCEP config option to treat the challenge password as an - OTP - -SCEP RFC 8894 specifies that a challenge password SHOULD be -removed from subsequent requests but that it MAY be included. - -This adds a new configuration option to treat the challenge password -as a one-time password (OTP) so that it will not be sent on -subsequent requests, like renewals, by removing it completely -from the tracking request. - -This allows certmonger to be able to renew AD-issued SCEP certificates -if the AD registry entry DisableRenewalSubjectNameMatch is set to 1. - -https://bugzilla.redhat.com/show_bug.cgi?id=1577570 - -Signed-off-by: Rob Crittenden ---- - src/certmonger.conf.5.in | 9 +++++++++ - src/certsave.c | 13 +++++++++++++ - src/prefs.c | 15 +++++++++++++++ - src/prefs.h | 4 ++++ - 4 files changed, 41 insertions(+) - -diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in -index 6a42d3cb..1b941b9d 100644 ---- a/src/certmonger.conf.5.in -+++ b/src/certmonger.conf.5.in -@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the - \fIselfsign\fR section, if one is set there, will be used. The default value - is \fI@CM_DEFAULT_CERT_LIFETIME@\fR. - -+.SH SCEP -+Within the \fIscep\fR section, these variables and values are recognized: -+ -+.IP challenge_password_otp -+This controls whether the SCEP challenge password is treated as a one-time -+password. If set to yes then the challenge password and/or challenge password -+file will be removed from the tracking request after the first certificate -+issuance so will not be sent with renewal requests. The default is no. -+ - .SH BUGS - Please file tickets for any that you find at https://fedorahosted.org/certmonger/ - -diff --git a/src/certsave.c b/src/certsave.c -index 6eaafe59..f8503662 100644 ---- a/src/certsave.c -+++ b/src/certsave.c -@@ -18,12 +18,25 @@ - #include "config.h" - #include "certsave.h" - #include "certsave-int.h" -+#include "prefs.h" - #include "store-int.h" -+#include "talloc.h" - - /* Start writing the certificate from the entry to the configured location. */ - struct cm_certsave_state * - cm_certsave_start(struct cm_store_entry *entry) - { -+ /* If saving a SCEP certificate wipe out the challenge password */ -+ if ((cm_prefs_scep_password_otp()) && -+ (entry->cm_template_challenge_password != NULL) && -+ (entry->cm_scep_nonce != NULL)) -+ { -+ talloc_free(entry->cm_template_challenge_password); -+ entry->cm_template_challenge_password = NULL; -+ talloc_free(entry->cm_template_challenge_password_file); -+ entry->cm_template_challenge_password_file = NULL; -+ } -+ - switch (entry->cm_cert_storage_type) { - #ifdef HAVE_OPENSSL - case cm_cert_storage_file: -diff --git a/src/prefs.c b/src/prefs.c -index 669e8f1f..52ffc908 100644 ---- a/src/prefs.c -+++ b/src/prefs.c -@@ -595,3 +595,18 @@ prefs_max_key_use_count(void) - } - return count; - } -+ -+int -+cm_prefs_scep_password_otp(void) -+{ -+ static int populate = -1; -+ if (populate == -1) { -+ const char *val; -+ val = cm_prefs_config("scep", "challenge_password_otp"); -+ if (val == NULL) { -+ val = "no"; -+ } -+ populate = cm_prefs_yesno(val); -+ } -+ return populate != -1 ? populate : 0; -+} -diff --git a/src/prefs.h b/src/prefs.h -index 248e1016..a107fb6c 100644 ---- a/src/prefs.h -+++ b/src/prefs.h -@@ -18,6 +18,8 @@ - #ifndef cmprefs_h - #define cmprefs_h - -+#include -+ - enum cm_prefs_cipher { - cm_prefs_aes128, - cm_prefs_aes192, -@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void); - long long prefs_key_end_of_life(time_t ref); - long prefs_max_key_use_count(void); - -+int cm_prefs_scep_password_otp(void); -+ - #endif --- -2.31.1 - diff --git a/SOURCES/0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch b/SOURCES/0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch deleted file mode 100644 index fd30ffb..0000000 --- a/SOURCES/0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch +++ /dev/null @@ -1,37 +0,0 @@ -From b4c090d2e12956a2df6157592839936adf4024f4 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 12 Aug 2021 16:26:09 -0400 -Subject: [PATCH] Fix file descriptor leak when executing CA helpers - -cm_cadata_start_generic() creates a pipe. One half is passed -to fetch(), the function that does all helper calls, -via the cm_cadata_state variable ret. The other half is the -reader and is used to detect execution errors. There is a pair -of write/read on this descriptor which on error would be the -errno. - -This second half wasn't being closed after reading to test for -errors. - -https://bugzilla.redhat.com/show_bug.cgi?id=1992439 - -Signed-off-by: Rob Crittenden ---- - src/cadata.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/cadata.c b/src/cadata.c -index cb9c13e2..c2764d3b 100644 ---- a/src/cadata.c -+++ b/src/cadata.c -@@ -773,6 +773,7 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op, - ca->cm_ca_external_helper, strerror(u)); - /* return the state so the process can be reaped */ - } -+ close(error_fd[0]); - return ret; - } - --- -2.31.1 - diff --git a/SOURCES/0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch b/SOURCES/0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch deleted file mode 100644 index e8db81a..0000000 --- a/SOURCES/0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 46cd5a7d9434ed104093152bdf0a55404e6a1c6b Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 5 Oct 2021 11:04:10 -0400 -Subject: [PATCH] Update csrgen test to understand OpenSSL 3.0.0 output - -OpenSSL 3.0.0 change a lot of output messages. When verifying -a certificate instead of printing just "verify OK" it prints -"Certificate request self-signature verify OK" - -Modify the check to match both OpenSSL 1.x and 3.x - -Related: https://pagure.io/certmonger/issue/223 - -Signed-off-by: Rob Crittenden ---- - tests/003-csrgen-ec/run.sh | 4 ++-- - tests/003-csrgen-rsa/run.sh | 4 ++-- - tests/003-csrgen/run.sh | 4 ++-- - 3 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh -index 91117ec8..7c0505f8 100755 ---- a/tests/003-csrgen-ec/run.sh -+++ b/tests/003-csrgen-ec/run.sh -@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss. - openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der - # The RSA tests already verify the contents of the requests, so we really only - # need to care about the signatures passing verification. --openssl req -verify -noout < csr.nss.$size 2>&1 --openssl req -verify -noout < csr.openssl.$size 2>&1 -+openssl req -verify -noout -noenc < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //' -+openssl req -verify -noout -noenc < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //' - openssl spkac -verify -noout < spkac.nss.$size 2>&1 - openssl spkac -verify -noout < spkac.openssl.$size 2>&1 - openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1 -diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh -index bb8ebecb..4f0c0ef0 100755 ---- a/tests/003-csrgen-rsa/run.sh -+++ b/tests/003-csrgen-rsa/run.sh -@@ -118,14 +118,14 @@ iterate() { - echo key_pubkey=616263 >> entry.openssl.