diff --git a/.certmonger.metadata b/.certmonger.metadata
index c02a279..e38fad0 100644
--- a/.certmonger.metadata
+++ b/.certmonger.metadata
@@ -1 +1 @@
-b5c636304b1d31d110d6f4fba03f9b100ad6aafa SOURCES/certmonger-0.75.14.tar.gz
+277aca37d5ee3b693108ce7d9398ec3b44beb634 SOURCES/certmonger-0.78.4.tar.gz
diff --git a/.gitignore b/.gitignore
index d2881f8..366c9b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/certmonger-0.75.14.tar.gz
+SOURCES/certmonger-0.78.4.tar.gz
diff --git a/SOURCES/1001-Remove-rekey-feature.patch b/SOURCES/1001-Remove-rekey-feature.patch
new file mode 100644
index 0000000..11a60be
--- /dev/null
+++ b/SOURCES/1001-Remove-rekey-feature.patch
@@ -0,0 +1,374 @@ +From f85876b61af0716c00a255be42c7b62fc3c83e3f Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Fri, 7 Aug 2015 13:40:41 +0200 +Subject: [PATCH] Remove rekey feature + +https://bugzilla.redhat.com/show_bug.cgi?id=1250397 +--- + src/certmonger-scep-submit.8.in | 8 -------- + src/certmonger.conf.5.in | 19 ------------------- + src/getcert-add-scep-ca.1.in | 8 -------- + src/getcert.c | 3 --- + src/prefs.c | 27 +-------------------------- + src/scep.c | 5 ----- + src/submit-e.c | 6 ------ + src/tdbush.c | 10 +--------- + tests/010-iterate/expected.out | 14 +++++--------- + tests/028-dbus/expected.out | 6 ------ + tests/036-getcert/expected.out | 26 ++++++++++++++------------ + tests/037-rekey2/expected.out | 4 ++-- + 12 files changed, 23 insertions(+), 113 deletions(-) + +diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in +index 7319c6a42c090420eb035515d94fd0640d990dda..31203c37fde407d2306de9d7f5aba9d3541eaaa3 100644 +--- a/src/certmonger-scep-submit.8.in ++++ b/src/certmonger-scep-submit.8.in +@@ -80,14 +80,6 @@ When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to + specify the CA identifier which is passed to the server as part of the client's + request. The default is "0". + .TP +-\fB\-n\fR +-The SCEP Renewal feature allows a client with a previously-issued certificate +-to use that certificate and the associated private key to request a new +-certificate for a different key pair, and can be used to support +-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for +-it. This option forces the \fIscep-submit\fR helper to prefer to issue +-requests which do not make use of this feature. +-.TP + \fB-v\fR + Increases the logging level. Use twice for more logging. This option + is mainly useful for troubleshooting. 
+diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in +index 241f48b07b5045708aa118663b569d5ac3947782..e1220f134c30e760af73fb0abc88a498e94f23d2 100644 +--- a/src/certmonger.conf.5.in ++++ b/src/certmonger.conf.5.in +@@ -72,25 +72,6 @@ These are the trust attributes which are applied to certificates which are not + necessarily to be trusted, when they are saved to NSS databases. The default + is \fI,,\fP. + +-.IP max_key_use_count +-When attempting to replace a certificate, if \fIcertmonger\fR has previously +-obtained at least this number of certificates using the current key pair, it +-will generate a new key pair to use before proceeding. There is effectively no +-default for this setting. +- +-.IP max_key_lifetime +-The amount of time after a key was first generated when \fIcertmonger\fR will +-attempt to generate a new key pair to replace it, as part of the process of +-replacing a certificate. +-The value is specified as a combination of years (y), months (M), weeks (w), +-days (d), hours (h), minutes (m), and/or seconds (s). If no unit of time is +-specified, seconds are assumed. +-The date when a key was generated is not recorded if the key was not generated +-by \fIcertmonger\fR, or if the key was generated with a version of +-\fIcertmonger\fR older than 0.78, and for those cases, this option has no +-effect. +-There is effectively no default for this setting. +- + .SH SELFSIGN + Within the \fIselfsign\fR section, these variables and values are recognized: + +diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in +index f07b9002a206526ea7f0334f5ba0071d8fffd3ae..64f0f5e80cd0fa3ae01fcf27828f97935dfb99c7 100644 +--- a/src/getcert-add-scep-ca.1.in ++++ b/src/getcert-add-scep-ca.1.in +@@ -46,14 +46,6 @@ A CA identifier value which will passed to the server when the + \fIscep-submit\fR helper is used to retrieve copies of the server's + certificates. 
+ .TP +-\fB\-n\fR +-The SCEP Renewal feature allows a client with a previously-issued certificate +-to use that certificate and the associated private key to request a new +-certificate for a different key pair, and can be used to support +-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for +-it. This option forces the \fIscep-submit\fR helper to issue requests without +-making use of this feature. +-.TP + \fB\-v\fR + Be verbose about errors. Normally, the details of an error received from + the daemon will be suppressed if the client can make a diagnostic suggestion. +diff --git a/src/getcert.c b/src/getcert.c +index 49840dd968a75929ef55c6b77966187f0c59fa78..1b7d5fc27c970178e310e9bb7e9abde3f6b7bbce 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -4595,7 +4595,6 @@ static struct { + {"start-tracking", start_tracking}, + {"stop-tracking", stop_tracking}, + {"resubmit", resubmit}, +- {"rekey", rekey}, + {"refresh", refresh}, + {"list", list}, + {"status", status}, +@@ -5007,8 +5006,6 @@ help(const char *twopartcmd, const char *category) + N_("stop monitoring a certificate\n")}, + {"resubmit", resubmit_help, + N_("resubmit an in-progress enrollment request, or start a new one\n")}, +- {"rekey", rekey_help, +- N_("generate a new private key and replace a certificate\n")}, + {"refresh", refresh_help, + N_("check on the status of an in-progress enrollment request\n")}, + {"list", list_help, +diff --git a/src/prefs.c b/src/prefs.c +index ab363bbc2c08f834e7fc1bede8f1cf2c50229f1c..0a8e166ce30f3b0288cd7430568ae18d0e5ab914 100644 +--- a/src/prefs.c ++++ b/src/prefs.c +@@ -545,36 +545,11 @@ cm_prefs_nss_other_trust(void) + long long + prefs_key_end_of_life(time_t ref) + { +- const char *cfg; +- time_t tmp; +- +- tmp = -1; +- cfg = cm_prefs_config(NULL, "max_key_lifetime"); +- if (cfg != NULL) { +- if (cm_submit_u_delta_from_string(cfg, ref, &tmp) == 0) { +- return tmp; +- } +- } + return -1; + } + + long + prefs_max_key_use_count(void) + { +- 
static long count = -2; +- long tmp; +- const char *cfg; +- char *p; +- +- if (count == -2) { +- count = -1; +- cfg = cm_prefs_config(NULL, "max_key_use_count"); +- if (cfg != NULL) { +- tmp = strtol(cfg, &p, 10); +- if ((p != NULL) && (*p == '\0')) { +- count = tmp; +- } +- } +- } +- return count; ++ return -1; + } +diff --git a/src/scep.c b/src/scep.c +index d3bbc050947a1a0472187503110682c9028f9c6f..11f9ae3cc193981d3c2bf986a4a5c4c7d81506f5 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -231,7 +231,6 @@ main(int argc, const char **argv) + {"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"}, + {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"}, + {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"}, +- {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL}, + {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, + POPT_AUTOHELP + POPT_TABLEEND +@@ -255,8 +254,6 @@ main(int argc, const char **argv) + message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV); + if (message == NULL) { + message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); +- } else { +- rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); + } + } else + if (strcasecmp(mode, CM_OP_POLL) == 0) { +@@ -264,8 +261,6 @@ main(int argc, const char **argv) + message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV); + if (message == NULL) { + message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); +- } else { +- rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); + } + } else + if (strcasecmp(mode, CM_OP_FETCH_SCEP_CA_CERTS) == 0) { +diff --git a/src/submit-e.c b/src/submit-e.c +index 6997b436e42aa4f77c421040070ee2484467dea5..4d434f3ef1c87f9b5288a80d66006ea7baa9f643 100644 +--- a/src/submit-e.c ++++ b/src/submit-e.c +@@ -446,12 +446,6 @@ cm_submit_e_need_scep_messages(struct cm_submit_state *state) + static int + 
cm_submit_e_need_rekey(struct cm_submit_state *state) + { +- int status; +- status = cm_subproc_get_exitstatus(state->subproc); +- if (WIFEXITED(status) && +- (WEXITSTATUS(status) == CM_SUBMIT_STATUS_NEED_REKEY)) { +- return 0; +- } + return -1; + } + +diff --git a/src/tdbush.c b/src/tdbush.c +index 4660f80f26669d31b2629c543384fe95bbec1ea9..9a03674d7ba313129083f6f606e86ca4b3933186 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -7094,14 +7094,6 @@ cm_tdbush_iface_request(void) + NULL))), + NULL), + make_interface_item(cm_tdbush_interface_method, +- make_method("rekey", +- request_rekey, +- make_method_arg("working", +- DBUS_TYPE_BOOLEAN_AS_STRING, +- cm_tdbush_method_arg_out, +- NULL), +- NULL), +- make_interface_item(cm_tdbush_interface_method, + make_method("resubmit", + request_resubmit, + make_method_arg("working", +@@ -7156,7 +7148,7 @@ cm_tdbush_iface_request(void) + make_interface_item(cm_tdbush_interface_signal, + make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, + NULL), +- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); ++ NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); + } + return ret; + } +diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out +index bd57a01ba8725418978259018441f6a9a6672758..85d07b3baef83dbafd39c03888881cb665518733 100644 +--- a/tests/010-iterate/expected.out ++++ b/tests/010-iterate/expected.out +@@ -398,19 +398,15 @@ HAVE_CSR + -START- + NEED_TO_SUBMIT + SUBMITTING +-NEED_KEY_PAIR ++NEED_GUIDANCE + -STOP- +-NEED_KEY_PAIR ++NEED_GUIDANCE + -START- +-GENERATING_KEY_PAIR +-HAVE_KEY_PAIR +-NEED_KEYINFO ++NEED_GUIDANCE + -STOP- +-NEED_KEYINFO ++NEED_GUIDANCE + -START- +-READING_KEYINFO +-HAVE_KEYINFO +-NEED_CSR ++NEED_GUIDANCE + -STOP- + + [Enroll until we notice we have no specified CA.] 
+diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index ba55dd5ce97c74475dbebb761c41dd2e64e64365..d8fb98bcf9950c9c21c48feac303dc0b46189ab7 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -401,9 +401,6 @@ OK + + + +- +- +- + + + +@@ -481,9 +478,6 @@ recently + 1 on /org/fedorahosted/certmonger/requests/Request2 + After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1) + +-[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ] +-1 +- + [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.resubmit ] + 1 + +diff --git a/tests/036-getcert/expected.out b/tests/036-getcert/expected.out +index c1a13c8e058e39285ee842b173356002da2fd0e6..b6d1eaf7c733e04d5b928e7a59edeca43a27a5ef 100644 +--- a/tests/036-getcert/expected.out ++++ b/tests/036-getcert/expected.out +@@ -11,20 +11,21 @@ certs:1 + keys:1 + -----BEGIN PRIVATE KEY----- + [Files, rekey] +-Resubmitting "first" to "local". + certs:1 + -----BEGIN CERTIFICATE----- + keys:1 + -----BEGIN PRIVATE KEY----- ++ERROR: keys were not changed on rekey ++ERROR: cert was not changed on rekey + [Files, rekey with preserve=1] +-Resubmitting "first" to "local". + certs:1 + -----BEGIN CERTIFICATE----- +-keys:2 +------BEGIN PRIVATE KEY----- ++keys:1 + -----BEGIN PRIVATE KEY----- ++ERROR: keys were not changed on rekey ++ERROR: cert was not changed on rekey ++ERROR: old keys were not saved on rekey + [Files, rekey with jerk CA] +-Resubmitting "first" to "jerkca". + certs:1 + -----BEGIN CERTIFICATE----- + keys:1 +@@ -44,30 +45,31 @@ pk12util: PKCS12 EXPORT SUCCESSFUL + cert:1 + key:1 + [Database, rekey] +-Resubmitting "first" to "local". 
+ certs:1 + keys:1 + pk12util: PKCS12 EXPORT SUCCESSFUL + cert:1 + key:1 ++ERROR: keys were not changed on rekey ++ERROR: cert was not changed on rekey + [Database, rekey with preserve=1] +-Resubmitting "first" to "local". + certs:1 +-keys:2 ++keys:1 + pk12util: PKCS12 EXPORT SUCCESSFUL + cert:1 + key:1 ++ERROR: keys were not changed on rekey ++ERROR: cert was not changed on rekey ++ERROR: old keys were not saved on rekey + [Database, rekey with jerk CA] +-Resubmitting "first" to "jerkca". + certs:1 +-keys:3 ++keys:1 + pk12util: PKCS12 EXPORT SUCCESSFUL + cert:1 + key:1 + [Database, rekey with jerk CA, nonpreserving] +-Resubmitting "first" to "jerkca". + certs:1 +-keys:3 ++keys:1 + pk12util: PKCS12 EXPORT SUCCESSFUL + cert:1 + key:1 +diff --git a/tests/037-rekey2/expected.out b/tests/037-rekey2/expected.out +index bd8cca7c3eedb5a02249f450451b651bb270ec24..62a1c746f86bb53fe79d1226ab9194825f7642d8 100644 +--- a/tests/037-rekey2/expected.out ++++ b/tests/037-rekey2/expected.out +@@ -112,7 +112,7 @@ MONITORING + -STOP- + MONITORING + -START- +-NEED_KEY_PAIR ++NEED_CSR + -STOP- + [Uses = 2.] + NEED_KEY_PAIR +@@ -228,6 +228,6 @@ MONITORING + -STOP- + MONITORING + -START- +-NEED_KEY_PAIR ++NEED_CSR + -STOP- + Test complete. +-- +2.4.3 + diff --git a/SOURCES/certmonger-0.75.14.tar.gz.sig b/SOURCES/certmonger-0.75.14.tar.gz.sig deleted file mode 100644 index 18eae39..0000000 Binary files a/SOURCES/certmonger-0.75.14.tar.gz.sig and /dev/null differ diff --git a/SOURCES/certmonger-0.78.4.tar.gz.sig b/SOURCES/certmonger-0.78.4.tar.gz.sig new file mode 100644 index 0000000..cd32a1a Binary files /dev/null and b/SOURCES/certmonger-0.78.4.tar.gz.sig differ diff --git a/SOURCES/certmonger-dbus-string-properties.patch b/SOURCES/certmonger-dbus-string-properties.patch deleted file mode 100644 index c7d96eb..0000000 --- a/SOURCES/certmonger-dbus-string-properties.patch +++ /dev/null 
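Review bot: `prefs_max_key_use_count` and `prefs_key_end_of_life` in the src/prefs.c part of this patch now return -1 unconditionally, so a deployment that set `max_key_use_count` or `max_key_lifetime` in certmonger.conf loses key rotation silently; the man-page entries are deleted, but the config keys are neither rejected nor logged. I would keep the lookup and emit a notice at a level that is visible by default, e.g. `if (cm_prefs_config(NULL, "max_key_use_count") != NULL) cm_log(1, "max_key_use_count is set but rekeying is disabled in this build; ignoring");`, and the same for `max_key_lifetime`, so an administrator can see that the expected rotation is not happening. The stubbed functions also leave `ref` (prefs.c) and `state` (`cm_submit_e_need_rekey` in src/submit-e.c) unused, which -Wunused-parameter will flag — a `(void)ref;` / `(void)state;` with a one-line comment that the feature is disabled downstream documents the intent — and the `rekey`/`rekey_help` entries dropped from the getcert.c tables presumably leave their functions defined and unused. In tests/036-getcert/expected.out the `ERROR: keys were not changed on rekey` lines become the expected output, which bakes the failure into the suite rather than skipping the rekey cases, so a later behavioural change in either direction would not be caught. The src/scep.c hunk still consults `CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV` before `CM_SUBMIT_SCEP_PKCSREQ_ENV`; that is presumably harmless once the daemon stops setting it, but a comment saying so at that `getenv` would save the next reader the question — confirm.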
@@ -1,91 +0,0 @@ -From fa734ee402ee1f41281ac89c3a376b24ae7e9112 Mon Sep 17 00:00:00 2001 -From: David Kupka -Date: Wed, 7 Jan 2015 21:34:15 -0500 -Subject: [PATCH] Retrieve string value from DBus property interface reply - correctly. - -org.freedesktop.DBus.Properties.Get method always returns variant data type. -The basic type inside it can't be accessed directly. ---- - src/getcert.c | 2 +- - src/tdbusm.c | 38 ++++++++++++++++++++++++++++++++++++++ - src/tdbusm.h | 1 + - 3 files changed, 40 insertions(+), 1 deletion(-) - -diff --git a/src/getcert.c b/src/getcert.c -index 5ea5e538e5f3beb840f88e6dbe21957b155b873b..8b2cb8a937947ca3d932cc9405a82c90acefabb3 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -474,7 +474,7 @@ query_prop_s(enum cm_tdbus_type which, - DBusMessage *rep; - char *s; - rep = query_prop(which, path, interface, prop, verbose); -- if (cm_tdbusm_get_s(rep, parent, &s) != 0) { -+ if (cm_tdbusm_get_vs(rep, parent, &s) != 0) { - s = ""; - } - dbus_message_unref(rep); -diff --git a/src/tdbusm.c b/src/tdbusm.c -index dd3e800d1a5f2fe9c2d7feff3e3938a6adb4c1ab..f7aaea82e20994a7382518153980e14fb0405453 100644 ---- a/src/tdbusm.c -+++ b/src/tdbusm.c -@@ -175,6 +175,44 @@ cm_tdbusm_get_p(DBusMessage *msg, void *parent, char **p) - } - - int -+cm_tdbusm_get_vs(DBusMessage *msg, void *parent, char **s) -+{ -+ DBusError err; -+ DBusMessageIter iter, sub_iter; -+ -+ *s = NULL; -+ dbus_error_init(&err); -+ -+ if (dbus_message_iter_init(msg, &iter) == FALSE) { -+ if (dbus_error_is_set(&err)) { -+ cm_log(3, "DBus error: %s", err.message); -+ dbus_error_free(&err); -+ } else { -+ cm_log(3, "Unknown DBus error."); -+ } -+ return -1; -+ } -+ -+ if (dbus_message_iter_get_arg_type(&iter) == DBUS_TYPE_VARIANT) { -+ dbus_message_iter_recurse(&iter, &sub_iter); -+ if (dbus_message_iter_get_arg_type(&sub_iter) == DBUS_TYPE_STRING) { -+ dbus_message_iter_get_basic(&sub_iter, s); -+ *s = *s ? 
talloc_strdup(parent, *s) : NULL; -+ return 0; -+ } -+ } -+ -+ if (dbus_error_is_set(&err)) { -+ cm_log(3, "Failed to extract data from DBus message: %s", err.message); -+ dbus_error_free(&err); -+ } else { -+ cm_log(3, "Failed to extract data from DBus message."); -+ } -+ *s = NULL; -+ return -1; -+} -+ -+int - cm_tdbusm_get_s(DBusMessage *msg, void *parent, char **s) - { - DBusError err; -diff --git a/src/tdbusm.h b/src/tdbusm.h -index b926b4941985509696b965fc955b2f204ce856df..813fae2f4a4a72da512e7559b5ed437cab4766e1 100644 ---- a/src/tdbusm.h -+++ b/src/tdbusm.h -@@ -22,6 +22,7 @@ int cm_tdbusm_get_b(DBusMessage *msg, void *parent, dbus_bool_t *b); - int cm_tdbusm_get_n(DBusMessage *msg, void *parent, long *n); - int cm_tdbusm_get_p(DBusMessage *msg, void *parent, char **p); - int cm_tdbusm_get_s(DBusMessage *msg, void *parent, char **s); -+int cm_tdbusm_get_vs(DBusMessage *msg, void *parent, char **s); - int cm_tdbusm_get_bp(DBusMessage *msg, void *parent, dbus_bool_t *b, char **p); - int cm_tdbusm_get_bs(DBusMessage *msg, void *parent, dbus_bool_t *b, char **s); - int cm_tdbusm_get_sb(DBusMessage *msg, void *parent, char **s, dbus_bool_t *b); --- -2.1.0 - diff --git a/SOURCES/certmonger-dogtag-approval-options.patch b/SOURCES/certmonger-dogtag-approval-options.patch deleted file mode 100644 index 0ddee2f..0000000 --- a/SOURCES/certmonger-dogtag-approval-options.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -Backported from master. - -From de03df73802956143fd1fa743706b803938a610f Mon Sep 17 00:00:00 2001 -From: Jan Cholasta -Date: Tue, 18 Nov 2014 13:25:08 +0000 -Subject: [PATCH] Allow overriding parameter values in Dogtag request approval - ---- - src/certmonger-dogtag-ipa-renew-agent-submit.8.in | 8 +++ - src/dogtag.c | 61 ++++++++++++++++++++++- - 2 files changed, 68 insertions(+), 1 deletion(-) - -diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in -index 45129d4818aad0d91960a1bfe35a79e4e2406f02..d6d0c4c122014ac77e04ab8c3fc4a2742dfb8bdb 100644 ---- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in -+++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in -@@ -17,6 +17,7 @@ dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL - [-D serial (decimal)] - [-S state] - [-T profile] -+[-O param=value] - [-v] - [csrfile] - -@@ -125,6 +126,13 @@ The name of the type of certificate which the client should request from the CA - if it is not renewing a certificate (per the \fB-s\fR option above). The - default value is \fBcaServerCert\fP. - .TP -+\fB-O\fR param=value -+An additional parameter to pass to the server when approving the signing -+request using the agent's credentials. By default, any server-supplied default -+settings are applied. This option can be used either to override a -+server-supplied default setting, or to supply one which would otherwise have -+not been used. -+.TP - \fB-v\fR - Increases the logging level. Use twice for more logging. This option is mainly - useful for troubleshooting. 
-diff --git a/src/dogtag.c b/src/dogtag.c -index 700fe7f516a54f0581d94068e9066de9e4621f5d..6bd284327ffc1ab29d32deb8529fc5ef69314295 100644 ---- a/src/dogtag.c -+++ b/src/dogtag.c -@@ -76,6 +76,7 @@ help(const char *cmd) - "\t[-D serial (decimal)]\n" - "\t[-S state]\n" - "\t[-T profile]\n" -+ "\t[-O param=value]\n" - "\t[-v]\n" - "\t[-N]\n" - "\t[-V dogtag_version]\n" -@@ -140,6 +141,11 @@ main(int argc, char **argv) - const char *sslcert = NULL, *sslkey = NULL; - const char *sslpin = NULL, *sslpinfile = NULL; - const char *host = NULL, *csr = NULL, *serial = NULL, *template = NULL; -+ struct { -+ char *name; -+ char *value; -+ } *options = NULL; -+ size_t num_options = 0, j; - const char *dogtag_version = NULL; - char *ipaconfig = NULL, *savedstate = NULL; - char *p, *q, *params = NULL, *params2 = NULL; -@@ -178,7 +184,7 @@ main(int argc, char **argv) - - savedstate = getenv(CM_SUBMIT_COOKIE_ENV); - -- while ((c = getopt(argc, argv, "E:A:d:n:i:C:c:k:p:P:s:D:S:T:vV:NR")) != -1) { -+ while ((c = getopt(argc, argv, "E:A:d:n:i:C:c:k:p:P:s:D:S:T:O:vV:NR")) != -1) { - switch (c) { - case 'E': - eeurl = optarg; -@@ -220,6 +226,26 @@ main(int argc, char **argv) - case 'T': - template = optarg; - break; -+ case 'O': -+ if (strchr(optarg, '=') == NULL) { -+ printf(_("Profile params (-O) must be in the form of param=value.\n")); -+ help(argv[0]); -+ return CM_SUBMIT_STATUS_UNCONFIGURED; -+ } -+ options = realloc(options, -+ ++num_options * sizeof(*options)); -+ if (options == NULL) { -+ printf(_("Out of memory.\n")); -+ return CM_SUBMIT_STATUS_UNCONFIGURED; -+ } -+ options[num_options - 1].name = strdup(optarg); -+ if (options[num_options - 1].name == NULL) { -+ printf(_("Out of memory.\n")); -+ return CM_SUBMIT_STATUS_UNCONFIGURED; -+ } -+ *strchr(options[num_options - 1].name, '=') = '\0'; -+ options[num_options - 1].value = strchr(optarg, '=') + 1; -+ break; - case 'v': - verbose++; - break; -@@ -374,6 +400,18 @@ main(int argc, char **argv) - printf(_("No profile/template 
(-T) given, and no default known.\n")); - missing_args = TRUE; - } -+ if (options != NULL) { -+ if (agenturl == NULL) { -+ printf(_("No agent URL (-A) given, and no default " -+ "known.\n")); -+ missing_args = TRUE; -+ } -+ if (!can_agent) { -+ printf(_("No agent credentials specified, and no " -+ "default known.\n")); -+ missing_args = TRUE; -+ } -+ } - if (missing_args) { - help(argv[0]); - return CM_SUBMIT_STATUS_UNCONFIGURED; -@@ -544,12 +582,33 @@ main(int argc, char **argv) - for (i = 0; - (defaults != NULL) && (defaults[i] != NULL); - i++) { -+ /* Check if this default is one of the -+ * paramters we've been explicitly provided. */ -+ for (j = 0; j < num_options; j++) { -+ if (strcmp(defaults[i]->name, -+ options[j].name) == 0) { -+ break; -+ } -+ } -+ /* If we have a non-default value for it, skip -+ * this default. */ -+ if (j < num_options) { -+ continue; -+ } - p = cm_submit_u_url_encode(defaults[i]->name); - q = cm_submit_u_url_encode(defaults[i]->value); - params2 = talloc_asprintf(ctx, - "%s&%s=%s", - params2, p, q); - }; -+ /* Add parameters specified on command line */ -+ for (j = 0; j < num_options; j++) { -+ p = cm_submit_u_url_encode(options[j].name); -+ q = cm_submit_u_url_encode(options[j].value); -+ params2 = talloc_asprintf(ctx, -+ "%s&%s=%s", -+ params2, p, q); -+ } - break; - case op_none: - case op_submit: --- -2.1.0 - diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index 0678f85..6195f1a 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -25,8 +25,8 @@ %endif Name: certmonger -Version: 0.75.14 -Release: 3%{?dist} +Version: 0.78.4 +Release: 1%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons 
@@ -35,8 +35,8 @@ URL: http://certmonger.fedorahosted.org Source0: http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz Source1: http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz.sig BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) -Patch0: certmonger-dogtag-approval-options.patch -Patch1: certmonger-dbus-string-properties.patch + +Patch1001: 1001-Remove-rekey-feature.patch BuildRequires: openldap-devel BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel @@ -52,6 +52,9 @@ BuildRequires: libcurl-devel BuildRequires: curl-devel %endif BuildRequires: libxml2-devel, xmlrpc-c-devel +%if 0%{?rhel} < 6 +BuildRequires: bind-libbind-devel +%endif # Required for 'make check': # for diff and cmp BuildRequires: diffutils @@ -72,6 +75,8 @@ BuildRequires: /usr/bin/unix2dos BuildRequires: /usr/bin/which # for dbus tests BuildRequires: dbus-python +# for popt or popt-devel, depending on the build environment +BuildRequires: /usr/include/popt.h # we need a running system bus Requires: dbus @@ -109,9 +114,8 @@ Certmonger is a service which is primarily concerned with getting your system enrolled with a certificate authority (CA) and keeping it enrolled. %prep -%setup -q -%patch0 -p1 -b .dogtag-approval-options -%patch1 -p1 -b .dbus-string-properties +%autosetup -p1 + %if 0%{?rhel} > 0 # Enabled by default for RHEL for bug #765600, still disabled by default for # Fedora pending a similar bug report there. 
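Review bot: The `%prep` hunk switches to `%autosetup -p1`, but nothing visible verifies Source1, the upstream `.tar.gz.sig`, against the tarball before the patch is applied; the only integrity anchor in this commit is the SHA-1 recorded in `.certmonger.metadata`. If the build environment provides `%{gpgverify}`, a line such as `%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}` (with the upstream signing key added as a new Source) would close that gap; otherwise a comment stating where the signature is checked would help the next maintainer. The same change drops Patch0/Patch1 (Dogtag approval options, D-Bus string properties) while the changelog only says "Update to upstream 0.78.4"; a changelog line noting that both backports are contained in 0.78.4 would make the removal auditable — I cannot confirm that from this page. `%autosetup` applies every Patch tag in number order, so the 1001 numbering is fine, but a comment that the 1000+ range is reserved for downstream-only patches would explain the gap.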
@@ -237,9 +241,29 @@ exit 0 %endif %if %{systemd} %{_unitdir}/* +%{_datadir}/dbus-1/system-services/* %endif %changelog +* Mon Aug 10 2015 Jan Cholasta - 0.78.4-1 +- Resolves: #1249753 challenge password not added in csr using start-tracking +- Resolves: #1250397 Remove certmonger rekey feature in 7.2 + - Remove rekey feature +- Related: #1205756 Rebase certmonger to 0.77 or later + - Update to upstream 0.78.4 + +* Fri Jul 24 2015 Jan Cholasta - 0.78.3-1 +- Resolves: #1244914 scep ca helper does not parse command line options + correctly +- Related: #1205756 Rebase certmonger to 0.77 or later + - Update to upstream 0.78.3 + +* Mon Jun 22 2015 Jan Cholasta - 0.78.1-1 +- Resolves: #1140241 RFE: Add SCEP support to certmonger +- Resolves: #1148001 ipa-getcert killed by SIGABRT +- Resolves: #1205756 Rebase certmonger to 0.77 or later + - Update to upstream 0.78.1 + * Tue Jan 13 2015 Jan Cholasta - 0.75.14-3 - backport change from git to correctly retrieve string values from DBus property interface replies (#1181022) @@ -250,8 +274,8 @@ exit 0 * Thu Aug 28 2014 Nalin Dahyabhai 0.75.14-1 - make pathname canonicalization slightly smarter, to handle ".." in - locations -- updates to self-tests + locations (#1131758) +- updates to self-tests (#1144082) * Thu Aug 21 2014 Kevin Fenzi - 0.75.13-2 - Rebuild for rpm bug 1131960 @@ -420,7 +444,7 @@ exit 0 * Mon Feb 10 2014 Nalin Dahyabhai - move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir}, - where it belongs + where it belongs (#1180978) * Mon Feb 10 2014 Nalin Dahyabhai - updates for 0.73 
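Review bot: The new `%{_datadir}/dbus-1/system-services/*` entry in the `%files` hunk packages whatever a future tarball installs into that directory under a glob, so an additional bus-activation file appearing upstream would be shipped without review. Listing the file by name — `%{_datadir}/dbus-1/system-services/<activation-file>.service`, substituting the real name — turns an unexpected addition into a build failure instead. The entry sits inside `%if %{systemd}`; if the activation file is only meaningful together with a `SystemdService=` line, a comment saying so would explain the placement — I cannot see the file from this page.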
@@ -433,7 +457,7 @@ exit 0 - also pass the SPKAC value to enrollment helpers in the environment as a base64 value in "CERTMONGER_SPKAC" - also pass the request's SubjectPublicKeyInfo value to enrollment helpers - in the environment as a base64 value in "CERTMONGER_SPKI" + in the environment as a base64 value in "CERTMONGER_SPKI" (part of #16) - when generating signing requests using NSS, be more accommodating of requested subject names that don't parse properly