diff --git a/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch b/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
new file mode 100644
index 0000000..2bd9262
--- /dev/null
+++ b/SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
@@ -0,0 +1,702 @@ +From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 4 Nov 2021 13:51:31 -0400 +Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files + +If a non-PEM file was passed into add-scep-ca it would +accept it without question but later fail with: + +status: CA_UNREACHABLE +ca-error: Error: failed to verify signature on server response. + +Try to do basic validation of user-provided PEM files by: + +- stripping BEGIN/END headers +- removing newlines and carriage returns +- using OpenSSL EVP library to base64 decode the block + +This isn't fool-proof but it at least does some basic +sanity checking to ensure the file(s) exist and appear +to be PEM files. + +The unit tests use some Let's Encrypt CA certificates. + +https://bugzilla.redhat.com/show_bug.cgi?id=1492112 + +Signed-off-by: Rob Crittenden +--- + src/Makefile.am | 2 +- + src/getcert-add-scep-ca.1.in | 2 + + src/getcert.c | 39 ++++- + src/util-o.c | 144 ++++++++++++++++++ + src/util-o.h | 7 + + tests/040-pem/bad.empty | 0 + .../bad.isrg-root-x1-cross-signed.der.b64 | 25 +++ + tests/040-pem/expected.out | 7 + + .../good.isrg-root-x1-cross-signed.pem | 31 ++++ + .../good.isrg-root-x1-cross-signed_cr.pem | 31 ++++ + tests/040-pem/good.lets_encrypt_chain.pem | 93 +++++++++++ + tests/040-pem/run.sh | 21 +++ + tests/Makefile.am | 8 +- + tests/tools/Makefile.am | 3 +- + tests/tools/pem.c | 69 +++++++++ + 15 files changed, 474 insertions(+), 8 deletions(-) + create mode 100644 tests/040-pem/bad.empty + create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 + create mode 100644 tests/040-pem/expected.out + create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem + create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem + create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem + create mode 100755 tests/040-pem/run.sh + create mode 100644 tests/tools/pem.c + +diff --git a/src/Makefile.am 
b/src/Makefile.am +index 53571c5..d8e0a2e 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE) + getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS) + getcert_SOURCES = getcert.c tm.c tm.h + getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \ +- $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) ++ $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS) + if WITH_IPA + bin_PROGRAMS += ipa-getcert + ipa_getcert_CFLAGS = $(getcert_CFLAGS) +diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in +index c2751ed..901791e 100644 +--- a/src/getcert-add-scep-ca.1.in ++++ b/src/getcert-add-scep-ca.1.in +@@ -14,6 +14,8 @@ helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the + + .SH OPTIONS + .TP ++All user\-provided certificate files must be in PEM format. ++.TP + \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR + The nickname to give to this CA configuration. This same value can later be + passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and +diff --git a/src/getcert.c b/src/getcert.c +index 4afafcb..ddcb739 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -49,6 +49,7 @@ + #include "submit-u.h" + #include "tdbus.h" + #include "tdbusm.h" ++#include "util-o.h" + + #ifdef ENABLE_NLS + #include +@@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv) + int c, prefer_non_renewal = 0, verbose = 0; + dbus_bool_t b; + static DBusMessage *req, *rep; ++ const char *poptarg; + poptContext pctx; + struct poptOption popts[] = { + {"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME}, + {"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL}, + {"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID}, +- {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME}, +- {"ra-cert", 'r', 
POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME}, +- {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, +- {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, ++ {"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME}, ++ {"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME}, ++ {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, ++ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, + {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL}, + {"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL}, + {"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL}, +@@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) + return 1; + } + while ((c = poptGetNextOpt(pctx)) > 0) { ++ poptarg = poptGetOptArg(pctx); + switch (c) { + case 's': + bus = cm_tdbus_session; +@@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv) + poptPrintHelp(pctx, stdout, 0); + return 1; + break; ++ case 'R': ++ if (validate_pem(globals.tctx, poptarg) != 0) { ++ printf("The root certificate(s) in %s is not valid PEM\n", poptarg); ++ return 1; ++ } ++ root = talloc_strdup(globals.tctx, poptarg); ++ break; ++ case 'r': ++ if (validate_pem(globals.tctx, poptarg) != 0) { ++ printf("The RA certificate(s) in %s is not valid PEM\n", poptarg); ++ return 1; ++ } ++ racert = talloc_strdup(globals.tctx, poptarg); ++ break; ++ case 'I': ++ if 
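Review bot: The string returned by poptGetOptArg() on the added line is, as far as I recall popt's contract, a heap copy owned by the caller, yet it is only parked in the `const char *poptarg` declared in the earlier hunk and later duplicated with talloc_strdup() in the next hunk, so every file option leaks one string; please confirm against the popt version the package builds with. Because the call now runs for every option, it is also re-evaluated for the flag options that carry no argument, which is harmless but deserves a one-line comment such as `/* owned copy from popt; released at the end of the loop body */`. If ownership is confirmed, declare it `char *poptarg` and `free(poptarg);` after the switch, once the talloc copies have been taken. The enclosing add_scep_ca() starts and ends outside this hunk.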
(validate_pem(globals.tctx, poptarg) != 0) { ++ printf("The certificate(s) in %s is not valid PEM\n", poptarg); ++ return 1; ++ } ++ certs = talloc_strdup(globals.tctx, poptarg); ++ break; ++ case 'N': ++ if (validate_pem(globals.tctx, poptarg) != 0) { ++ printf("The certificate(s) in %s is not valid PEM\n", poptarg); ++ return 1; ++ } ++ signingca = talloc_strdup(globals.tctx, poptarg); ++ break; + } + } + if (c != -1) { +diff --git a/src/util-o.c b/src/util-o.c +index db45964..c05872c 100644 +--- a/src/util-o.c ++++ b/src/util-o.c +@@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey) + { + return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey); + } ++ ++static unsigned char * ++decode_base64(const unsigned char *input, int length, int *outlength) { ++ int expected_len; ++ unsigned char *output; ++ int output_len; ++ ++ expected_len = 3 * length / 4; ++ output = calloc(expected_len + 1, 1); ++ output_len = EVP_DecodeBlock(output, input, length); ++ ++ if (output_len < 0) { ++ *outlength = -1; ++ free(output); ++ return NULL; ++ } ++ if (output_len % 3 != 0) { ++ *outlength = -1; ++ free(output); ++ return NULL; ++ } ++ if (expected_len != output_len) { ++ *outlength = -1; ++ free(output); ++ return NULL; ++ } ++ *outlength = output_len; ++ return output; ++} ++ ++int ++validate_pem(void *parent, const char *path) ++{ ++ char *p; ++ char *s = NULL, *sp, *sq; ++ int ret = 0; ++ FILE *fp; ++ struct stat st; ++ char *tmp1 = NULL; ++ unsigned char *tmp2 = NULL; ++ char *buffer; ++ int n, i, length; ++ int found = 0; ++ ++ fp = fopen(path, "r"); ++ if (fp == NULL) { ++ printf("Unable to open %s for reading: %s\n", ++ path, strerror(errno)); ++ return -1; ++ } ++ if (fstat(fileno(fp), &st) == -1) { ++ printf("Error opening %s for reading: %s\n", ++ path, strerror(errno)); ++ fclose(fp); ++ return -1; ++ } ++ if (st.st_size == 0) { ++ printf("%s is an empty file.\n", path); ++ fclose(fp); ++ return -1; ++ } ++ ++ buffer = malloc(st.st_size + 1); ++ if 
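Review bot: The four new `case` arms repeat the same validate / print / `return 1` / talloc_strdup sequence, differing only in the message and the destination variable, and the 'I' and 'N' arms even print the identical text, so a caller passing both --other-certs and --signingca can only tell which file failed by the path. A small static helper that takes the description and returns the talloc copy (or NULL after reporting) collapses each arm to one test and keeps the wording in one place. The early `return 1` paths also skip poptFreeContext(), but the existing help path above them does the same, so that is pre-existing style rather than a regression of this hunk. add_scep_ca() begins and ends outside this hunk.
```c
/* Validate PATH as PEM; return a talloc copy of it, or NULL after reporting. */
static char *
scep_pem_arg(const char *what, const char *path)
{
	if (validate_pem(globals.tctx, path) != 0) {
		printf("The %s in %s is not valid PEM\n", what, path);
		return NULL;
	}
	return talloc_strdup(globals.tctx, path);
}
/* … in add_scep_ca()'s option loop: … */
		case 'R':
			if ((root = scep_pem_arg("root certificate(s)", poptarg)) == NULL) {
				return 1;
			}
			break;
		/* … unchanged: 'r', 'I' and 'N' arms follow the same shape … */
```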
(buffer == NULL) { ++ printf("Error allocating memory.\n"); ++ fclose(fp); ++ return -1; ++ } ++ ++ n = 0; ++ while (n < st.st_size) { ++ i = fread(buffer + n, 1, st.st_size - n, fp); ++ if (i <= 0) { ++ printf("Error reading %s: %s.\n", ++ path, strerror(errno)); ++ fclose(fp); ++ ret = -1; ++ goto done; ++ } ++ n += i; ++ } ++ fclose(fp); ++ buffer[st.st_size] = '\0'; ++ length = st.st_size; ++ s = malloc(length + 1); ++ if (s == NULL) { ++ printf("Error allocating memory.\n"); ++ ret = -1; ++ goto done; ++ } ++ memcpy(s, buffer, length); ++ s[length] = '\0'; ++ sp = s; ++ tmp1 = NULL; ++ tmp2 = NULL; ++ while ((sp = strstr(sp, "-----BEGIN")) != NULL) { ++ sq = strstr(sp, "-----END"); ++ if (sq != NULL) { ++ found++; ++ sq += strcspn(sq, "\r\n"); ++ sq += strspn(sq, "\r\n"); ++ ++ /* Strip down to pure base64 so no headers, new lines or cr */ ++ tmp1 = strndup(sp, sq - sp); ++ p = strstr(tmp1, "-----BEGIN"); ++ if (p != NULL) { ++ p += strcspn(p, "\n"); ++ if (*p == '\n') { ++ p++; ++ } ++ memmove(tmp1, p, strlen(p) + 1); ++ } ++ p = strstr(tmp1, "\n-----END"); ++ if (p != NULL) { ++ *p = '\0'; ++ } ++ while ((p = strchr(tmp1, '\r')) != NULL) { ++ memmove(p, p + 1, strlen(p)); ++ } ++ while ((p = strchr(tmp1, '\n')) != NULL) { ++ memmove(p, p + 1, strlen(p)); ++ } ++ length = 0; ++ tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length); ++ if (length < 0) { ++ ret = -1; ++ goto done; ++ } ++ sp = sq; ++ } ++ } ++ ++ if (found == 0) { ++ ret = -1; ++ } ++ ++done: ++ free(buffer); ++ free(s); ++ free(tmp1); ++ free(tmp2); ++ ++ return ret; ++} +diff --git a/src/util-o.h b/src/util-o.h +index 916777b..8550e07 100644 +--- a/src/util-o.h ++++ b/src/util-o.h +@@ -16,6 +16,12 @@ + */ + + #ifndef utilo_h ++#include ++#include ++#include ++#include ++#include ++ + #define utilo_h + + struct cm_store_entry; +@@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version); + void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR 
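Review bot: validate_pem() never terminates on a file that contains `-----BEGIN` with no matching `-----END`: when `sq` is NULL the loop body does nothing and `sp` is not advanced, so the next strstr() returns the same position and `getcert add-scep-ca` hangs on such a file instead of rejecting it. In the same loop `tmp1` and `tmp2` are reassigned on every block, so for a chain file (the good.lets_encrypt_chain.pem fixture in this patch has three blocks) all but the last pair are leaked, and neither that strndup() nor the calloc() in decode_base64() is checked before use, so an allocation failure hands EVP_DecodeBlock() a null output pointer. The `s` buffer is a byte-for-byte copy of `buffer`, which is never read again after the copy, so one of the two can go. The rewrite below fails closed on an unterminated block and releases the previous block before decoding the next.
```c
	while ((sp = strstr(sp, "-----BEGIN")) != NULL) {
		sq = strstr(sp, "-----END");
		if (sq == NULL) {
			/* BEGIN without END: reject instead of re-scanning from sp forever */
			ret = -1;
			goto done;
		}
		found++;
		sq += strcspn(sq, "\r\n");
		sq += strspn(sq, "\r\n");

		/* release the previous block before the pointers are reused */
		free(tmp1);
		free(tmp2);
		tmp2 = NULL;
		tmp1 = strndup(sp, sq - sp);
		if (tmp1 == NULL) {
			printf("Error allocating memory.\n");
			ret = -1;
			goto done;
		}
		/* … unchanged: strip the BEGIN/END lines, CR and LF from tmp1 … */
		length = 0;
		tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length);
		if (length < 0) {
			ret = -1;
			goto done;
		}
		sp = sq;
	}
/* … in decode_base64(), after the calloc() … */
	output = calloc(expected_len + 1, 1);
	if (output == NULL) {
		*outlength = -1;
		return NULL;
	}
```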
*sig_alg); + EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey); + EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey); ++int validate_pem(void *parent, const char *path); + + #endif +diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 +new file mode 100644 +index 0000000..f9d7e5b +--- /dev/null ++++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 +@@ -0,0 +1,25 @@ ++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK ++ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X ++DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu ++dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi ++MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4 ++93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK ++ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD ++cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/ ++iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY ++jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu ++Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD ++j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp ++gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi ++0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB ++/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw ++cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG ++AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv 
++oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE ++FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG ++rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr ++AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk ++cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc ++RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr ++6GtPAQw4dy753ec5 +diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out +new file mode 100644 +index 0000000..0459fd2 +--- /dev/null ++++ b/tests/040-pem/expected.out +@@ -0,0 +1,7 @@ ++OK ++OK ++OK ++got expected error with bad.empty ++got expected error with bad.isrg-root-x1-cross-signed.der ++got expected error with bad.notfound ++OK +diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem +new file mode 100644 +index 0000000..239794a +--- /dev/null ++++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem +@@ -0,0 +1,31 @@ ++-----BEGIN CERTIFICATE----- ++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ ++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT ++DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB ++AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC ++ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL ++wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D ++LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK ++4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 ++bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y ++sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ ++Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 
++FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc ++SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql ++PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND ++TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw ++SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 ++c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB ++ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu ++b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E ++U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu ++MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC ++5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW ++9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG ++WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O ++he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC ++Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ++-----END CERTIFICATE----- +diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem +new file mode 100644 +index 0000000..239794a +--- /dev/null ++++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem +@@ -0,0 +1,31 @@ ++-----BEGIN CERTIFICATE----- ++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ ++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT ++DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB ++AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC ++ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL ++wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D ++LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK 
++4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 ++bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y ++sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ ++Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 ++FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc ++SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql ++PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND ++TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw ++SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 ++c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB ++ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu ++b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E ++U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu ++MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC ++5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW ++9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG ++WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O ++he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC ++Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ++-----END CERTIFICATE----- +diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem +new file mode 100644 +index 0000000..29a16ff +--- /dev/null ++++ b/tests/040-pem/good.lets_encrypt_chain.pem +@@ -0,0 +1,93 @@ ++-----BEGIN CERTIFICATE----- ++MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1 ++WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg ++RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi 
++MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX ++NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf ++89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl ++Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc ++Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz ++uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB ++AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU ++BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB ++FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo ++SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js ++LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF ++BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG ++AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD ++VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB ++ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx ++A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM ++UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2 ++DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1 ++eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu ++OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw ++p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY ++2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0 ++ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR ++PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b ++rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt ++-----END CERTIFICATE----- ++-----BEGIN CERTIFICATE----- ++MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw ++WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg 
++RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK ++AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP ++R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx ++sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm ++NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg ++Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG ++/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC ++AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB ++Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA ++FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw ++AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw ++Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB ++gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W ++PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl ++ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz ++CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm ++lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 ++avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 ++yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O ++yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids ++hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ ++HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv ++MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX ++nLRbwHOoq7hHwg== ++-----END CERTIFICATE----- ++-----BEGIN CERTIFICATE----- ++MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ ++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT ++DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB 
++AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC ++ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL ++wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D ++LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK ++4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 ++bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y ++sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ ++Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 ++FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc ++SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql ++PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND ++TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw ++SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 ++c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB ++ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu ++b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E ++U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu ++MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC ++5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW ++9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG ++WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O ++he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC ++Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ++-----END CERTIFICATE----- +diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh +new file mode 100755 +index 0000000..1d4d1f4 +--- /dev/null ++++ b/tests/040-pem/run.sh +@@ -0,0 +1,21 @@ ++#!/bin/bash -e ++ ++cd "$tmpdir" ++cp -p "$srcdir"/040-pem/bad.* $tmpdir ++base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der ++rm -f 
"$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 ++ ++for good in "$srcdir"/040-pem/good.* ; do ++ if ! "$toolsdir"/pem "$good" ; then ++ exit 1 ++ fi ++done ++for bad in "$tmpdir"/bad.* bad.notfound; do ++ if "$toolsdir"/pem "$bad" > /dev/null; then ++ echo unexpected success with `basename "$bad"` ++ exit 1 ++ else ++ echo got expected error with `basename "$bad"` ++ fi ++done ++echo OK +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 013d34b..e20b6d8 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -132,6 +132,8 @@ CLEANFILES = \ + 038-ms-v2-template/actual.err \ + 039-fromfile/actual.out \ + 039-fromfile/actual.err ++ 040-pem/actual.out \ ++ 040-pem/actual.err + EXTRA_DIST = \ + run-tests.sh functions certmonger.conf tools/cachain.sh \ + 001-keyiread/run.sh \ +@@ -353,7 +355,8 @@ EXTRA_DIST = \ + 038-ms-v2-template/expected.out \ + 038-ms-v2-template/extract-extdata.py \ + 038-ms-v2-template/run.sh \ +- 039-fromfile/run.sh ++ 039-fromfile/run.sh \ ++ 040-pem/run.sh + + subdirs = \ + 001-keyiread \ +@@ -388,7 +391,8 @@ subdirs = \ + 036-getcert \ + 037-rekey2 \ + 038-ms-v2-template \ +- 039-fromfile ++ 039-fromfile \ ++ 040-pem + + if HAVE_DBM_NSSDB + subdirs += \ +diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am +index 53f658e..1a01ee6 100644 +--- a/tests/tools/Makefile.am ++++ b/tests/tools/Makefile.am +@@ -16,7 +16,8 @@ endif + noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \ + name2oid iterate prefs dates listnicks pem2base base2pem \ + dparse payload checksig base64 cadata citerate casave hooks \ +- libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile ++ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \ ++ pem + noinst_LIBRARIES = libtools.a + if HAVE_OPENSSL + noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt +diff --git a/tests/tools/pem.c b/tests/tools/pem.c +new file mode 100644 +index 0000000..4fdd4f4 +--- /dev/null ++++ b/tests/tools/pem.c +@@ 
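Review bot: On the `cp -p "$srcdir"/040-pem/bad.* $tmpdir` line the destination is the only unquoted use of `$tmpdir` in the script; every other reference quotes it, so a temporary directory containing whitespace would be split only here. Suggest `cp -p "$srcdir"/040-pem/bad.* "$tmpdir"` for consistency with the surrounding lines.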
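Review bot: The new CLEANFILES entries in the first tests/Makefile.am hunk are appended after the context line `039-fromfile/actual.err`, which carries no trailing backslash, so the assignment ends on that line and `040-pem/actual.out \` followed by `040-pem/actual.err` becomes a stray line in the generated Makefile rather than part of CLEANFILES. The EXTRA_DIST and subdirs hunks below it do rewrite the preceding line to add the continuation, so this one looks like an oversight; the preceding line should appear in the hunk as a removed/added pair ending in `039-fromfile/actual.err \`.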
-0,0 +1,69 @@ ++/* ++ * Copyright (C) 2021 Red Hat, Inc. ++ * ++ * This program is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program. If not, see . ++ */ ++ ++#include "../../src/config.h" ++ ++#include ++#include ++#include ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++ ++#include "../../src/util-o.h" ++ ++int ++main(int argc, const char **argv) ++{ ++ const char *filename; ++ void *parent; ++ int i, ret = 0; ++ poptContext pctx; ++ struct poptOption popts[] = { ++ POPT_AUTOHELP ++ POPT_TABLEEND ++ }; ++ ++ parent = talloc_new(NULL); ++ pctx = poptGetContext("pem", argc, argv, popts, 0); ++ while ((i = poptGetNextOpt(pctx)) > 0) { ++ continue; ++ } ++ if (i != -1) { ++ poptPrintUsage(pctx, stdout, 0); ++ return 1; ++ } ++ while ((filename = poptGetArg(pctx)) != NULL) { ++ if (validate_pem(parent, (char *)filename) == 0) { ++ printf("OK\n"); ++ } else { ++ ret = 1; ++ } ++ } ++ talloc_free(parent); ++ poptFreeContext(pctx); ++ return ret; ++} +-- +2.31.1 + diff --git a/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch b/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch new file mode 100644 index 0000000..43ef77c --- /dev/null +++ b/SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch 
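Review bot: The `i != -1` usage-error path returns before `talloc_free(parent)` and `poptFreeContext(pctx)`, both of which have already been set up, so that exit leaks them; harmless for a test tool, but it will show up if the suite is run under a leak checker. Suggest `talloc_free(parent); poptFreeContext(pctx); return 1;` there. The `(char *)` cast on the validate_pem() argument is also unnecessary, since the prototype added to util-o.h in this patch takes `const char *`, and the cast only discards the qualifier that poptGetArg() returned.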
@@ -0,0 +1,31 @@
+From 657c9ab79a00a2003f7c02c535418896cacc410a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 15 Nov 2021 09:58:40 -0500
+Subject: [PATCH] =?UTF-8?q?Fix=20implicit=20declaration=20of=20function=20?=
+ =?UTF-8?q?=E2=80=98PEM=5Fread=5Fbio=5FX509=E2=80=99?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add an include for openssl/pem.h
+
+Signed-off-by: Rob Crittenden
+---
+ src/submit-n.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/submit-n.c b/src/submit-n.c
+index 3dcb820a..4f763a16 100644
+--- a/src/submit-n.c
++++ b/src/submit-n.c
+@@ -33,6 +33,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+--
+2.31.1
+
diff --git a/SOURCES/0012-Remove-dependency-on-SHA-1.patch b/SOURCES/0012-Remove-dependency-on-SHA-1.patch
new file mode 100644
index 0000000..253db46
--- /dev/null
+++ b/SOURCES/0012-Remove-dependency-on-SHA-1.patch
@@ -0,0 +1,46 @@
+From 2ef0a885962ecf558a8080b19652a5bd0c11c228 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 17 Mar 2022 15:44:00 -0400
+Subject: [PATCH] Remove dependency on SHA-1
+
+---
+ tests/033-scep/run.sh | 4 ++--
+ tests/tools/cachain.sh | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh
+index a36cd5a..baaa581 100755
+--- a/tests/033-scep/run.sh
++++ b/tests/033-scep/run.sh
+@@ -148,7 +148,7 @@ check_nonce
+ check_digest sha256
+ echo OK
+ echo "[gic, old trust root]"
+-set_digest sha1
++set_digest sha256
+ $toolsdir/scepgen ca entry > scepdata
+ if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then
+ echo missing gic
+@@ -158,7 +158,7 @@ check_verified
+ check_msgtype $SCEP_MSGTYPE_GETCERTINITIAL
+ check_txid
+ check_nonce
+-check_digest sha1
++check_digest sha256
+ echo OK
+ echo "[req next, no trust root]"
+ if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then
+diff --git a/tests/tools/cachain.sh b/tests/tools/cachain.sh
+index 58f0c49..93aca9b 100755
+--- a/tests/tools/cachain.sh
++++ b/tests/tools/cachain.sh
+@@ -1,5 +1,5 @@
+ #!/bin/bash -e
+-digest=sha1
++digest=sha256
+ keytype=rsa:1024
+ serial=12345678
+ cat > openssl.cnf << EOF
+--
+2.31.1
+
diff --git a/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch b/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch
new file mode 100644
index 0000000..a5853ea
--- /dev/null
+++ b/SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch
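Review bot: The cachain.sh hunk moves the test CA's digest to sha256, but the next context line still reads `keytype=rsa:1024`; if the motivation is the system crypto policy or FIPS mode (the commit message only says the SHA-1 dependency is removed), a 1024-bit RSA key is likely to be refused by the same policies that refused SHA-1, so the generated chain would still be unusable there. I would expect `keytype=rsa:2048` to be needed alongside this change, but please verify against the environment the suite runs in.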
@@ -0,0 +1,267 @@
+From bdf93378eca9d28d5b49c8170c849d2c2e6f1991 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 7 Apr 2022 16:30:40 -0400
+Subject: [PATCH] Disable DSA in the RPM spec
+
+DSA has been disabled in default crypto policy since Fedora 30
+and will cause crashes if used in FIPS mode.
+
+Refresh the 028-dbus no-DSA expected output. It was out-of-sync
+from previous changes.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2066439
+
+Signed-off-by: Rob Crittenden
+---
+ certmonger.spec | 6 +-
+ tests/028-dbus/expected.out.nodsa | 135 +++---------------------------
+ 2 files changed, 15 insertions(+), 126 deletions(-)
+
+diff --git a/certmonger.spec b/certmonger.spec
+index 6715d83..9c01438 100644
+--- a/certmonger.spec
++++ b/certmonger.spec
+@@ -28,7 +28,7 @@
+
+ Name: certmonger
+ Version: 0.79.14
+-Release: 1%{?dist}
++Release: 2%{?dist}
+ Summary: Certificate status monitor and PKI enrollment client
+
+ Group: System Environment/Daemons
+@@ -143,6 +143,7 @@ autoreconf -i -f
+ %if %{with xmlrpc}
+ --with-xmlrpc \
+ %endif
++ --disable-dsa \
+ --with-tmpdir=/run/certmonger --enable-pie --enable-now
+ %if %{with xmlrpc}
+ # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
+@@ -264,6 +265,9 @@ exit 0
+ %endif
+
+ %changelog
++* Mon Mar 28 2022 Rob Crittenden - 0.79.15-2
++- Disable DSA.
It is not allowed by default crypto policy (#2066439) ++ + * Tue Jun 14 2021 Rob Crittenden - 0.79.14-1 + - update to 0.79.14 + - Fix local CA to work under FIPS +diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa +index 20499bf..0e1b977 100644 +--- a/tests/028-dbus/expected.out.nodsa ++++ b/tests/028-dbus/expected.out.nodsa +@@ -11,12 +11,14 @@ Request ID 'Buddy': + CA: local + issuer: CN=$UUID,CN=Local Signing Authority + subject: CN=localhost ++ issued: sometime + expires: sometime + dns: localhost + principal name: host/localhost@LOCALHOST + key usage: digitalSignature,dataEncipherment + eku: id-kp-serverAuth + certificate template/profile: SomeProfileName ++ profile: SomeProfileName + pre-save command: echo Pre + post-save command: echo Post + track: yes +@@ -33,10 +35,6 @@ CA 'IPA': + is-default: no + ca-type: EXTERNAL + helper-location: $libexecdir/ipa-submit +-CA 'certmaster': +- is-default: no +- ca-type: EXTERNAL +- helper-location: $libexecdir/certmaster-submit + CA 'dogtag-ipa-renew-agent': + is-default: no + ca-type: EXTERNAL +@@ -44,8 +42,8 @@ CA 'dogtag-ipa-renew-agent': + + [[ API ]] + [ simpleprop.py ] +-/org/fedorahosted/certmonger/cas/CA6 +-/org/fedorahosted/certmonger/cas/CA6 ++/org/fedorahosted/certmonger/cas/CA5 ++/org/fedorahosted/certmonger/cas/CA5 + : -> : -k admin@localhost -> : + 0 -> 1 -> 0 + [ walk.py ] +@@ -181,7 +179,7 @@ OK + OK + + [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ] +-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o')) ++dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), 
dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o')) + + [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ] + dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o')) +@@ -272,6 +270,7 @@ OK + + + ++ + + + +@@ -433,7 +432,7 @@ Buddy + + + [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ] +-(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s'))) ++(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently)) + + [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ] + recently +@@ -507,7 +506,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + + +- + + + [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ] +@@ -941,10 +939,10 @@ dbus.Array([], signature=dbus.Signature('s')) + + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ] +-$tmpdir/cas/20180327134236-2 ++$tmpdir/cas/20180327134236-3 + + [ /org/fedorahosted/certmonger/cas/CA4: 
org.fedorahosted.certmonger.ca.get_nickname ] +-certmaster ++dogtag-ipa-renew-agent + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ] + 0 +@@ -956,7 +954,7 @@ EXTERNAL + None + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ] +-$libexecdir/certmaster-submit ++$libexecdir/dogtag-ipa-renew-agent-submit + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ] + dbus.Array([], signature=dbus.Signature('s')) +@@ -964,116 +962,3 @@ dbus.Array([], signature=dbus.Signature('s')) + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ] + 1 + +-[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ] +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ] +-$tmpdir/cas/20180327134236-3 +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ] +-dogtag-ipa-renew-agent +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ] +-0 +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ] +-EXTERNAL +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ] +-None +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ] +-$libexecdir/dogtag-ipa-renew-agent-submit +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ] +-dbus.Array([], signature=dbus.Signature('s')) +- +-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ] +-1 +- +-- +2.31.1 + 
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index d40f591..4a41f2d 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -28,7 +28,7 @@ Name: certmonger Version: 0.79.14 -Release: 5%{?dist} +Release: 7%{?dist} Summary: Certificate status monitor and PKI enrollment client License: GPLv3+ @@ -43,6 +43,10 @@ Patch0006: 0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch Patch0007: 0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch Patch0008: 0008-Use-implicit-empty-FALSE-for-extensions.patch Patch0009: 0009-Use-extensions-template-from-NSS.patch +Patch0010: 0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch +Patch0011: 0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch +Patch0012: 0012-Remove-dependency-on-SHA-1.patch +Patch0013: 0013-Disable-DSA-in-the-RPM-spec.patch BuildRequires: autoconf @@ -156,6 +160,7 @@ autoreconf -i -f %if %{with xmlrpc} --with-xmlrpc \ %endif + --disable-dsa \ --with-tmpdir=/run/certmonger --enable-pie --enable-now %if %{with xmlrpc} # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just @@ -273,6 +278,14 @@ exit 0 %endif %changelog +* Thu Apr 07 2022 Rob Crittenden - 0.79.14-7 +- Disable DSA (#2066439) + +* Thu Mar 17 2022 Rob Crittenden - 0.79.14-6 +- Certificate format validation when adding the SCEP server's CA + (#1492112) +- Replace some SHA1 usages with SHA256 in the unit tests + * Thu Oct 07 2021 Rob Crittenden - 0.79.14-5 - Certmonger SCEP renewal should not use old challenges (#1990926) - Certmonger certificates stuck in NEED_GUIDANCE (#2001082)