$size - $toolsdir/csrgen entry.nss.$size > csr.nss.$size - # Both should verify. -- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then -+ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then - echo Signature failed for OpenSSL: - cat csr.openssl.$size - echo Private key: - awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size - exit 1 - fi -- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then -+ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then - echo Signature failed for NSS: - cat csr.nss.$size - echo Private key: -diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh -index d3dfbaf0..093beabf 100755 ---- a/tests/003-csrgen/run.sh -+++ b/tests/003-csrgen/run.sh -@@ -170,14 +170,14 @@ iterate() { - echo key_pubkey=616263 >> entry.openssl.$size - $toolsdir/csrgen entry.nss.$size > csr.nss.$size - # Both should verify. -- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then -+ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then - echo Signature failed for OpenSSL: - cat csr.openssl.$size - echo Private key: - awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size - exit 1 - fi -- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then -+ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then - echo Signature failed for NSS: - cat csr.nss.$size - echo Private key: --- -2.31.1 - diff --git a/SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch b/SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch deleted file mode 100644 index 9264e87..0000000 --- a/SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch +++ /dev/null @@ -1,280 +0,0 @@ -From e3e4679693efc60bc7a25983909ddfa6883ab2ec Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 4 Oct 2021 18:52:53 +0200 -Subject: [PATCH] Use implicit, empty FALSE for extensions - -Cemplate had a bug that caused certmonger to create CSRs with invalid DER. -It was encoding extension's critical element even for default value FALSE. - -Fixes: https://pagure.io/certmonger/issue/223 -Signed-off-by: Christian Heimes ---- - src/certext.c | 7 +- - tests/003-csrgen-rsa/expected.out | 82 ++++++++++------------ - tests/003-csrgen/expected.out | 110 +++++++++++++----------------- - 3 files changed, 91 insertions(+), 108 deletions(-) - -diff --git a/src/certext.c b/src/certext.c -index 0d66971e..e5e0b4dc 100644 ---- a/src/certext.c -+++ b/src/certext.c -@@ -1706,9 +1706,12 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry, - CERTCertExtension ext[13], *exts[14], **exts_ptr; - SECOidData *oid; - SECItem *item, encoded; -+ /* X509v3 extension's critical element has an implicit default, -+ * see https://pagure.io/certmonger/issue/223 -+ */ - SECItem der_false = { -- .len = 1, -- .data = (unsigned char *) "\000", -+ .len = 0, -+ .data = NULL, - }; - SECItem der_true = { - .len = 1, -diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out -index def53fe4..0fb88323 100644 ---- a/tests/003-csrgen-rsa/expected.out -+++ b/tests/003-csrgen-rsa/expected.out -@@ -8,8 +8,8 @@ pk12util: PKCS12 EXPORT SUCCESSFUL - 4096 OK. - Signature OK - The last CSR (the one with everything) was: -- 0:d=0 hl=4 l=1413 cons: SEQUENCE -- 4:d=1 hl=4 l=1133 cons: SEQUENCE -+ 0:d=0 hl=4 l=1389 cons: SEQUENCE -+ 4:d=1 hl=4 l=1109 cons: SEQUENCE - 8:d=2 hl=2 l= 1 prim: INTEGER :00 - 11:d=2 hl=2 l= 22 cons: SEQUENCE - 13:d=3 hl=2 l= 20 cons: SET -@@ -21,7 +21,7 @@ The last CSR (the one with everything) was: - 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption - 52:d=4 hl=2 l= 0 prim: NULL - 54:d=3 hl=4 l= 271 prim: BIT STRING -- 329:d=2 hl=4 l= 808 cons: cont [ 0 ] -+ 329:d=2 hl=4 l= 784 cons: cont [ 0 ] - 333:d=3 hl=2 l= 52 cons: SEQUENCE - 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword - 346:d=4 hl=2 l= 39 cons: SET -@@ -30,48 +30,40 @@ The last CSR (the one with everything) was: - 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName - 400:d=4 hl=2 l= 48 cons: SET - 402:d=5 hl=2 l= 46 prim: BMPSTRING -- 450:d=3 hl=4 l= 687 cons: SEQUENCE -+ 450:d=3 hl=4 l= 663 cons: SEQUENCE - 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request -- 465:d=4 hl=4 l= 672 cons: SET -- 469:d=5 hl=4 l= 668 cons: SEQUENCE -- 473:d=6 hl=2 l= 14 cons: SEQUENCE -+ 465:d=4 hl=4 l= 648 cons: SET -+ 469:d=5 hl=4 l= 644 cons: SEQUENCE -+ 473:d=6 hl=2 l= 11 cons: SEQUENCE - 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage -- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 -- 489:d=6 hl=4 l= 264 cons: SEQUENCE -- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name -- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74 -- 757:d=6 hl=2 l= 32 cons: SEQUENCE -- 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage -- 764:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 -- 791:d=6 hl=2 l= 18 cons: SEQUENCE -- 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints -- 798:d=7 hl=2 l= 1 prim: BOOLEAN :255 -- 801:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 -- 811:d=6 hl=2 l= 34 cons: SEQUENCE -- 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier -- 818:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D -- 847:d=6 hl=2 l= 32 cons: SEQUENCE -- 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier -- 854:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D -- 881:d=6 hl=2 l= 107 cons: SEQUENCE -- 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access -- 893:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 -- 990:d=6 hl=2 l= 96 cons: SEQUENCE -- 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points -- 997:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 -- 1088:d=6 hl=2 l= 51 cons: SEQUENCE -- 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment -- 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 -- 1141:d=1 hl=2 l= 13 cons: SEQUENCE -- 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption -- 1154:d=2 hl=2 l= 0 prim: NULL -- 1156:d=1 hl=4 l= 257 prim: BIT STRING -+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 -+ 486:d=6 hl=4 l= 261 cons: SEQUENCE -+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name -+ 495:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74 -+ 751:d=6 hl=2 l= 29 cons: SEQUENCE -+ 753:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage -+ 758:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 -+ 782:d=6 hl=2 l= 18 cons: SEQUENCE -+ 784:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints -+ 789:d=7 hl=2 l= 1 prim: BOOLEAN :255 -+ 792:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 -+ 802:d=6 hl=2 l= 31 cons: SEQUENCE -+ 804:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier -+ 809:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D -+ 835:d=6 hl=2 l= 29 cons: SEQUENCE -+ 837:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier -+ 842:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D -+ 866:d=6 hl=2 l= 104 cons: SEQUENCE -+ 868:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access -+ 878:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 -+ 972:d=6 hl=2 l= 93 cons: SEQUENCE -+ 974:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points -+ 979:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 -+ 1067:d=6 hl=2 l= 48 cons: SEQUENCE -+ 1069:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment -+ 1080:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 -+ 1117:d=1 hl=2 l= 13 cons: SEQUENCE -+ 1119:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption -+ 1130:d=2 hl=2 l= 0 prim: NULL -+ 1132:d=1 hl=4 l= 257 prim: BIT STRING - Test complete (32 combinations). -diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out -index 46e010cf..1081a678 100644 ---- a/tests/003-csrgen/expected.out -+++ b/tests/003-csrgen/expected.out -@@ -11,8 +11,8 @@ Signature OK - minicert.openssl.4096.pem: OK - 4096 OK. - The last CSR (the one with everything) was: -- 0:d=0 hl=4 l=1635 cons: SEQUENCE -- 4:d=1 hl=4 l=1355 cons: SEQUENCE -+ 0:d=0 hl=4 l=1599 cons: SEQUENCE -+ 4:d=1 hl=4 l=1319 cons: SEQUENCE - 8:d=2 hl=2 l= 1 prim: INTEGER :00 - 11:d=2 hl=2 l= 22 cons: SEQUENCE - 13:d=3 hl=2 l= 20 cons: SET -@@ -24,7 +24,7 @@ The last CSR (the one with everything) was: - 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption - 52:d=4 hl=2 l= 0 prim: NULL - 54:d=3 hl=4 l= 271 prim: BIT STRING -- 329:d=2 hl=4 l=1030 cons: cont [ 0 ] -+ 329:d=2 hl=4 l= 994 cons: cont [ 0 ] - 333:d=3 hl=2 l= 52 cons: SEQUENCE - 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword - 346:d=4 hl=2 l= 39 cons: SET -@@ -33,64 +33,52 @@ The last CSR (the one with everything) was: - 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName - 400:d=4 hl=2 l= 48 cons: SET - 402:d=5 hl=2 l= 46 prim: BMPSTRING -- 450:d=3 hl=4 l= 909 cons: SEQUENCE -+ 450:d=3 hl=4 l= 873 cons: SEQUENCE - 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request -- 465:d=4 hl=4 l= 894 cons: SET -- 469:d=5 hl=4 l= 890 cons: SEQUENCE -- 473:d=6 hl=2 l= 14 cons: SEQUENCE -+ 465:d=4 hl=4 l= 858 cons: SET -+ 469:d=5 hl=4 l= 854 cons: SEQUENCE -+ 473:d=6 hl=2 l= 11 cons: SEQUENCE - 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage -- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 -- 489:d=6 hl=4 l= 290 cons: SEQUENCE -- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name -- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001 -- 783:d=6 hl=2 l= 32 cons: SEQUENCE -- 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage -- 790:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 -- 817:d=6 hl=2 l= 18 cons: SEQUENCE -- 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints -- 824:d=7 hl=2 l= 1 prim: BOOLEAN :255 -- 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 -- 837:d=6 hl=2 l= 34 cons: SEQUENCE -- 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier -- 844:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D -- 873:d=6 hl=2 l= 32 cons: SEQUENCE -- 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier -- 880:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D -- 907:d=6 hl=2 l= 107 cons: SEQUENCE -- 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access -- 919:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 -- 1016:d=6 hl=2 l= 96 cons: SEQUENCE -- 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points -- 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 -- 1114:d=6 hl=2 l= 106 cons: SEQUENCE -- 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL -- 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 -- 1222:d=6 hl=2 l= 51 cons: SEQUENCE -- 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment -- 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 -- 1275:d=6 hl=2 l= 18 cons: SEQUENCE -- 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check -- 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 -- 1295:d=6 hl=2 l= 44 cons: SEQUENCE -- 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 -- 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 -- 1341:d=6 hl=2 l= 20 cons: SEQUENCE -- 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type -- 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 -- 1363:d=1 hl=2 l= 13 cons: SEQUENCE -- 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption -- 1376:d=2 hl=2 l= 0 prim: NULL -- 1378:d=1 hl=4 l= 257 prim: BIT STRING -+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 -+ 486:d=6 hl=4 l= 287 cons: SEQUENCE -+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name -+ 495:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001 -+ 777:d=6 hl=2 l= 29 cons: SEQUENCE -+ 779:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage -+ 784:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 -+ 808:d=6 hl=2 l= 18 cons: SEQUENCE -+ 810:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints -+ 815:d=7 hl=2 l= 1 prim: BOOLEAN :255 -+ 818:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 -+ 828:d=6 hl=2 l= 31 cons: SEQUENCE -+ 830:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier -+ 835:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D -+ 861:d=6 hl=2 l= 29 cons: SEQUENCE -+ 863:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier -+ 868:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D -+ 892:d=6 hl=2 l= 104 cons: SEQUENCE -+ 894:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access -+ 904:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 -+ 998:d=6 hl=2 l= 93 cons: SEQUENCE -+ 1000:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points -+ 1005:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 -+ 1093:d=6 hl=2 l= 103 cons: SEQUENCE -+ 1095:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL -+ 1100:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 -+ 1198:d=6 hl=2 l= 48 cons: SEQUENCE -+ 1200:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment -+ 1211:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 -+ 1248:d=6 hl=2 l= 15 cons: SEQUENCE -+ 1250:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check -+ 1261:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 -+ 1265:d=6 hl=2 l= 41 cons: SEQUENCE -+ 1267:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 -+ 1278:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 -+ 1308:d=6 hl=2 l= 17 cons: SEQUENCE -+ 1310:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type -+ 1321:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 -+ 1327:d=1 hl=2 l= 13 cons: SEQUENCE -+ 1329:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption -+ 1340:d=2 hl=2 l= 0 prim: NULL -+ 1342:d=1 hl=4 l= 257 prim: BIT STRING - Test complete (69 combinations). --- -2.31.1 - diff --git a/SOURCES/0009-Use-extensions-template-from-NSS.patch b/SOURCES/0009-Use-extensions-template-from-NSS.patch deleted file mode 100644 index 99e98c3..0000000 --- a/SOURCES/0009-Use-extensions-template-from-NSS.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 4 Oct 2021 15:55:44 +0200 -Subject: [PATCH] Use extensions template from NSS - -Drop certmonger's custom extension template and use the sequence of X509v3 -extensions template from NSS. - -The certmonger template had a bug that caused certmonger to create CSRs -with invalid DER. It was encoding extension's critical element even for -default value FALSE. - -Fixes: https://pagure.io/certmonger/issue/223 -Signed-off-by: Christian Heimes ---- - src/certext.c | 41 +---------------------------------------- - 1 file changed, 1 insertion(+), 40 deletions(-) - -diff --git a/src/certext.c b/src/certext.c -index be536987..0d66971e 100644 ---- a/src/certext.c -+++ b/src/certext.c -@@ -203,45 +203,6 @@ cm_ms_template_template[] = { - {0, 0, NULL, 0}, - }; - --/* RFC 5280, 4.1 */ --const SEC_ASN1Template --cm_certext_cert_extension_template[] = { -- { -- .kind = SEC_ASN1_SEQUENCE, -- .offset = 0, -- .sub = NULL, -- .size = sizeof(CERTCertExtension), -- }, -- { -- .kind = SEC_ASN1_OBJECT_ID, -- .offset = offsetof(CERTCertExtension, id), -- .sub = NULL, -- .size = sizeof(SECItem), -- }, -- { -- .kind = SEC_ASN1_BOOLEAN, -- .offset = offsetof(CERTCertExtension, critical), -- .sub = NULL, -- .size = sizeof(SECItem), -- }, -- { -- .kind = SEC_ASN1_OCTET_STRING, -- .offset = offsetof(CERTCertExtension, value), -- .sub = NULL, -- .size = sizeof(SECItem), -- }, -- {0, 0, NULL, 0}, --}; --const SEC_ASN1Template --cm_certext_sequence_of_cert_extension_template[] = { -- { -- .kind = SEC_ASN1_SEQUENCE_OF, -- .offset = 0, -- .sub = cm_certext_cert_extension_template, -- .size = sizeof(CERTCertExtension **), -- }, --}; -- - /* Windows 2000-style UPN */ - static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03}; - static const SECOidData oid_ms_upn_name = { -@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry, - /* Encode the sequence. */ - memset(&encoded, 0, sizeof(encoded)); - if (i > 1) { -- template = cm_certext_sequence_of_cert_extension_template; -+ template = CERT_SequenceOfCertExtensionTemplate; - if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr, - template) == &encoded) { - *extensions = talloc_memdup(entry, encoded.data, --- -2.31.1 - diff --git a/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch b/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch deleted file mode 100644 index 2bd9262..0000000 --- a/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch +++ /dev/null @@ -1,702 +0,0 @@ -From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 4 Nov 2021 13:51:31 -0400 -Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files - -If a non-PEM file was passed into add-scep-ca it would -accept it without question but later fail with: - -status: CA_UNREACHABLE -ca-error: Error: failed to verify signature on server response. - -Try to do basic validation of user-provided PEM files by: - -- stripping BEGIN/END headers -- removing newlines and carriage returns -- using OpenSSL EVP library to base64 decode the block - -This isn't fool-proof but it at least does some basic -sanity checking to ensure the file(s) exist and appear -to be PEM files. - -The unit tests use some Let's Encrypt CA certificates. - -https://bugzilla.redhat.com/show_bug.cgi?id=1492112 - -Signed-off-by: Rob Crittenden ---- - src/Makefile.am | 2 +- - src/getcert-add-scep-ca.1.in | 2 + - src/getcert.c | 39 ++++- - src/util-o.c | 144 ++++++++++++++++++ - src/util-o.h | 7 + - tests/040-pem/bad.empty | 0 - .../bad.isrg-root-x1-cross-signed.der.b64 | 25 +++ - tests/040-pem/expected.out | 7 + - .../good.isrg-root-x1-cross-signed.pem | 31 ++++ - .../good.isrg-root-x1-cross-signed_cr.pem | 31 ++++ - tests/040-pem/good.lets_encrypt_chain.pem | 93 +++++++++++ - tests/040-pem/run.sh | 21 +++ - tests/Makefile.am | 8 +- - tests/tools/Makefile.am | 3 +- - tests/tools/pem.c | 69 +++++++++ - 15 files changed, 474 insertions(+), 8 deletions(-) - create mode 100644 tests/040-pem/bad.empty - create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 - create mode 100644 tests/040-pem/expected.out - create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem - create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem - create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem - create mode 100755 tests/040-pem/run.sh - create mode 100644 tests/tools/pem.c - -diff --git a/src/Makefile.am b/src/Makefile.am -index 53571c5..d8e0a2e 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE) - getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS) - getcert_SOURCES = getcert.c tm.c tm.h - getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \ -- $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) -+ $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS) - if WITH_IPA - bin_PROGRAMS += ipa-getcert - ipa_getcert_CFLAGS = $(getcert_CFLAGS) -diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in -index c2751ed..901791e 100644 ---- a/src/getcert-add-scep-ca.1.in -+++ b/src/getcert-add-scep-ca.1.in -@@ -14,6 +14,8 @@ helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the - - .SH OPTIONS - .TP -+All user\-provided certificate files must be in PEM format. -+.TP - \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - The nickname to give to this CA configuration. This same value can later be - passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and -diff --git a/src/getcert.c b/src/getcert.c -index 4afafcb..ddcb739 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -49,6 +49,7 @@ - #include "submit-u.h" - #include "tdbus.h" - #include "tdbusm.h" -+#include "util-o.h" - - #ifdef ENABLE_NLS - #include -@@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv) - int c, prefer_non_renewal = 0, verbose = 0; - dbus_bool_t b; - static DBusMessage *req, *rep; -+ const char *poptarg; - poptContext pctx; - struct poptOption popts[] = { - {"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME}, - {"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL}, - {"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID}, -- {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME}, -- {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME}, -- {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, -- {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, -+ {"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME}, -+ {"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME}, -+ {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, -+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, - {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL}, - {"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL}, - {"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL}, -@@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) - return 1; - } - while ((c = poptGetNextOpt(pctx)) > 0) { -+ poptarg = poptGetOptArg(pctx); - switch (c) { - case 's': - bus = cm_tdbus_session; -@@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv) - poptPrintHelp(pctx, stdout, 0); - return 1; - break; -+ case 'R': -+ if (validate_pem(globals.tctx, poptarg) != 0) { -+ printf("The root certificate(s) in %s is not valid PEM\n", poptarg); -+ return 1; -+ } -+ root = talloc_strdup(globals.tctx, poptarg); -+ break; -+ case 'r': -+ if (validate_pem(globals.tctx, poptarg) != 0) { -+ printf("The RA certificate(s) in %s is not valid PEM\n", poptarg); -+ return 1; -+ } -+ racert = talloc_strdup(globals.tctx, poptarg); -+ break; -+ case 'I': -+ if (validate_pem(globals.tctx, poptarg) != 0) { -+ printf("The certificate(s) in %s is not valid PEM\n", poptarg); -+ return 1; -+ } -+ certs = talloc_strdup(globals.tctx, poptarg); -+ break; -+ case 'N': -+ if (validate_pem(globals.tctx, poptarg) != 0) { -+ printf("The certificate(s) in %s is not valid PEM\n", poptarg); -+ return 1; -+ } -+ signingca = talloc_strdup(globals.tctx, poptarg); -+ break; - } - } - if (c != -1) { -diff --git a/src/util-o.c b/src/util-o.c -index db45964..c05872c 100644 ---- a/src/util-o.c -+++ b/src/util-o.c -@@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey) - { - return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey); - } -+ -+static unsigned char * -+decode_base64(const unsigned char *input, int length, int *outlength) { -+ int expected_len; -+ unsigned char *output; -+ int output_len; -+ -+ expected_len = 3 * length / 4; -+ output = calloc(expected_len + 1, 1); -+ output_len = EVP_DecodeBlock(output, input, length); -+ -+ if (output_len < 0) { -+ *outlength = -1; -+ free(output); -+ return NULL; -+ } -+ if (output_len % 3 != 0) { -+ *outlength = -1; -+ free(output); -+ return NULL; -+ } -+ if (expected_len != output_len) { -+ *outlength = -1; -+ free(output); -+ return NULL; -+ } -+ *outlength = output_len; -+ return output; -+} -+ -+int -+validate_pem(void *parent, const char *path) -+{ -+ char *p; -+ char *s = NULL, *sp, *sq; -+ int ret = 0; -+ FILE *fp; -+ struct stat st; -+ char *tmp1 = NULL; -+ unsigned char *tmp2 = NULL; -+ char *buffer; -+ int n, i, length; -+ int found = 0; -+ -+ fp = fopen(path, "r"); -+ if (fp == NULL) { -+ printf("Unable to open %s for reading: %s\n", -+ path, strerror(errno)); -+ return -1; -+ } -+ if (fstat(fileno(fp), &st) == -1) { -+ printf("Error opening %s for reading: %s\n", -+ path, strerror(errno)); -+ fclose(fp); -+ return -1; -+ } -+ if (st.st_size == 0) { -+ printf("%s is an empty file.\n", path); -+ fclose(fp); -+ return -1; -+ } -+ -+ buffer = malloc(st.st_size + 1); -+ if (buffer == NULL) { -+ printf("Error allocating memory.\n"); -+ fclose(fp); -+ return -1; -+ } -+ -+ n = 0; -+ while (n < st.st_size) { -+ i = fread(buffer + n, 1, st.st_size - n, fp); -+ if (i <= 0) { -+ printf("Error reading %s: %s.\n", -+ path, strerror(errno)); -+ fclose(fp); -+ ret = -1; -+ goto done; -+ } -+ n += i; -+ } -+ fclose(fp); -+ buffer[st.st_size] = '\0'; -+ length = st.st_size; -+ s = malloc(length + 1); -+ if (s == NULL) { -+ printf("Error allocating memory.\n"); -+ ret = -1; -+ goto done; -+ } -+ memcpy(s, buffer, length); -+ s[length] = '\0'; -+ sp = s; -+ tmp1 = NULL; -+ tmp2 = NULL; -+ while ((sp = strstr(sp, "-----BEGIN")) != NULL) { -+ sq = strstr(sp, "-----END"); -+ if (sq != NULL) { -+ found++; -+ sq += strcspn(sq, "\r\n"); -+ sq += strspn(sq, "\r\n"); -+ -+ /* Strip down to pure base64 so no headers, new lines or cr */ -+ tmp1 = strndup(sp, sq - sp); -+ p = strstr(tmp1, "-----BEGIN"); -+ if (p != NULL) { -+ p += strcspn(p, "\n"); -+ if (*p == '\n') { -+ p++; -+ } -+ memmove(tmp1, p, strlen(p) + 1); -+ } -+ p = strstr(tmp1, "\n-----END"); -+ if (p != NULL) { -+ *p = '\0'; -+ } -+ while ((p = strchr(tmp1, '\r')) != NULL) { -+ memmove(p, p + 1, strlen(p)); -+ } -+ while ((p = strchr(tmp1, '\n')) != NULL) { -+ memmove(p, p + 1, strlen(p)); -+ } -+ length = 0; -+ tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length); -+ if (length < 0) { -+ ret = -1; -+ goto done; -+ } -+ sp = sq; -+ } -+ } -+ -+ if (found == 0) { -+ ret = -1; -+ } -+ -+done: -+ free(buffer); -+ free(s); -+ free(tmp1); -+ free(tmp2); -+ -+ return ret; -+} -diff --git a/src/util-o.h b/src/util-o.h -index 916777b..8550e07 100644 ---- a/src/util-o.h -+++ b/src/util-o.h -@@ -16,6 +16,12 @@ - */ - - #ifndef utilo_h -+#include -+#include -+#include -+#include -+#include -+ - #define utilo_h - - struct cm_store_entry; -@@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version); - void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg); - EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey); - EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey); -+int validate_pem(void *parent, const char *path); - - #endif -diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 -new file mode 100644 -index 0000000..f9d7e5b ---- /dev/null -+++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 -@@ -0,0 +1,25 @@ -+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK -+ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X -+DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu -+dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi -+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4 -+93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK -+ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD -+cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/ -+iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY -+jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu -+Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD -+j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp -+gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi -+0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB -+/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw -+cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx -++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG -+AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv -+oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE -+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG -+rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr -+AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk -+cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc -+RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr -+6GtPAQw4dy753ec5 -diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out -new file mode 100644 -index 0000000..0459fd2 ---- /dev/null -+++ b/tests/040-pem/expected.out -@@ -0,0 +1,7 @@ -+OK -+OK -+OK -+got expected error with bad.empty -+got expected error with bad.isrg-root-x1-cross-signed.der -+got expected error with bad.notfound -+OK -diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem -new file mode 100644 -index 0000000..239794a ---- /dev/null -+++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem -@@ -0,0 +1,31 @@ -+-----BEGIN CERTIFICATE----- -+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ -+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow -+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB -+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC -+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL -+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D -+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK -+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 -+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y -+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ -+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 -+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc -+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql -+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND -+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 -+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx -++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB -+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu -+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E -+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu -+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC -+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW -+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG -+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O -+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC -+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 -+-----END CERTIFICATE----- -diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem -new file mode 100644 -index 0000000..239794a ---- /dev/null -+++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem -@@ -0,0 +1,31 @@ -+-----BEGIN CERTIFICATE----- -+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ -+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow -+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB -+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC -+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL -+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D -+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK -+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 -+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y -+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ -+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 -+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc -+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql -+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND -+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 -+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx -++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB -+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu -+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E -+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu -+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC -+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW -+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG -+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O -+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC -+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 -+-----END CERTIFICATE----- -diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem -new file mode 100644 -index 0000000..29a16ff ---- /dev/null -+++ b/tests/040-pem/good.lets_encrypt_chain.pem -@@ -0,0 +1,93 @@ -+-----BEGIN CERTIFICATE----- -+MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw -+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1 -+WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -+RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi -+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX -+NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf -+89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl -+Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc -+Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz -+uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB -+AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU -+BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB -+FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo -+SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js -+LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF -+BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG -+AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD -+VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB -+ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx -+A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM -+UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2 -+DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1 -+eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu -+OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw -+p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY -+2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0 -+ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR -+PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b -+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt -+-----END CERTIFICATE----- -+-----BEGIN CERTIFICATE----- -+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw -+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw -+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP -+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx -+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm -+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg -+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG -+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC -+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB -+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA -+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw -+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB -+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W -+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl -+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz -+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm -+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 -+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 -+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O -+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids -+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ -+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv -+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX -+nLRbwHOoq7hHwg== -+-----END CERTIFICATE----- -+-----BEGIN CERTIFICATE----- -+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ -+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow -+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB -+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC -+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL -+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D -+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK -+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 -+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y -+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ -+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 -+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc -+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql -+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND -+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 -+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx -++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB -+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu -+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E -+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu -+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC -+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW -+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG -+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O -+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC -+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 -+-----END CERTIFICATE----- -diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh -new file mode 100755 -index 0000000..1d4d1f4 ---- /dev/null -+++ b/tests/040-pem/run.sh -@@ -0,0 +1,21 @@ -+#!/bin/bash -e -+ -+cd "$tmpdir" -+cp -p "$srcdir"/040-pem/bad.* $tmpdir -+base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der -+rm -f "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 -+ -+for good in "$srcdir"/040-pem/good.* ; do -+ if ! "$toolsdir"/pem "$good" ; then -+ exit 1 -+ fi -+done -+for bad in "$tmpdir"/bad.* bad.notfound; do -+ if "$toolsdir"/pem "$bad" > /dev/null; then -+ echo unexpected success with `basename "$bad"` -+ exit 1 -+ else -+ echo got expected error with `basename "$bad"` -+ fi -+done -+echo OK -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 013d34b..e20b6d8 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -132,6 +132,8 @@ CLEANFILES = \ - 038-ms-v2-template/actual.err \ - 039-fromfile/actual.out \ - 039-fromfile/actual.err -+ 040-pem/actual.out \ -+ 040-pem/actual.err - EXTRA_DIST = \ - run-tests.sh functions certmonger.conf tools/cachain.sh \ - 001-keyiread/run.sh \ -@@ -353,7 +355,8 @@ EXTRA_DIST = \ - 038-ms-v2-template/expected.out \ - 038-ms-v2-template/extract-extdata.py \ - 038-ms-v2-template/run.sh \ -- 039-fromfile/run.sh -+ 039-fromfile/run.sh \ -+ 040-pem/run.sh - - subdirs = \ - 001-keyiread \ -@@ -388,7 +391,8 @@ subdirs = \ - 036-getcert \ - 037-rekey2 \ - 038-ms-v2-template \ -- 039-fromfile -+ 039-fromfile \ -+ 040-pem - - if HAVE_DBM_NSSDB - subdirs += \ -diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am -index 53f658e..1a01ee6 100644 ---- a/tests/tools/Makefile.am -+++ b/tests/tools/Makefile.am -@@ -16,7 +16,8 @@ endif - noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \ - name2oid iterate prefs dates listnicks pem2base base2pem \ - dparse payload checksig base64 cadata citerate casave hooks \ -- libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile -+ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \ -+ pem - noinst_LIBRARIES = libtools.a - if HAVE_OPENSSL - noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt -diff --git a/tests/tools/pem.c b/tests/tools/pem.c -new file mode 100644 -index 0000000..4fdd4f4 ---- /dev/null -+++ b/tests/tools/pem.c -@@ -0,0 +1,69 @@ -+/* -+ * Copyright (C) 2021 Red Hat, Inc. -+ * -+ * This program is free software: you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation, either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . -+ */ -+ -+#include "../../src/config.h" -+ -+#include -+#include -+#include -+#ifdef HAVE_INTTYPES_H -+#include -+#endif -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+#include -+ -+#include "../../src/util-o.h" -+ -+int -+main(int argc, const char **argv) -+{ -+ const char *filename; -+ void *parent; -+ int i, ret = 0; -+ poptContext pctx; -+ struct poptOption popts[] = { -+ POPT_AUTOHELP -+ POPT_TABLEEND -+ }; -+ -+ parent = talloc_new(NULL); -+ pctx = poptGetContext("pem", argc, argv, popts, 0); -+ while ((i = poptGetNextOpt(pctx)) > 0) { -+ continue; -+ } -+ if (i != -1) { -+ poptPrintUsage(pctx, stdout, 0); -+ return 1; -+ } -+ while ((filename = poptGetArg(pctx)) != NULL) { -+ if (validate_pem(parent, (char *)filename) == 0) { -+ printf("OK\n"); -+ } else { -+ ret = 1; -+ } -+ } -+ talloc_free(parent); -+ poptFreeContext(pctx); -+ return ret; -+} --- -2.31.1 - diff --git a/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch b/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch deleted file mode 100644 index 43ef77c..0000000 --- a/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 657c9ab79a00a2003f7c02c535418896cacc410a Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 15 Nov 2021 09:58:40 -0500 -Subject: [PATCH] =?UTF-8?q?Fix=20implicit=20declaration=20of=20function=20?= - =?UTF-8?q?=E2=80=98PEM=5Fread=5Fbio=5FX509=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add an include for openssl/pem.h - -Signed-off-by: Rob Crittenden ---- - src/submit-n.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/submit-n.c b/src/submit-n.c -index 3dcb820a..4f763a16 100644 ---- a/src/submit-n.c -+++ b/src/submit-n.c -@@ -33,6 +33,7 @@ - #include - #include - #include -+#include - - #include - #include --- -2.31.1 - diff --git a/SOURCES/0012-Remove-dependency-on-SHA-1.patch b/SOURCES/0012-Remove-dependency-on-SHA-1.patch deleted file mode 100644 index 253db46..0000000 --- a/SOURCES/0012-Remove-dependency-on-SHA-1.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 2ef0a885962ecf558a8080b19652a5bd0c11c228 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 17 Mar 2022 15:44:00 -0400 -Subject: [PATCH] Remove dependency on SHA-1 - ---- - tests/033-scep/run.sh | 4 ++-- - tests/tools/cachain.sh | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh -index a36cd5a..baaa581 100755 ---- a/tests/033-scep/run.sh -+++ b/tests/033-scep/run.sh -@@ -148,7 +148,7 @@ check_nonce - check_digest sha256 - echo OK - echo "[gic, old trust root]" --set_digest sha1 -+set_digest sha256 - $toolsdir/scepgen ca entry > scepdata - if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then - echo missing gic -@@ -158,7 +158,7 @@ check_verified - check_msgtype $SCEP_MSGTYPE_GETCERTINITIAL - check_txid - check_nonce --check_digest sha1 -+check_digest sha256 - echo OK - echo "[req next, no trust root]" - if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then -diff --git a/tests/tools/cachain.sh b/tests/tools/cachain.sh -index 58f0c49..93aca9b 100755 ---- a/tests/tools/cachain.sh -+++ b/tests/tools/cachain.sh -@@ -1,5 +1,5 @@ - #!/bin/bash -e --digest=sha1 -+digest=sha256 - keytype=rsa:1024 - serial=12345678 - cat > openssl.cnf << EOF --- -2.31.1 - diff --git a/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch b/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch deleted file mode 100644 index a5853ea..0000000 --- a/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch +++ /dev/null @@ -1,267 +0,0 @@ -From bdf93378eca9d28d5b49c8170c849d2c2e6f1991 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 7 Apr 2022 16:30:40 -0400 -Subject: [PATCH] Disable DSA in the RPM spec - -DSA has been disabled in default crypto policy since Fedora 30 -and will cause crashes if used in FIPS mode. - -Refresh the 028-dbus no-DSA expected output. It was out-of-sync -from previous changes. - -https://bugzilla.redhat.com/show_bug.cgi?id=2066439 - -Signed-off-by: Rob Crittenden ---- - certmonger.spec | 6 +- - tests/028-dbus/expected.out.nodsa | 135 +++--------------------------- - 2 files changed, 15 insertions(+), 126 deletions(-) - -diff --git a/certmonger.spec b/certmonger.spec -index 6715d83..9c01438 100644 ---- a/certmonger.spec -+++ b/certmonger.spec -@@ -28,7 +28,7 @@ - - Name: certmonger - Version: 0.79.14 --Release: 1%{?dist} -+Release: 2%{?dist} - Summary: Certificate status monitor and PKI enrollment client - - Group: System Environment/Daemons -@@ -143,6 +143,7 @@ autoreconf -i -f - %if %{with xmlrpc} - --with-xmlrpc \ - %endif -+ --disable-dsa \ - --with-tmpdir=/run/certmonger --enable-pie --enable-now - %if %{with xmlrpc} - # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just -@@ -264,6 +265,9 @@ exit 0 - %endif - - %changelog -+* Mon Mar 28 2022 Rob Crittenden - 0.79.15-2 -+- Disable DSA. It is not allowed by default crypto policy (#2066439) -+ - * Tue Jun 14 2021 Rob Crittenden - 0.79.14-1 - - update to 0.79.14 - - Fix local CA to work under FIPS -diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa -index 20499bf..0e1b977 100644 ---- a/tests/028-dbus/expected.out.nodsa -+++ b/tests/028-dbus/expected.out.nodsa -@@ -11,12 +11,14 @@ Request ID 'Buddy': - CA: local - issuer: CN=$UUID,CN=Local Signing Authority - subject: CN=localhost -+ issued: sometime - expires: sometime - dns: localhost - principal name: host/localhost@LOCALHOST - key usage: digitalSignature,dataEncipherment - eku: id-kp-serverAuth - certificate template/profile: SomeProfileName -+ profile: SomeProfileName - pre-save command: echo Pre - post-save command: echo Post - track: yes -@@ -33,10 +35,6 @@ CA 'IPA': - is-default: no - ca-type: EXTERNAL - helper-location: $libexecdir/ipa-submit --CA 'certmaster': -- is-default: no -- ca-type: EXTERNAL -- helper-location: $libexecdir/certmaster-submit - CA 'dogtag-ipa-renew-agent': - is-default: no - ca-type: EXTERNAL -@@ -44,8 +42,8 @@ CA 'dogtag-ipa-renew-agent': - - [[ API ]] - [ simpleprop.py ] --/org/fedorahosted/certmonger/cas/CA6 --/org/fedorahosted/certmonger/cas/CA6 -+/org/fedorahosted/certmonger/cas/CA5 -+/org/fedorahosted/certmonger/cas/CA5 - : -> : -k admin@localhost -> : - 0 -> 1 -> 0 - [ walk.py ] -@@ -181,7 +179,7 @@ OK - OK - - [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ] --dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o')) -+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o')) - - [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ] - dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o')) -@@ -272,6 +270,7 @@ OK - - - -+ - - - -@@ -433,7 +432,7 @@ Buddy - - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ] --(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s'))) -+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently)) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ] - recently -@@ -507,7 +506,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri - - - -- - - - [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ] -@@ -941,10 +939,10 @@ dbus.Array([], signature=dbus.Signature('s')) - - - [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ] --$tmpdir/cas/20180327134236-2 -+$tmpdir/cas/20180327134236-3 - - [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ] --certmaster -+dogtag-ipa-renew-agent - - [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ] - 0 -@@ -956,7 +954,7 @@ EXTERNAL - None - - [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ] --$libexecdir/certmaster-submit -+$libexecdir/dogtag-ipa-renew-agent-submit - - [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ] - dbus.Array([], signature=dbus.Signature('s')) -@@ -964,116 +962,3 @@ dbus.Array([], signature=dbus.Signature('s')) - [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ] - 1 - --[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ] -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ] --$tmpdir/cas/20180327134236-3 -- --[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ] --dogtag-ipa-renew-agent -- --[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ] --0 -- --[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ] --EXTERNAL -- --[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ] --None -- --[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ] --$libexecdir/dogtag-ipa-renew-agent-submit -- --[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ] --dbus.Array([], signature=dbus.Signature('s')) -- --[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ] --1 -- --- -2.31.1 - diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index 4a41f2d..addd5a2 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -27,8 +27,8 @@ %bcond_with xmlrpc Name: certmonger -Version: 0.79.14 -Release: 7%{?dist} +Version: 0.79.17 +Release: 1%{?dist} Summary: Certificate status monitor and PKI enrollment client License: GPLv3+ @@ -36,18 +36,6 @@ URL: http://pagure.io/certmonger/ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz #Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig -Patch0002: 0002-candidate-openssl-3.0-compat-fixes.patch -Patch0004: 0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch -Patch0005: 0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch -Patch0006: 0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch -Patch0007: 0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch -Patch0008: 0008-Use-implicit-empty-FALSE-for-extensions.patch -Patch0009: 0009-Use-extensions-template-from-NSS.patch -Patch0010: 0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch -Patch0011: 0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch -Patch0012: 0012-Remove-dependency-on-SHA-1.patch -Patch0013: 0013-Disable-DSA-in-the-RPM-spec.patch - BuildRequires: autoconf BuildRequires: automake @@ -278,6 +266,9 @@ exit 0 %endif %changelog +* Tue Dec 6 2022 Rob Crittenden - 0.79.17-1 +- Update to upstream 0.79.17 + * Thu Apr 07 2022 Rob Crittenden - 0.79.14-7 - Disable DSA (#2066439)