diff --git a/.certmonger.metadata b/.certmonger.metadata
new file mode 100644
index 0000000..e38fad0
--- /dev/null
+++ b/.certmonger.metadata
@@ -0,0 +1 @@
+277aca37d5ee3b693108ce7d9398ec3b44beb634 SOURCES/certmonger-0.78.4.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..366c9b4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/certmonger-0.78.4.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/0001-Stop-assuming-RSA-512-works.patch b/SOURCES/0001-Stop-assuming-RSA-512-works.patch
new file mode 100644
index 0000000..463f8bc
--- /dev/null
+++ b/SOURCES/0001-Stop-assuming-RSA-512-works.patch
@@ -0,0 +1,659 @@
+From 1c464828a5ad8f47a6acf7b6d6ec1f324fe63b51 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 12 Jan 2016 17:27:18 -0500
+Subject: [PATCH] Stop assuming RSA 512 works
+
+For the sake of F24, stop assuming that we'll be able to generate
+512-bit RSA keys. We use certutil to do some of it, and it doesn't give
+us a way to toggle support on.
+---
+ tests/001-keyiread-rsa/expected.out | 2 -
+ tests/001-keyiread-rsa/run.sh | 4 +-
+ tests/001-keyiread/expected.out | 2 -
+ tests/001-keyiread/run.sh | 4 +-
+ tests/002-keygen-dsa/expected.out | 6 --
+ tests/002-keygen-dsa/run.sh | 4 +-
+ tests/002-keygen-rsa/expected.out | 6 --
+ tests/002-keygen-rsa/run.sh | 4 +-
+ tests/002-keygen/expected.out | 18 -----
+ tests/002-keygen/run.sh | 4 +-
+ tests/003-csrgen-rsa/expected.out | 124 ++++++++++++++--------
+ tests/003-csrgen-rsa/run.sh | 4 +-
+ tests/003-csrgen/expected.out | 157 +++++++++++++++++-------------------
+ tests/003-csrgen/run.sh | 4 +-
+ tests/004-selfsign-rsa/expected.out | 1 -
+ tests/004-selfsign-rsa/run.sh | 2 +-
+ tests/004-selfsign/expected.out | 1 -
+ tests/004-selfsign/run.sh | 2 +-
+ 18 files changed, 152 insertions(+), 197 deletions(-)
+
+diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
+index fa3493c04b26eb676700abdab7895fe0a1ee3d6d..727897d14f9a3eb8eab8c3b12964fa7d38cefdef 100644
+--- a/tests/001-keyiread-rsa/expected.out
++++ b/tests/001-keyiread-rsa/expected.out
+@@ -1,10 +1,8 @@
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+ OK (RSA:3072).
+ OK (RSA:4096).
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
+index b5ac7150b80af45a23a56be6a49f3884a9f5049a..c7b7768690e80a9f3fcba0e42fe4a96b60efe48c 100755
+--- a/tests/001-keyiread-rsa/run.sh
++++ b/tests/001-keyiread-rsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a self-signed cert.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+@@ -30,7 +30,7 @@ for size in 512 1024 1536 2048 3072 4096 ; do
+ $toolsdir/keyiread entry.nss.$size
+ done
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a key.
+ openssl genrsa $size > sample.$size 2> /dev/null
+ # Check the size of the key.
+diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
+index fa3493c04b26eb676700abdab7895fe0a1ee3d6d..727897d14f9a3eb8eab8c3b12964fa7d38cefdef 100644
+--- a/tests/001-keyiread/expected.out
++++ b/tests/001-keyiread/expected.out
+@@ -1,10 +1,8 @@
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+ OK (RSA:3072).
+ OK (RSA:4096).
+-OK (RSA:512).
+ OK (RSA:1024).
+ OK (RSA:1536).
+ OK (RSA:2048).
+diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
+index d95043d164e133ed23148719b74513d745ebec66..ce1428edd8d022d8a7f7f735154234bbdc4bf228 100755
+--- a/tests/001-keyiread/run.sh
++++ b/tests/001-keyiread/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a self-signed cert.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+@@ -30,7 +30,7 @@ for size in 512 1024 1536 2048 3072 4096 ; do
+ $toolsdir/keyiread entry.nss.$size
+ done
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Generate a key.
+ openssl genrsa $size > sample.$size 2> /dev/null
+ # Check the size of the key.
+diff --git a/tests/002-keygen-dsa/expected.out b/tests/002-keygen-dsa/expected.out
+index f2a44d26286605c4186963f6c43b6dbd6e2e81cc..7445bcc2628dd78eef0cea4c90339c79fb3571cf 100644
+--- a/tests/002-keygen-dsa/expected.out
++++ b/tests/002-keygen-dsa/expected.out
+@@ -1,6 +1,3 @@
+-[nss:512]
+-OK.
+-OK (DSA:512).
+ [nss:1024]
+ OK.
+ OK (DSA:1024).
+@@ -20,9 +17,6 @@ OK (DSA:3072).
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (DSA:512).
+ [openssl:1024]
+ OK.
+ OK (DSA:1024).
+diff --git a/tests/002-keygen-dsa/run.sh b/tests/002-keygen-dsa/run.sh
+index fad19de1d365466c0bfd739fbd8be1be9135a291..d9cff0e973bcdffcbeda4c702d3ee86b27d07e43 100755
+--- a/tests/002-keygen-dsa/run.sh
++++ b/tests/002-keygen-dsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[nss:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+@@ -41,7 +41,7 @@ key_gen_type=DSA
+ EOF
+ $toolsdir/keygen entry.$size || true
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[openssl:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out
+index 33f0f48ea92e0b7fa17ccc6a1938fe37d7335c8a..3e6e9f3c1b293a0a9c16085bfbf243d44e43e129 100644
+--- a/tests/002-keygen-rsa/expected.out
++++ b/tests/002-keygen-rsa/expected.out
+@@ -1,6 +1,3 @@
+-[nss:512]
+-OK.
+-OK (RSA:512).
+ [nss:1024]
+ OK.
+ OK (RSA:1024).
+@@ -20,9 +17,6 @@ OK (RSA:4096).
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (RSA:512).
+ [openssl:1024]
+ OK.
+ OK (RSA:1024).
+diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh
+index b133edd8535db75804c82f7505e055c9b1bd0aa2..476f412753511772c506e76d8f3bb9c128b8aa1e 100755
+--- a/tests/002-keygen-rsa/run.sh
++++ b/tests/002-keygen-rsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[nss:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+@@ -41,7 +41,7 @@ key_gen_type=RSA
+ EOF
+ $toolsdir/keygen entry.$size || true
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[openssl:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
+index f47d2d564bfd36d8d944bc388119314ee41c3722..ff56372aac282743f79699b0b381fcf198bd5db4 100644
+--- a/tests/002-keygen/expected.out
++++ b/tests/002-keygen/expected.out
+@@ -1,12 +1,3 @@
+-[nss:512]
+-OK.
+-OK (RSA:512).
+-OK.
+-OK (RSA:512 after RSA:512).
+-OK.
+-OK (RSA:512 after RSA:512).
+-keyi512
+-keyi512 (candidate (next))
+ [nss:1024]
+ OK.
+ OK (RSA:1024).
+@@ -56,15 +47,6 @@ keyi4096 (candidate (next))
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (RSA:512).
+-OK.
+-OK (RSA:512 after RSA:512).
+-OK.
+-OK (RSA:512 after RSA:512).
+-${tmpdir}/sample.512
+-${tmpdir}/sample.512.(next).key
+ [openssl:1024]
+ OK.
+ OK (RSA:1024).
+diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
+index a0867cf1e3fd0a9f18d275ab308ec93808936b4b..f550feebac5ed10a52500286bb8b779ed8e1526a 100755
+--- a/tests/002-keygen/run.sh
++++ b/tests/002-keygen/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[nss:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+@@ -49,7 +49,7 @@ key_gen_size=$size
+ EOF
+ $toolsdir/keygen entry.$size || true
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ echo "[openssl:$size]"
+ # Generate a key.
+ cat > entry.$size <<- EOF
+diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
+index 7b67eab3b9e431b8d22b5a73bb6b5d2952e05d83..e058e8541c2de49fe5f446a7e3432b4138fbb876 100644
+--- a/tests/003-csrgen-rsa/expected.out
++++ b/tests/003-csrgen-rsa/expected.out
+@@ -1,9 +1,5 @@
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+ MAC verified OK
+-512 OK.
+-Signature OK
+-pk12util: PKCS12 EXPORT SUCCESSFUL
+-MAC verified OK
+ 1024 OK.
+ Signature OK
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+@@ -23,70 +19,70 @@ MAC verified OK
+ 4096 OK.
+ Signature OK + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1019 cons: SEQUENCE +- 4:d=1 hl=4 l= 933 cons: SEQUENCE ++ 0:d=0 hl=4 l=1413 cons: SEQUENCE ++ 4:d=1 hl=4 l=1133 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET + 15:d=4 hl=2 l= 18 cons: SEQUENCE + 17:d=5 hl=2 l= 3 prim: OBJECT :commonName + 22:d=5 hl=2 l= 11 prim: PRINTABLESTRING :Babs Jensen +- 35:d=2 hl=2 l= 92 cons: SEQUENCE +- 37:d=3 hl=2 l= 13 cons: SEQUENCE +- 39:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption +- 50:d=4 hl=2 l= 0 prim: NULL +- 52:d=3 hl=2 l= 75 prim: BIT STRING +- 129:d=2 hl=4 l= 808 cons: cont [ 0 ] +- 133:d=3 hl=2 l= 52 cons: SEQUENCE +- 135:d=4 hl=2 l= 9 prim: OBJECT :challengePassword +- 146:d=4 hl=2 l= 39 cons: SET +- 148:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText +- 187:d=3 hl=2 l= 61 cons: SEQUENCE +- 189:d=4 hl=2 l= 9 prim: OBJECT :friendlyName +- 200:d=4 hl=2 l= 48 cons: SET +- 202:d=5 hl=2 l= 46 prim: BMPSTRING +- 250:d=3 hl=4 l= 687 cons: SEQUENCE +- 254:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 265:d=4 hl=4 l= 672 cons: SET +- 269:d=5 hl=4 l= 668 cons: SEQUENCE +- 273:d=6 hl=2 l= 14 cons: SEQUENCE +- 275:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 280:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 283:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 289:d=6 hl=4 l= 264 cons: SEQUENCE +- 293:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 298:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 301:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]: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 +- 557:d=6 hl=2 l= 32 cons: SEQUENCE +- 559:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 564:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 567:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 591:d=6 hl=2 l= 18 cons: SEQUENCE +- 593:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 598:d=7 hl=2 l= 1 prim: BOOLEAN :255 
+- 601:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 611:d=6 hl=2 l= 34 cons: SEQUENCE +- 613:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 618:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 621:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 647:d=6 hl=2 l= 32 cons: SEQUENCE +- 649:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 654:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 657:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 681:d=6 hl=2 l= 107 cons: SEQUENCE +- 683:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 693:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 696:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 790:d=6 hl=2 l= 96 cons: SEQUENCE +- 792:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 797:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 800:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 888:d=6 hl=2 l= 51 cons: SEQUENCE +- 890:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 901:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 904:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 941:d=1 hl=2 l= 13 cons: SEQUENCE +- 943:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 954:d=2 hl=2 l= 0 prim: NULL +- 956:d=1 hl=2 l= 65 prim: BIT STRING ++ 35:d=2 hl=4 l= 290 cons: SEQUENCE ++ 39:d=3 hl=2 l= 13 cons: SEQUENCE ++ 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption ++ 52:d=4 hl=2 l= 0 prim: NULL ++ 54:d=3 hl=4 l= 271 prim: BIT STRING ++ 329:d=2 hl=4 l= 808 cons: cont [ 0 ] ++ 333:d=3 hl=2 l= 52 cons: SEQUENCE ++ 335:d=4 hl=2 l= 9 
prim: OBJECT :challengePassword ++ 346:d=4 hl=2 l= 39 cons: SET ++ 348:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText ++ 387:d=3 hl=2 l= 61 cons: SEQUENCE ++ 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName ++ 400:d=4 hl=2 l= 48 cons: SET ++ 402:d=5 hl=2 l= 46 prim: BMPSTRING ++ 450:d=3 hl=4 l= 687 cons: SEQUENCE ++ 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request ++ 465:d=4 hl=4 l= 672 cons: SET ++ 469:d=5 hl=4 l= 668 cons: SEQUENCE ++ 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage ++ 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 489:d=6 hl=4 l= 264 cons: SEQUENCE ++ 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74 ++ 757:d=6 hl=2 l= 32 cons: SEQUENCE ++ 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 764:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 791:d=6 hl=2 l= 18 cons: SEQUENCE ++ 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 798:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 801:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 811:d=6 hl=2 l= 34 cons: SEQUENCE ++ 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 818:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX 
DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 847:d=6 hl=2 l= 32 cons: SEQUENCE ++ 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 854:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 881:d=6 hl=2 l= 107 cons: SEQUENCE ++ 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 893:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 990:d=6 hl=2 l= 96 cons: SEQUENCE ++ 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 997:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1088:d=6 hl=2 l= 51 cons: SEQUENCE ++ 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1141:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1154:d=2 hl=2 l= 0 prim: NULL ++ 1156:d=1 hl=4 l= 257 prim: BIT STRING + Test complete (32 combinations). +diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh +index c049dd00d411706b1470a1a8a9fb8ae59c36bf8b..7f1e7b41f195b3af429c1ba7129dd00b7ca2ed9d 100755 +--- a/tests/003-csrgen-rsa/run.sh ++++ b/tests/003-csrgen-rsa/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 512 1024 1536 2048 3072 4096 ; do ++for size in 1024 1536 2048 3072 4096 ; do + # Build a self-signed certificate. 
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+@@ -216,7 +216,7 @@ for nscomment in "" "certmonger generated this request" ; do
+ done
+ nscomment=
+ 
+-size=512
++size=2048
+ subject="CN=Babs Jensen"
+ hostname=localhost,localhost.localdomain
+ email=root@localhost,root@localhost.localdomain
+diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
+index 7f4586cd2820be6c0a88bd6787c86a532f68643c..51083160df3dd69972292fd23d51e79714290d22 100644
+--- a/tests/003-csrgen/expected.out
++++ b/tests/003-csrgen/expected.out
+@@ -1,11 +1,6 @@
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+ MAC verified OK
+ Signature OK
+-minicert.openssl.512.pem: OK
+-512 OK.
+-pk12util: PKCS12 EXPORT SUCCESSFUL
+-MAC verified OK
+-Signature OK
+ minicert.openssl.1024.pem: OK
+ 1024 OK.
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+@@ -29,86 +24,86 @@ Signature OK
+ minicert.openssl.4096.pem: OK
+ 4096 OK.
+ The last CSR (the one with everything) was:
+- 0:d=0 hl=4 l=1241 cons: SEQUENCE
+- 4:d=1 hl=4 l=1155 cons: SEQUENCE
++ 0:d=0 hl=4 l=1635 cons: SEQUENCE
++ 4:d=1 hl=4 l=1355 cons: SEQUENCE
+ 8:d=2 hl=2 l= 1 prim: INTEGER :00
+ 11:d=2 hl=2 l= 22 cons: SEQUENCE
+ 13:d=3 hl=2 l= 20 cons: SET
+ 15:d=4 hl=2 l= 18 cons: SEQUENCE
+ 17:d=5 hl=2 l= 3 prim: OBJECT :commonName
+ 22:d=5 hl=2 l= 11 prim: PRINTABLESTRING :Babs Jensen
+- 35:d=2 hl=2 l= 92 cons: SEQUENCE
+- 37:d=3 hl=2 l= 13 cons: SEQUENCE
+- 39:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
+- 50:d=4 hl=2 l= 0 prim: NULL
+- 52:d=3 hl=2 l= 75 prim: BIT STRING
+- 129:d=2 hl=4 l=1030 cons: cont [ 0 ]
+- 133:d=3 hl=2 l= 52 cons: SEQUENCE
+- 135:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
+- 146:d=4 hl=2 l= 39 cons: SET
+- 148:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText
+- 187:d=3 hl=2 l= 61 cons: SEQUENCE
+- 189:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
+- 200:d=4 hl=2 l= 48 cons: SET
+- 202:d=5 hl=2 l= 46 prim: BMPSTRING
+- 250:d=3 hl=4 l= 909 cons: SEQUENCE
+-
254:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 265:d=4 hl=4 l= 894 cons: SET +- 269:d=5 hl=4 l= 890 cons: SEQUENCE +- 273:d=6 hl=2 l= 14 cons: SEQUENCE +- 275:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 280:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 283:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 289:d=6 hl=4 l= 290 cons: SEQUENCE +- 293:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 298:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 301:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 +- 583:d=6 hl=2 l= 32 cons: SEQUENCE +- 585:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 590:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 593:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 617:d=6 hl=2 l= 18 cons: SEQUENCE +- 619:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 624:d=7 hl=2 l= 1 prim: BOOLEAN :255 +- 627:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 637:d=6 hl=2 l= 34 cons: SEQUENCE +- 639:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 644:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 647:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 673:d=6 hl=2 l= 32 cons: SEQUENCE +- 675:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 680:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 683:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 707:d=6 hl=2 l= 107 cons: SEQUENCE +- 709:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 719:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 722:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 816:d=6 hl=2 l= 96 cons: SEQUENCE +- 818:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 823:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 
826:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 914:d=6 hl=2 l= 106 cons: SEQUENCE +- 916:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL +- 921:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 924:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 +- 1022:d=6 hl=2 l= 51 cons: SEQUENCE +- 1024:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 1035:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1038:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 1075:d=6 hl=2 l= 18 cons: SEQUENCE +- 1077:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check +- 1088:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1091:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 +- 1095:d=6 hl=2 l= 44 cons: SEQUENCE +- 1097:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 +- 1108:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1111:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 +- 1141:d=6 hl=2 l= 20 cons: SEQUENCE +- 1143:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type +- 1154:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1157:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 +- 1163:d=1 hl=2 l= 13 cons: SEQUENCE +- 1165:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 1176:d=2 hl=2 l= 0 prim: NULL +- 1178:d=1 hl=2 l= 65 prim: BIT STRING ++ 35:d=2 hl=4 l= 290 cons: SEQUENCE ++ 39:d=3 hl=2 l= 13 cons: SEQUENCE ++ 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption ++ 52:d=4 hl=2 l= 0 prim: NULL ++ 54:d=3 hl=4 l= 271 prim: BIT STRING ++ 329:d=2 hl=4 l=1030 cons: cont [ 0 ] ++ 333:d=3 hl=2 l= 52 cons: SEQUENCE ++ 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword ++ 346:d=4 hl=2 l= 39 cons: SET ++ 
348:d=5 hl=2 l= 37 prim: PRINTABLESTRING :ChallengePasswordIsEncodedInPlainText ++ 387:d=3 hl=2 l= 61 cons: SEQUENCE ++ 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName ++ 400:d=4 hl=2 l= 48 cons: SET ++ 402:d=5 hl=2 l= 46 prim: BMPSTRING ++ 450:d=3 hl=4 l= 909 cons: SEQUENCE ++ 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request ++ 465:d=4 hl=4 l= 894 cons: SET ++ 469:d=5 hl=4 l= 890 cons: SEQUENCE ++ 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage ++ 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 489:d=6 hl=4 l= 290 cons: SEQUENCE ++ 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 ++ 783:d=6 hl=2 l= 32 cons: SEQUENCE ++ 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 790:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 817:d=6 hl=2 l= 18 cons: SEQUENCE ++ 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 824:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 837:d=6 hl=2 l= 34 cons: SEQUENCE ++ 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 844:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 873:d=6 hl=2 l= 32 cons: SEQUENCE ++ 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 880:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 907:d=6 hl=2 l= 107 cons: SEQUENCE ++ 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 919:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX 
DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 1016:d=6 hl=2 l= 96 cons: SEQUENCE ++ 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1114:d=6 hl=2 l= 106 cons: SEQUENCE ++ 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL ++ 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 ++ 1222:d=6 hl=2 l= 51 cons: SEQUENCE ++ 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1275:d=6 hl=2 l= 18 cons: SEQUENCE ++ 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check ++ 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 ++ 1295:d=6 hl=2 l= 44 cons: SEQUENCE ++ 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 ++ 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 ++ 1341:d=6 hl=2 l= 20 cons: SEQUENCE ++ 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type ++ 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0 ++ 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 ++ 1363:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1376:d=2 hl=2 l= 0 prim: NULL ++ 1378:d=1 hl=4 l= 257 prim: BIT STRING + Test 
complete (69 combinations).
+diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
+index 9a1c027fa7d9da0eec41e5e63e68b05645df9d6b..67b12064b55dd52bd64fbf1b1f9615655913c334 100755
+--- a/tests/003-csrgen/run.sh
++++ b/tests/003-csrgen/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Build a self-signed certificate.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+@@ -298,7 +298,7 @@ for ns_certtype in "" client server email objsign reserved sslca emailca objca c
+ done
+ ns_certtype=
+ 
+-size=512
++size=2048
+ subject="CN=Babs Jensen"
+ hostname=localhost,localhost.localdomain
+ email=root@localhost,root@localhost.localdomain
+diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out
+index c50bd2ee0c1101f2df71738d4152e4fcf3bc9591..dd5029eca4f2b6e2cd354f64cd31b843c5857385 100644
+--- a/tests/004-selfsign-rsa/expected.out
++++ b/tests/004-selfsign-rsa/expected.out
+@@ -1,4 +1,3 @@
+-512 OK.
+ 1024 OK.
+ 1536 OK.
+ 2048 OK.
+diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
+index 8788bdb02fee287299e4cc389e18c7e0eb5ca91d..6f9285b65d4205fd4f24327fea9d934afc5fd68c 100755
+--- a/tests/004-selfsign-rsa/run.sh
++++ b/tests/004-selfsign-rsa/run.sh
+@@ -33,7 +33,7 @@ function setupca() {
+ EOF
+ }
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Build a self-signed certificate.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out
+index c50bd2ee0c1101f2df71738d4152e4fcf3bc9591..dd5029eca4f2b6e2cd354f64cd31b843c5857385 100644
+--- a/tests/004-selfsign/expected.out
++++ b/tests/004-selfsign/expected.out
+@@ -1,4 +1,3 @@
+-512 OK.
+ 1024 OK.
+ 1536 OK.
+ 2048 OK.
+diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
+index 7b2ee438d34d539ab7063b0bd1fc004421c97999..7bb368ec39d9675bff05c837c7e9a4cf64c5b714 100755
+--- a/tests/004-selfsign/run.sh
++++ b/tests/004-selfsign/run.sh
+@@ -43,7 +43,7 @@ function setupca() {
+ EOF
+ }
+ 
+-for size in 512 1024 1536 2048 3072 4096 ; do
++for size in 1024 1536 2048 3072 4096 ; do
+ # Build a self-signed certificate.
+ run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+--
+2.9.0
+
diff --git a/SOURCES/0002-Stop-assuming-RSA-512-works-part-two.patch b/SOURCES/0002-Stop-assuming-RSA-512-works-part-two.patch
new file mode 100644
index 0000000..fe0ee2a
--- /dev/null
+++ b/SOURCES/0002-Stop-assuming-RSA-512-works-part-two.patch
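Review bot: Every rewritten loop header in the run.sh hunks (`for size in 1024 1536 2048 3072 4096 ; do`, repeated in six scripts, most of them twice) and the `size=2048` lines in tests/003-csrgen-rsa/run.sh and tests/003-csrgen/run.sh still hard-code the key-size list, so the new floor of 1024 is the same kind of toolchain assumption this patch is removing for 512 and will fail the same way if the platform's minimum RSA/DSA generation size is raised again. Since each script already does `source "$srcdir"/functions`, the list could be defined once there, for example `test_key_sizes=${CM_TEST_KEY_SIZES:-"1024 1536 2048 3072 4096"}` (name illustrative), with the loops written as `for size in $test_key_sizes ; do`, so the next adjustment is one edit; the matching expected.out fixtures would of course still need regenerating. The `openssl genrsa $size > sample.$size 2> /dev/null` context line in the two 001-keyiread hunks also discards the error for a rejected size and leaves an empty sample file, so a failure there would surface only as a later mismatch against expected.out rather than at the point of generation.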
@@ -0,0 +1,56 @@
+From e7f5c8bfbcd5e1f9256fe7a256d2f5b9340003a5 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 13 Jan 2016 09:38:13 -0500
+Subject: [PATCH] Stop assuming RSA 512 works, part two
+
+Catch up a couple of the other valid output sets.
+---
+ tests/002-keygen-dsa/expected.out.2 | 6 ------
+ tests/002-keygen-dsa/expected.out.3 | 6 ------
+ 2 files changed, 12 deletions(-)
+
+diff --git a/tests/002-keygen-dsa/expected.out.2 b/tests/002-keygen-dsa/expected.out.2
+index 9275bafaabb15bfc4829860bc994880c3f8f704d..7445bcc2628dd78eef0cea4c90339c79fb3571cf 100644
+--- a/tests/002-keygen-dsa/expected.out.2
++++ b/tests/002-keygen-dsa/expected.out.2
+@@ -1,6 +1,3 @@
+-[nss:512]
+-OK.
+-OK (DSA:3072).
+ [nss:1024]
+ OK.
+ OK (DSA:1024).
+@@ -20,9 +17,6 @@ OK (DSA:3072).
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (DSA:512).
+ [openssl:1024]
+ OK.
+ OK (DSA:1024).
+diff --git a/tests/002-keygen-dsa/expected.out.3 b/tests/002-keygen-dsa/expected.out.3
+index c8547b4206435a004e0f3a64016e2fb09ff4e25a..0f563e2895a6ef6f455f83cbc235e27213db8415 100644
+--- a/tests/002-keygen-dsa/expected.out.3
++++ b/tests/002-keygen-dsa/expected.out.3
+@@ -1,6 +1,3 @@
+-[nss:512]
+-OK.
+-OK (DSA:512).
+ [nss:1024]
+ OK.
+ OK (DSA:1016).
+@@ -20,9 +17,6 @@ OK (DSA:3072).
+ Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+ Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
+-[openssl:512]
+-OK.
+-OK (DSA:512).
+ [openssl:1024]
+ OK.
+ OK (DSA:1024).
+--
+2.9.0
+
diff --git a/SOURCES/0003-Add-issuer-request-option-for-specifying-issuer.patch b/SOURCES/0003-Add-issuer-request-option-for-specifying-issuer.patch
new file mode 100644
index 0000000..ecd29cb
--- /dev/null
+++ b/SOURCES/0003-Add-issuer-request-option-for-specifying-issuer.patch
@@ -0,0 +1,548 @@
+From 2187e205da4fb2fcfdc2d8b9e4a4117f849041f7 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Fri, 3 Jun 2016 10:22:23 +1000
+Subject: [PATCH] Add 'issuer' request option for specifying issuer
+
+FreeIPA is implementing a 'lightweight CAs' feature where a single
+Dogtag instance can host multiple CAs. Add the '--issuer' / '-X'
+getcert-request option for specifying a particular CA, and the
+'CERTMONGER_CA_ISSUER' environment variable for passing the value to
+submit helpers. Also update the 'ipa-submit' helper to set the 'ca'
+argument if the environment variable is set.
+
+Reviewed-by: Nalin Dahyabhai
+---
+ doc/api.txt | 2 ++
+ doc/submit.txt | 1 +
+ src/cadata.c | 1 +
+ src/getcert-request.1.in | 3 +++
+ src/getcert-resubmit.1.in | 3 +++
+ src/getcert-start-tracking.1.in | 3 +++
+ src/getcert.c | 44 ++++++++++++++++++++++++++++++++++++-----
+ src/ipa.c | 25 +++++++++++++++++------
+ src/store-files.c | 9 +++++++++
+ src/store-int.h | 1 +
+ src/submit-e.c | 1 +
+ src/submit-e.h | 1 +
+ src/tdbus.h | 1 +
+ src/tdbush.c | 25 ++++++++++++++++++++++-
+ tests/028-dbus/expected.out | 1 +
+ 15 files changed, 109 insertions(+), 12 deletions(-)
+
+diff --git a/doc/api.txt b/doc/api.txt
+index e11f944de5861663d742c8b91129f7b592e7f72c..31016bec004f0b7f00db4cb3baefd236d485dc85 100644
+--- a/doc/api.txt
++++ b/doc/api.txt
+@@ -56,6 +56,7 @@ o object layout
+ {("template-crldp"),array-of-string (CRL distribution point URIs)}
+ {("template-ns-comment"),string (Netscape comment)}
+ {("template-profile"),string (certificate profile)}
++ {("template-issuer"),string (requested issuer)}
+ {("template-challenge-password"),string (password to add to CSR)}
+ {("template-challenge-password-file"),string (password file)
+ {("cert-presave-command"),string}
+@@ -164,6 +165,7 @@ o object layout
+ {("template-crldp"),array-of-string (CRL distribution point URIs)}
+ {("template-ns-comment"),string (Netscape comment)}
+ {("template-profile"),string (certificate
profile)}
++ {("template-issuer"),string (requested issuer)}
+ {("template-challenge-password"),string (password to add to CSR)}
+ {("template-challenge-password-file"),string (password file)
+ {("cert-presave-command"),string}
+diff --git a/doc/submit.txt b/doc/submit.txt
+index dbf5319dc29bd9adb4054d4e76e90f028bad5fa6..7444f88c078b7453ae350268482832485259348a 100644
+--- a/doc/submit.txt
++++ b/doc/submit.txt
+@@ -13,6 +13,7 @@ An external CA helper has a few jobs:
+ * $CERTMONGER_REQ_PRINCIPAL -> Kerberos principal name subjectAltName values
+ * $CERTMONGER_REQ_IP_ADDRESS-> IP address subjectAltName values (since 0.78)
+ * $CERTMONGER_CA_PROFILE -> requested enrollment profile/template/certtype
++ * $CERTMONGER_CA_ISSUER -> requested issuer for enrollment
+ * $CERTMONGER_CSR -> certificate signing request
+ * $CERTMONGER_CERTIFICATE -> previously-issued certificate, if there is one
+ * $CERTMONGER_CA_NICKNAME -> nickname of CA (since 0.73)
+diff --git a/src/cadata.c b/src/cadata.c
+index 947b2e68d3e74abf688aebd48344bfbf964e5656..7861fe73104143d6a9135fcb50b3ead583b03bf7 100644
+--- a/src/cadata.c
++++ b/src/cadata.c
+@@ -50,6 +50,7 @@ const char *attribute_map[] = {
+ CM_SUBMIT_REQ_EMAIL_ENV, CM_DBUS_PROP_TEMPLATE_EMAIL,
+ CM_SUBMIT_REQ_IP_ADDRESS_ENV, CM_DBUS_PROP_TEMPLATE_IP_ADDRESS,
+ CM_SUBMIT_PROFILE_ENV, CM_DBUS_PROP_TEMPLATE_PROFILE,
++ CM_SUBMIT_ISSUER_ENV, CM_DBUS_PROP_TEMPLATE_ISSUER,
+ NULL,
+ };
+ 
+diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in
+index f11f1ffa35ccb6eb3d6aeea149353f55d5266534..b6578dce4b06fd60f9e784ba5665489eb3dd3982 100644
+--- a/src/getcert-request.1.in
++++ b/src/getcert-request.1.in
+@@ -87,6 +87,9 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR.
+ \fB\-T\fR NAME
+ Request a certificate using the named profile, template, or certtype,
+ from the specified CA.
++.TP
++\fB\-X\fR NAME
++Request a certificate using the named issuer from the specified CA.
+ + .SH SIGNING REQUEST OPTIONS + +diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in +index ad31da9995194280d79c2ce6bb2311291d37072d..165940eab1e625ecd3db63a1cf0bd822ae6abf72 100644 +--- a/src/getcert-resubmit.1.in ++++ b/src/getcert-resubmit.1.in +@@ -48,6 +48,9 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. + Request a certificate using the named profile, template, or certtype, + from the specified CA. + .TP ++\fB\-X\fR NAME ++Request a certificate using the named issuer from the specified CA. ++.TP + \fB\-I\fR NAME + Assign the specified nickname to this task, replacing the previous nickname. + +diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in +index 6cd24e77dd578662e4b18b8ae18dd26b6faa7122..a46f53578626bc62abaeb22e77500548c34ac3c0 100644 +--- a/src/getcert-start-tracking.1.in ++++ b/src/getcert-start-tracking.1.in +@@ -85,6 +85,9 @@ useful in combination with \fB\-r\fR. + \fB\-T\fR NAME + Request a certificate using the named profile, template, or certtype, + from the specified CA. ++.TP ++\fB\-X\fR NAME ++Request a certificate using the named issuer from the specified CA. 
+ + .SH SIGNING REQUEST OPTIONS + If and when \fIcertmonger\fR attempts to obtain a new certificate to replace +diff --git a/src/getcert.c b/src/getcert.c +index 49840dd968a75929ef55c6b77966187f0c59fa78..cfa36fb1a7ea16c9c9bacc8f40360efa594b7830 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -691,7 +691,7 @@ request(const char *argv0, int argc, const char **argv) + char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL; + int keysize = 0, auto_renew = 1, verbose = 0, ku = 0, kubit, c, i, j; + char *ca = DEFAULT_CA, *subject = NULL, **eku = NULL, *oid, *id = NULL; +- char *profile = NULL, kustring[16]; ++ char *profile = NULL, *issuer = NULL, kustring[16]; + char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; +@@ -732,6 +732,7 @@ request(const char *argv0, int argc, const char **argv) + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("set requested extended key usage OID"), HELP_TYPE_EKU}, +@@ -858,6 +859,9 @@ request(const char *argv0, int argc, const char **argv) + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'X': ++ issuer = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'N': + subject = talloc_strdup(globals.tctx, poptarg); + break; +@@ -1289,6 +1293,13 @@ request(const char 
*argv0, int argc, const char **argv) + params[i] = ¶m[i]; + i++; + } ++ if (issuer != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = issuer; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (precommand != NULL) { + param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; + param[i].value_type = cm_tdbusm_dict_s; +@@ -1480,7 +1491,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id, + char *key_perms, char *cert_perms, + char *pin, char *pinfile, + char *cpass, char *cpassfile, +- char *ca, char *profile, ++ char *ca, char *profile, char *issuer, + char *precommand, char *postcommand, + char **anchor_dbs, char **anchor_files, + dbus_bool_t auto_renew_stop, int waitreq, +@@ -1644,6 +1655,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id, + params[i] = ¶m[i]; + i++; + } ++ if (issuer != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = issuer; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (precommand != NULL) { + param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; + param[i].value_type = cm_tdbusm_dict_s; +@@ -1726,7 +1744,7 @@ set_tracking(const char *argv0, const char *category, + char **anchor_dbs = NULL, **anchor_files = NULL; + char *id = NULL, *new_id = NULL, *new_request; + char *keyfile = NULL, *certfile = NULL, *ca = DEFAULT_CA; +- char *profile = NULL; ++ char *profile = NULL, *issuer = NULL; + char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; +@@ -1767,6 +1785,7 @@ set_tracking(const char *argv0, const char *category, + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"issuer", 'X', POPT_ARG_STRING, 
NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("override requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("override requested extended key usage OID"), HELP_TYPE_EKU}, + {"principal", 'K', POPT_ARG_STRING, NULL, 'K', _("override requested principal name"), HELP_TYPE_PRINCIPAL}, +@@ -2291,7 +2310,7 @@ set_tracking(const char *argv0, const char *category, + key_perms, cert_perms, + pin, pinfile, + cpass, cpassfile, +- ca, profile, ++ ca, profile, issuer, + precommand, postcommand, + anchor_dbs, anchor_files, + (auto_renew_stop > 0), +@@ -2366,7 +2385,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + char *id = NULL, *new_id = NULL, *ca = NULL, *new_request, *nss_scheme; + char *subject = NULL, **eku = NULL, *oid = NULL; + char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; +- char *profile = NULL, kustring[16]; ++ char *profile = NULL, *issuer = NULL, kustring[16]; + char *key_owner = NULL, *key_perms = NULL; + char *cert_owner = NULL, *cert_perms = NULL; + char *keytype = NULL; +@@ -2403,6 +2422,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the current one"), HELP_TYPE_NAME}, + #endif + {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, ++ {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, + {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, + {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, + {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("set requested extended key usage 
OID"), HELP_TYPE_EKU}, +@@ -2477,6 +2497,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + case 'T': + profile = talloc_strdup(globals.tctx, poptarg); + break; ++ case 'X': ++ issuer = talloc_strdup(globals.tctx, poptarg); ++ break; + case 'i': + id = talloc_strdup(globals.tctx, poptarg); + break; +@@ -2838,6 +2861,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, + params[i] = ¶m[i]; + i++; + } ++ if (issuer != NULL) { ++ param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ param[i].value_type = cm_tdbusm_dict_s; ++ param[i].value.s = issuer; ++ params[i] = ¶m[i]; ++ i++; ++ } + if (precommand != NULL) { + param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; + param[i].value_type = cm_tdbusm_dict_s; +@@ -4647,6 +4677,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the default\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Parameters for the signing request:\n"), + N_(" -N NAME set requested subject name (default: CN=)\n"), + N_(" -U EXTUSAGE set requested extended key usage OID\n"), +@@ -4695,6 +4726,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the default\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Parameters for the signing request at renewal time:\n"), + N_(" -U EXTUSAGE override requested extended key usage OID\n"), + N_(" -u KEYUSAGE set requested key usage value\n"), +@@ -4773,6 +4805,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the current one\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" 
-X ISSUER ask the CA to process the request using the named issuer\n"), + N_("* Bus options:\n"), + N_(" -S connect to the certmonger service on the system bus\n"), + N_(" -s connect to the certmonger service on the session bus\n"), +@@ -4820,6 +4853,7 @@ help(const char *twopartcmd, const char *category) + N_(" -c CA use the specified CA rather than the current one\n"), + #endif + N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), + N_(" -G TYPE type of new key to be generated\n"), + N_(" -g SIZE size of new key to be generated\n"), + N_("* Bus options:\n"), +diff --git a/src/ipa.c b/src/ipa.c +index 5236abb40246c270d1b14c5cfbc467dbd6e8f7a4..72cdda6b07ea5a4850fb404497196c46a6bbbd6d 100644 +--- a/src/ipa.c ++++ b/src/ipa.c +@@ -332,7 +332,8 @@ cm_locate_xmlrpc_service(const char *server, + /* Make an XML-RPC request to the "cert_request" method. */ + static int + submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath, +- const char *csr, const char *reqprinc, const char *profile) ++ const char *csr, const char *reqprinc, ++ const char *profile, const char *issuer) + { + struct cm_submit_x_context *ctx; + const char *args[2]; +@@ -366,6 +367,10 @@ submit: + if (profile != NULL) { + cm_submit_x_add_named_arg_s(ctx, "profile_id", profile); + } ++ /* Add the requested CA named argument. */ ++ if (issuer != NULL) { ++ cm_submit_x_add_named_arg_s(ctx, "ca", issuer); ++ } + /* Tell the server to add entries for a principal if one + * doesn't exist yet. 
*/ + cm_submit_x_add_named_arg_b(ctx, "add", 1); +@@ -440,12 +445,14 @@ static int + submit_or_poll(const char *uri, const char *cainfo, const char *capath, + const char *server, int ldap_uri_cmd, const char *ldap_uri, + const char *host, const char *domain, char *basedn, +- const char *csr, const char *reqprinc, const char *profile) ++ const char *csr, const char *reqprinc, ++ const char *profile, const char *issuer) + { + int i, u; + char **uris; + +- i = submit_or_poll_uri(uri, cainfo, capath, csr, reqprinc, profile); ++ i = submit_or_poll_uri(uri, cainfo, capath, csr, reqprinc, profile, ++ issuer); + if ((i == CM_SUBMIT_STATUS_UNREACHABLE) || + (i == CM_SUBMIT_STATUS_UNCONFIGURED)) { + u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri, +@@ -456,7 +463,8 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath, + continue; + } + i = submit_or_poll_uri(uris[u], cainfo, capath, +- csr, reqprinc, profile); ++ csr, reqprinc, profile, ++ issuer); + if ((i != CM_SUBMIT_STATUS_UNREACHABLE) && + (i != CM_SUBMIT_STATUS_UNCONFIGURED)) { + talloc_free(uris); +@@ -556,7 +564,7 @@ main(int argc, const char **argv) + const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile; + int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0; + const char *mode = CM_OP_SUBMIT; +- char ldn[LINE_MAX], *basedn = NULL, *profile = NULL; ++ char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL; + krb5_error_code kret; + poptContext pctx; + struct poptOption popts[] = { +@@ -571,6 +579,7 @@ main(int argc, const char **argv) + {"use-ccache-creds", 'K', POPT_ARG_NONE, NULL, 'K', "use default ccache instead of creating a new one using keytab", NULL}, + {"principal-of-request", 'P', POPT_ARG_STRING, &reqprinc, 0, "principal name in signing request", "PRINCIPAL"}, + {"profile", 'T', POPT_ARG_STRING, &profile, 0, "request enrollment using the specified profile", "NAME"}, ++ {"issuer", 'X', POPT_ARG_STRING, &issuer, 0, "request enrollment using 
the specified CA", "NAME"}, + {"basedn", 'b', POPT_ARG_STRING, &basedn, 0, "IPA domain LDAP base DN", "DN"}, + {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, + POPT_AUTOHELP +@@ -729,6 +738,10 @@ main(int argc, const char **argv) + (getenv(CM_SUBMIT_PROFILE_ENV) != NULL)) { + profile = strdup(getenv(CM_SUBMIT_PROFILE_ENV)); + } ++ if ((issuer == NULL) && ++ (getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) { ++ issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV)); ++ } + if ((server != NULL) && !xmlrpc_uri_cmd) { + snprintf(uri, sizeof(uri), + "https://%s/ipa/xml", server); +@@ -835,7 +848,7 @@ main(int argc, const char **argv) + return submit_or_poll(uri, cainfo, capath, + server, ldap_uri_cmd, ldap_uri, + host, domain, basedn, +- csr, reqprinc, profile); ++ csr, reqprinc, profile, issuer); + } else + if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) { + return fetch_roots(server, ldap_uri_cmd, ldap_uri, host, +diff --git a/src/store-files.c b/src/store-files.c +index 961d03b7d1724a2cdb1fc4a26d8f1e25e474824f..889829ca62a035a758288aac158cbe17b0fd9e6d 100644 +--- a/src/store-files.c ++++ b/src/store-files.c +@@ -129,6 +129,7 @@ enum cm_store_file_field { + cm_store_entry_field_template_ocsp_location, + cm_store_entry_field_template_ns_comment, + cm_store_entry_field_template_profile, ++ cm_store_entry_field_template_issuer, + cm_store_entry_field_template_no_ocsp_check, + cm_store_entry_field_template_ns_certtype, + +@@ -303,6 +304,7 @@ static struct cm_store_file_field_list { + {cm_store_entry_field_template_ns_comment, "template_ns_comment"}, + {cm_store_entry_field_template_profile, "template_profile"}, /* right */ + {cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */ ++ {cm_store_entry_field_template_issuer, "template_issuer"}, + {cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"}, + {cm_store_entry_field_template_ns_certtype, "template_ns_certtype"}, + +@@ -1127,6 +1129,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE 
*fp) + case cm_store_entry_field_template_profile: + ret->cm_template_profile = free_if_empty(p); + break; ++ case cm_store_entry_field_template_issuer: ++ ret->cm_template_issuer = free_if_empty(p); ++ break; + case cm_store_entry_field_template_no_ocsp_check: + ret->cm_template_no_ocsp_check = atoi(p) != 0; + talloc_free(p); +@@ -1370,6 +1375,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) + case cm_store_entry_field_template_ocsp_location: + case cm_store_entry_field_template_ns_comment: + case cm_store_entry_field_template_profile: ++ case cm_store_entry_field_template_issuer: + case cm_store_entry_field_template_no_ocsp_check: + case cm_store_entry_field_template_ns_certtype: + case cm_store_entry_field_challenge_password: +@@ -1972,6 +1978,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry) + entry->cm_template_ns_comment); + cm_store_file_write_str(fp, cm_store_entry_field_template_profile, + entry->cm_template_profile); ++ cm_store_file_write_str(fp, cm_store_entry_field_template_issuer, ++ entry->cm_template_issuer); + cm_store_file_write_int(fp, cm_store_entry_field_template_no_ocsp_check, + entry->cm_template_no_ocsp_check ? 
1 : 0); + cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype, +@@ -2735,6 +2743,7 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry) + ret->cm_template_ocsp_location = cm_store_maybe_strdupv(ret, entry->cm_template_ocsp_location); + ret->cm_template_ns_comment = cm_store_maybe_strdup(ret, entry->cm_template_ns_comment); + ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile); ++ ret->cm_template_issuer = cm_store_maybe_strdup(ret, entry->cm_template_issuer); + ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check; + ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret, + entry->cm_template_ns_certtype); +diff --git a/src/store-int.h b/src/store-int.h +index d7d3fc86306b103b0a90faef7396697743b9c8da..2d3a35387516c48ab81a6422e42d57d5741593f6 100644 +--- a/src/store-int.h ++++ b/src/store-int.h +@@ -142,6 +142,7 @@ struct cm_store_entry { + char **cm_template_ocsp_location; + char *cm_template_ns_comment; + char *cm_template_profile; ++ char *cm_template_issuer; + char *cm_template_ns_certtype; + unsigned int cm_template_no_ocsp_check: 1; + /* A challenge password, which may be included (in cleartext form!) in +diff --git a/src/submit-e.c b/src/submit-e.c +index 6997b436e42aa4f77c421040070ee2484467dea5..befd01e0fd00b8f9e239752ffbd80c985fae5057 100644 +--- a/src/submit-e.c ++++ b/src/submit-e.c +@@ -876,6 +876,7 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca, + maybe_setenv(CM_SUBMIT_COOKIE_ENV, entry->cm_ca_cookie); + maybe_setenv(CM_SUBMIT_CA_NICKNAME_ENV, entry->cm_ca_nickname); + maybe_setenv(CM_SUBMIT_PROFILE_ENV, entry->cm_template_profile); ++ maybe_setenv(CM_SUBMIT_ISSUER_ENV, entry->cm_template_issuer); + maybe_setenv(CM_SUBMIT_CERTIFICATE_ENV, entry->cm_cert); + /* Only pass SCEP data to the helper if we haven't used this set of + * nonced data before. It'll ask for fresh data if it needs it. 
*/ +diff --git a/src/submit-e.h b/src/submit-e.h +index 2e325cf7d36436b89287e9933db83a6d853abfd1..0148d4da07507a000d8e6e8aca98f2ed84669eca 100644 +--- a/src/submit-e.h ++++ b/src/submit-e.h +@@ -48,6 +48,7 @@ const char *cm_submit_e_status_text(enum cm_external_status status); + #define CM_SUBMIT_COOKIE_ENV "CERTMONGER_CA_COOKIE" + #define CM_SUBMIT_CA_NICKNAME_ENV "CERTMONGER_CA_NICKNAME" + #define CM_SUBMIT_PROFILE_ENV "CERTMONGER_CA_PROFILE" ++#define CM_SUBMIT_ISSUER_ENV "CERTMONGER_CA_ISSUER" + #define CM_SUBMIT_CERTIFICATE_ENV "CERTMONGER_CERTIFICATE" + #define CM_SUBMIT_SCEP_CA_IDENTIFIER_ENV "CERTMONGER_SCEP_CA_IDENTIFIER" + #define CM_SUBMIT_SCEP_RA_CERTIFICATE_ENV "CERTMONGER_SCEP_RA_CERTIFICATE" +diff --git a/src/tdbus.h b/src/tdbus.h +index c9b3afeb59548c2dc1260cfd7c76b39327a42f89..496f2dd289a0bd9b4d66451ea5eb0acf83d0cf5f 100644 +--- a/src/tdbus.h ++++ b/src/tdbus.h +@@ -108,6 +108,7 @@ + #define CM_DBUS_PROP_TEMPLATE_FRESHEST_CRL "template-freshest-crl" + #define CM_DBUS_PROP_TEMPLATE_NS_COMMENT "template-ns-comment" + #define CM_DBUS_PROP_TEMPLATE_PROFILE "template-profile" ++#define CM_DBUS_PROP_TEMPLATE_ISSUER "template-issuer" + #define CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE "template-ns-certtype" + #define CM_DBUS_SIGNAL_REQUEST_CERT_SAVED "SavedCertificate" + #define CM_DBUS_PROP_CA_PRESAVE_COMMAND "ca-presave-command" +diff --git a/src/tdbush.c b/src/tdbush.c +index 4660f80f26669d31b2629c543384fe95bbec1ea9..05a503e06a553c566dcff5e053cbd8aa16c20f14 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -1562,6 +1562,13 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, + param->value.s); + } + param = cm_tdbusm_find_dict_entry(d, ++ CM_DBUS_PROP_TEMPLATE_ISSUER, ++ cm_tdbusm_dict_s); ++ if (param != NULL) { ++ new_entry->cm_template_issuer = maybe_strdup(new_entry, ++ param->value.s); ++ } ++ param = cm_tdbusm_find_dict_entry(d, + CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD, + cm_tdbusm_dict_s); + if ((param != NULL) && +@@ -3306,6 +3313,14 @@ 
request_modify(DBusConnection *conn, DBusMessage *msg, + } + } else + if ((param->value_type == cm_tdbusm_dict_s) && ++ (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_ISSUER) == 0)) { ++ talloc_free(entry->cm_template_issuer); ++ entry->cm_template_issuer = maybe_strdup(entry, param->value.s); ++ if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) { ++ propname[n_propname++] = CM_DBUS_PROP_TEMPLATE_ISSUER; ++ } ++ } else ++ if ((param->value_type == cm_tdbusm_dict_s) && + (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD) == 0)) { + talloc_free(entry->cm_template_challenge_password); + entry->cm_template_challenge_password = maybe_strdup(entry, +@@ -6712,6 +6727,14 @@ cm_tdbush_iface_request(void) + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + NULL), + make_interface_item(cm_tdbush_interface_property, ++ make_property(CM_DBUS_PROP_TEMPLATE_ISSUER, ++ cm_tdbush_property_string, ++ cm_tdbush_property_readwrite, ++ cm_tdbush_property_char_p, ++ offsetof(struct cm_store_entry, cm_template_issuer), ++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ++ NULL), ++ make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE, + cm_tdbush_property_string, + cm_tdbush_property_readwrite, +@@ -7156,7 +7179,7 @@ cm_tdbush_iface_request(void) + make_interface_item(cm_tdbush_interface_signal, + make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, + NULL), +- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); ++ NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); + } + return ret; + } +diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index ba55dd5ce97c74475dbebb761c41dd2e64e64365..b2660317b3102373f2a5a877a7224f727929412c 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -328,6 +328,7 @@ OK + + + ++ + + + +-- +2.9.0 + 
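Review bot: In the ipa.c hunk of this patch, `issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV));` is not checked, and because every downstream use is guarded by `if (issuer != NULL)` (the `cm_submit_x_add_named_arg_s(ctx, "ca", issuer)` call in `submit_or_poll_uri`), an allocation failure silently degrades into a request with no `ca` argument — the certificate then comes from whichever CA the server applies by default rather than the one the caller asked for, with no diagnostic. The pre-existing `profile` line has the same shape, but a dropped profile changes the certificate's contents while a dropped issuer changes who signs it, so this copy deserves a hard failure: test the result and exit the helper with its usual allocation-failure status instead of falling through. Separately, the new popt entry reads `"request enrollment using the specified CA"` while every other string in the series (getcert, the man pages, `doc/submit.txt`) says "issuer"; `"request enrollment using the specified issuer (lightweight CA)"` would keep the vocabulary consistent. The `main()` of ipa.c starts and ends outside the hunk.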
diff --git a/SOURCES/0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch b/SOURCES/0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch new file mode 100644 index 0000000..14448f5 --- /dev/null +++ b/SOURCES/0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch 
@@ -0,0 +1,44 @@ +From f78836266df6fdbdc321e002dc7ae2229866e621 Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai +Date: Tue, 14 Jun 2016 15:56:30 -0400 +Subject: [PATCH] Documentation: mark $CERTMONGER_CA_ISSUER as 0.79 + +In documentation that now mentions that we set $CERTMONGER_CA_ISSUER for +helpers, list 0.79 as the first version where we started doing so. +--- + doc/helpers.txt | 5 +++++ + doc/submit.txt | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/doc/helpers.txt b/doc/helpers.txt +index 9d43e2390122c67719d549387b070879bf7e1f2d..975a741eeb76ef6d9005a05e5283ab92a1ccd399 100644 +--- a/doc/helpers.txt ++++ b/doc/helpers.txt +@@ -103,6 +103,11 @@ helper is called. + * CERTMONGER_REQ_IP_ADDRESS + Any iPAddress subject alt name values from the request. + ++ These are also present starting with version 0.79: ++ ++ * CERTMONGER_CA_ISSUER ++ The requested issuer for enrollment. ++ + The helper is expected to use this information, along with whatever + credentials it has or is passed on the command line, to send the signing + request to the CA. +diff --git a/doc/submit.txt b/doc/submit.txt +index 7444f88c078b7453ae350268482832485259348a..b1742c3f2e54adcaa60f58371c9ff1fded0d30b0 100644 +--- a/doc/submit.txt ++++ b/doc/submit.txt +@@ -13,7 +13,7 @@ An external CA helper has a few jobs: + * $CERTMONGER_REQ_PRINCIPAL -> Kerberos principal name subjectAltName values + * $CERTMONGER_REQ_IP_ADDRESS-> IP address subjectAltName values (since 0.78) + * $CERTMONGER_CA_PROFILE -> requested enrollment profile/template/certtype +- * $CERTMONGER_CA_ISSUER -> requested issuer for enrollment ++ * $CERTMONGER_CA_ISSUER -> requested issuer for enrollment (since 0.79) + * $CERTMONGER_CSR -> certificate signing request + * $CERTMONGER_CERTIFICATE -> previously-issued certificate, if there is one + * $CERTMONGER_CA_NICKNAME -> nickname of CA (since 0.73) +-- +2.9.0 + 
diff --git a/SOURCES/0005-Comment-whitespace-fixup.patch b/SOURCES/0005-Comment-whitespace-fixup.patch new file mode 100644 index 0000000..28bd346 --- /dev/null +++ b/SOURCES/0005-Comment-whitespace-fixup.patch @@ -0,0 +1,39 @@ +From 77977396865f4099dff7143c703301ccea52a276 Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai +Date: Tue, 14 Jun 2016 15:57:16 -0400 +Subject: [PATCH] Comment/whitespace fixup + +--- + src/ipa.c | 2 +- + src/tdbush.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/ipa.c b/src/ipa.c +index 72cdda6b07ea5a4850fb404497196c46a6bbbd6d..f2736c6f37948df902b65157480fc0c29ec58c3e 100644 +--- a/src/ipa.c ++++ b/src/ipa.c +@@ -367,7 +367,7 @@ submit: + if (profile != NULL) { + cm_submit_x_add_named_arg_s(ctx, "profile_id", profile); + } +- /* Add the requested CA named argument. */ ++ /* Add the requested CA issuer named argument. */ + if (issuer != NULL) { + cm_submit_x_add_named_arg_s(ctx, "ca", issuer); + } +diff --git a/src/tdbush.c b/src/tdbush.c +index 05a503e06a553c566dcff5e053cbd8aa16c20f14..631da3ed2bbb1f6828d576760299ad51d7e41923 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -1566,7 +1566,7 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, + cm_tdbusm_dict_s); + if (param != NULL) { + new_entry->cm_template_issuer = maybe_strdup(new_entry, +- param->value.s); ++ param->value.s); + } + param = cm_tdbusm_find_dict_entry(d, + CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD, +-- +2.9.0 + diff --git a/SOURCES/0006-ipa-submit-Retry-without-ca-on-OptionError.patch b/SOURCES/0006-ipa-submit-Retry-without-ca-on-OptionError.patch new file mode 100644 index 0000000..b089001 --- /dev/null +++ b/SOURCES/0006-ipa-submit-Retry-without-ca-on-OptionError.patch 
@@ -0,0 +1,35 @@
+From 301e56c06192649bc33ddbda77ac55c0fb69f2a0 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 14 Jun 2016 15:59:10 -0400
+Subject: [PATCH] ipa-submit: Retry without "ca" on OptionError
+
+Add a fallback for when the IPA server returns error 3005 ("OptionError")
+when we've tried to use the "ca" named argument in a request. As we did
+with "profile_id" earlier, take a guess that it didn't understand the
+most recently-added option that we're setting, and retry without it set.
+---
+ src/ipa.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/ipa.c b/src/ipa.c
+index f2736c6f37948df902b65157480fc0c29ec58c3e..f8abe609a603b614067e56ebe9935472b647ed99 100644
+--- a/src/ipa.c
++++ b/src/ipa.c
+@@ -387,6 +387,14 @@ submit:
+ switch (i / 1000) {
+ case 2: /* authorization error - permanent */
+ case 3: /* invocation error - permanent */
++ if ((i == 3005) && (issuer != NULL)) {
++ /* Most likely the server didn't understand the
++ * "ca" argument. At least, at this
++ * point. Randomly dropping arguments is not
++ * really an extensible solution, though. */
++ issuer = NULL;
++ goto submit;
++ }
+ if ((i == 3005) && (profile != NULL)) {
+ /* Most likely the server didn't understand the
+ * "profile_id" argument. At least, at this
+-- 
+2.9.0
+
diff --git a/SOURCES/0007-getcert-fix-a-potential-out-of-bounds.patch b/SOURCES/0007-getcert-fix-a-potential-out-of-bounds.patch
new file mode 100644
index 0000000..b089001
--- /dev/null
+++ b/SOURCES/0007-getcert-fix-a-potential-out-of-bounds.patch
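Review bot: The new 3005 branch silently downgrades the request: `issuer = NULL; goto submit;` resubmits without the `ca` argument, so the certificate is presumably signed by the server's default CA rather than the issuer the administrator explicitly selected with `-X` / `CERTMONGER_CA_ISSUER`, and nothing is logged or returned to say so. For `profile_id` that fallback only changes certificate contents; for `ca` it changes the trust anchor of what gets issued, which a deployment that chose a lightweight sub-CA for scoping is likely relying on. At minimum print a diagnostic before the retry, e.g. `fprintf(stderr, "Server rejected the \"ca\" option; retrying without issuer \"%s\".\n", issuer);`, and consider making the fallback opt-in or having the caller check the issuer of the returned certificate against what was requested. Note also that with both `issuer` and `profile` set a second 3005 drops the profile too, so one request can lose both constraints, and the man-page text added in patch 0008 describes this as the server not understanding "multiple profiles", which does not match what the code does. The enclosing `submit_or_poll_uri()` starts and ends outside the hunk.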
@@ -0,0 +1,41 @@
+From ef0f3c32888165c1a39b078f23ce7e1fc57fec66 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 15 Jun 2016 15:56:38 -0400
+Subject: [PATCH] getcert: fix a potential out-of-bounds
+
+In getcert, fix a potential out-of-bounds write while gathering
+parameters to send to the daemon as part of an "add_request" API
+request, present since 20a6536febf0815d0b3d301133820a46fdd6ef21.
+---
+ src/getcert.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/getcert.c b/src/getcert.c
+index cfa36fb1a7ea16c9c9bacc8f40360efa594b7830..c84273a9bfc8730422f18ade87ce174fbbc44634 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -1499,8 +1499,8 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
+ {
+ DBusMessage *req, *rep;
+ int i;
+- struct cm_tdbusm_dict param[25];
+- const struct cm_tdbusm_dict *params[26];
++ struct cm_tdbusm_dict param[26];
++ const struct cm_tdbusm_dict *params[27];
+ dbus_bool_t b;
+ const char *capath;
+ char *p;
+@@ -1738,8 +1738,8 @@ set_tracking(const char *argv0, const char *category,
+ enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
+ DBusMessage *req, *rep;
+ const char *request, *capath;
+- struct cm_tdbusm_dict param[25];
+- const struct cm_tdbusm_dict *params[26];
++ struct cm_tdbusm_dict param[26];
++ const struct cm_tdbusm_dict *params[27];
+ char *nss_scheme, *dbdir = NULL, *token = NULL, *nickname = NULL;
+ char **anchor_dbs = NULL, **anchor_files = NULL;
+ char *id = NULL, *new_id = NULL, *new_request;
+-- 
+2.9.0
+
diff --git a/SOURCES/0008-Document-the-X-option-in-the-ipa-submit-man-page.patch b/SOURCES/0008-Document-the-X-option-in-the-ipa-submit-man-page.patch
new file mode 100644
index 0000000..33d08cb
--- /dev/null
+++ b/SOURCES/0008-Document-the-X-option-in-the-ipa-submit-man-page.patch
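Review bot: Only `add_basic_request()` and `set_tracking()` get the larger `param[26]` / `params[27]` arrays here, but patch 0003 also appended a `CM_DBUS_PROP_TEMPLATE_ISSUER` entry in `request()` and `rekey_or_resubmit()`; their array declarations are not visible in this series, so confirm those two have headroom as well or the same one-past-the-end stack write still exists there. The hand-counted sizes are the root cause and will drift again the next time a property is added; a guard next to each `params[i] = &param[i]; i++;` such as `assert(i < (int)(sizeof(param) / sizeof(param[0])));`, or a single named constant used for both array lengths, would turn a recurrence into a diagnostic instead of silent stack corruption. Both functions continue outside the hunk.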
@@ -0,0 +1,32 @@
+From 3a734708fb96d0fed7850a5615782e27a039cda1 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 15 Jun 2016 17:20:52 -0400
+Subject: [PATCH] Document the -X option in the ipa-submit man page
+
+Add documentation for the new -X option to certmonger-ipa-submit(8).
+---
+ src/certmonger-ipa-submit.8.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/certmonger-ipa-submit.8.in b/src/certmonger-ipa-submit.8.in
+index 62b6991c7e1e13ed02cb04a76e9446b69a01093d..2a986c63f97c117175f84007cb54b63b8e221cf7 100644
+--- a/src/certmonger-ipa-submit.8.in
++++ b/src/certmonger-ipa-submit.8.in
+@@ -28,6 +28,14 @@ LDAP server's directory tree, where $BASE defaults to the value of the
+ Identifies the principal name of the service for which the certificate is being
+ issued. This setting is required by IPA and must always be specified.
+ .TP
++\fB\-X\fR issuer
++Requests that the certificate be processed by the specified certificate issuer.
++By default, if this flag is not specified, and the \fBCERTMONGER_CA_ISSUER\fR
++variable is set in the environment, then the value of the environment variable
++will be used. This setting is optional, and if a server returns error 3005,
++indicating that it does not understand multiple profiles, the request will be
++re-submitted without specifying an issuer name.
++.TP
+ \fB\-T\fR profile
+ Requests that the certificate be processed using the specified certificate profile.
+ By default, if this flag is not specified, and the \fBCERTMONGER_CA_PROFILE\fR
+--
+2.9.0
+
diff --git a/SOURCES/0009-Fix-a-flakiness-in-the-028-dbus-test.patch b/SOURCES/0009-Fix-a-flakiness-in-the-028-dbus-test.patch
new file mode 100644
index 0000000..35b3adb
--- /dev/null
+++ b/SOURCES/0009-Fix-a-flakiness-in-the-028-dbus-test.patch
@@ -0,0 +1,59 @@
+From 4f72c02d0f432519f9d5606bd99007fd685482a7 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 29 Jun 2016 17:37:09 -0400
+Subject: [PATCH] Fix a flakiness in the 028-dbus test
+
+When walking all of the exposed APIs from python, we were calling the
+'resubmit' method on a certificate, and not waiting for the churn in
+state that doing so would create to settle down before continuing.
+
+This meant that the test script might have exited before the certmonger
+process that was waiting on it finished saving the new certificate that
+it obtained from resubmitting the rquest, so the process wouldn't
+reliably log that it had obtained a new certificate.
+
+Spotted by Jan Cholasta.
+---
+ tests/028-dbus/expected.out | 1 +
+ tests/028-dbus/walk.py | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
+index b2660317b3102373f2a5a877a7224f727929412c..93cc4d184524c4b1aeba02a650c94d832462c236 100644
+--- a/tests/028-dbus/expected.out
++++ b/tests/028-dbus/expected.out
+@@ -1,4 +1,5 @@
+ Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
++Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
+ [[ getcert ]]
+ State MONITORING, stuck: no.
+ Number of certificates and requests being tracked: 1.
+diff --git a/tests/028-dbus/walk.py b/tests/028-dbus/walk.py
+index 0bf54b477220aef901340c1d24100391348226a7..f60ca934fd934e21cec027bad5c53e0f12ccb36d 100644
+--- a/tests/028-dbus/walk.py
++++ b/tests/028-dbus/walk.py
+@@ -3,6 +3,7 @@ import dbus
+ import xml.etree.ElementTree
+ import os
+ import sys
++import time
+
+ bus = dbus.SessionBus()
+
+@@ -110,6 +111,13 @@ def examine_method(objpath, interface, method, idata):
+ # We're in FIXME territory.
+ print('FIXME: need support for "%s"' % method)
+ return False
++ # If we caused things to start churning, wait for them to settle.
++ if method == 'resubmit':
++ props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
++ prop = props.Get(interface, 'status')
++ while prop != 'MONITORING':
++ time.sleep(1)
++ prop = props.Get(interface, 'status')
+ return True
+
+ def iget(child, proxy, interface, prop):
+--
+2.7.4
+
diff --git a/SOURCES/0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch b/SOURCES/0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch
new file mode 100644
index 0000000..1c5f0cb
--- /dev/null
+++ b/SOURCES/0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch
@@ -0,0 +1,29 @@
+From c4b456b2c7515fd896d2806d70f3ebc86c7a85ac Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 5 Mar 2018 10:18:38 -0500
+Subject: [PATCH] Set all bits to 1 in local CA Basic Constraint to set TRUE
+
+This was previously using the value of 1 which OpenSSL didn't
+have an issue with but NSS is stricter when it comes to DER
+encoding. Section 11.1 in X.690 requires that DER boolean set
+all bits to 1 to indicate TRUE.
+---
+ src/local.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/local.c b/src/local.c
+index 8450c9b5..48a9e360 100644
+--- a/src/local.c
++++ b/src/local.c
+@@ -85,7 +85,7 @@ set_ca_extensions(void *parent, X509_REQ *req, EVP_PKEY *key)
+ exts = sk_X509_EXTENSION_new(NULL);
+
+ memset(&basic, 0, sizeof(basic));
+- basic.ca = 1;
++ basic.ca = 255; // set all bits for TRUE
+ X509V3_add1_i2d(&exts, NID_basic_constraints, &basic, TRUE, 0);
+
+ len = i2d_PUBKEY(key, NULL);
+--
+2.13.6
+
diff --git a/SOURCES/0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch b/SOURCES/0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch
new file mode 100644
index 0000000..38e9115
--- /dev/null
+++ b/SOURCES/0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch
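Review bot: The new `while prop != 'MONITORING':` loop in `examine_method` has no upper bound, so if the resubmitted request settles in any state other than MONITORING (a rejected or stuck request, a daemon that died) the test hangs forever instead of failing, which turns one flaky test into a hung CI job; the enclosing function starts outside the hunk. Give the wait a deadline and raise when it expires so the failure is visible and attributable, as sketched below.
```python
        if method == 'resubmit':
            # … unchanged: props / initial prop lookup …
            deadline = time.time() + 60
            while prop != 'MONITORING':
                if time.time() > deadline:
                    raise RuntimeError('resubmit did not settle, status %s' % prop)
                time.sleep(1)
                prop = props.Get(interface, 'status')
```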
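Review bot: `basic.ca = 255; // set all bits for TRUE` introduces a C++-style comment into `set_ca_extensions`, whose surrounding code and the rest of this patch series use `/* */` comments, and the decimal literal hides why the value has to be all-ones. Writing it as `basic.ca = 0xff; /* DER BOOLEAN TRUE: X.690 11.1 requires all bits set, NSS rejects 0x01 */` keeps the comment style consistent and records the encoding rule the commit message explains at the point where it matters. The function continues outside the hunk.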
@@ -0,0 +1,38 @@
+From 42586b51e34519f18fadef2ad3c9c9d77fde0409 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 5 Mar 2018 15:54:10 -0400
+Subject: [PATCH] Fix conversions of bit lengths to byte lengths
+
+Fix a number of places where we weren't correctly converting from length
+in bits to length in bytes, and one in the self-tests where the newest
+version of NSS complains if the size of a signature was too large
+because it was not converted at all.
+
+Based on upstream change dd537bcc644dea163b4c8f3de08d73a60876449d
+---
+ tests/tools/checksig.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/tools/checksig.c b/tests/tools/checksig.c
+index e690911..ab8bb11 100644
+--- a/tests/tools/checksig.c
++++ b/tests/tools/checksig.c
+@@ -18,6 +18,7 @@
+ #include "../../src/config.h"
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -101,6 +102,7 @@ main(int argc, char **argv)
+ printf("error finding public key\n");
+ return 1;
+ }
++ signed_data.signature.len = howmany(signed_data.signature.len, 8);
+ if (VFY_VerifyDataWithAlgorithmID(signed_data.data.data,
+ signed_data.data.len,
+ pubkey,
+--
+1.8.3.1
+
diff --git a/SOURCES/1001-Remove-rekey-feature.patch b/SOURCES/1001-Remove-rekey-feature.patch
new file mode 100644
index 0000000..dba4798
--- /dev/null
+++ b/SOURCES/1001-Remove-rekey-feature.patch
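Review bot: `signed_data.signature.len = howmany(signed_data.signature.len, 8);` rewrites the decoded field in place, so from this point on `signed_data.signature` carries a byte count while the rest of the decoded structure still reflects what the ASN.1 decoder produced; any later use of that field in `main` (which continues outside the hunk), or a second pass through this code, would divide an already-converted length again. Record the invariant where it is changed, e.g. `/* decoder stores BIT STRING length in bits; normalise to bytes exactly once, here */`, or convert into a local copy passed to the verify call rather than mutating the decoded item. The header name on the added `#include` line has been stripped in this rendering; `howmany` is a BSD macro from `<sys/param.h>` rather than standard C, so it is worth confirming the include resolves on every target of this spec.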
@@ -0,0 +1,374 @@
+From c47a439f510adffe4e2225408261d0e93059e077 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Fri, 7 Aug 2015 13:40:41 +0200
+Subject: [PATCH] Remove rekey feature
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1250397
+---
+ src/certmonger-scep-submit.8.in | 8 --------
+ src/certmonger.conf.5.in | 19 -------------------
+ src/getcert-add-scep-ca.1.in | 8 --------
+ src/getcert.c | 3 ---
+ src/prefs.c | 27 +--------------------------
+ src/scep.c | 5 -----
+ src/submit-e.c | 6 ------
+ src/tdbush.c | 10 +---------
+ tests/010-iterate/expected.out | 14 +++++---------
+ tests/028-dbus/expected.out | 6 ------
+ tests/036-getcert/expected.out | 26 ++++++++++++++------------
+ tests/037-rekey2/expected.out | 4 ++--
+ 12 files changed, 23 insertions(+), 113 deletions(-)
+
+diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
+index 7319c6a42c090420eb035515d94fd0640d990dda..31203c37fde407d2306de9d7f5aba9d3541eaaa3 100644
+--- a/src/certmonger-scep-submit.8.in
++++ b/src/certmonger-scep-submit.8.in
+@@ -80,14 +80,6 @@ When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to
+ specify the CA identifier which is passed to the server as part of the client's
+ request. The default is "0".
+ .TP
+-\fB\-n\fR
+-The SCEP Renewal feature allows a client with a previously-issued certificate
+-to use that certificate and the associated private key to request a new
+-certificate for a different key pair, and can be used to support
+-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
+-it. This option forces the \fIscep-submit\fR helper to prefer to issue
+-requests which do not make use of this feature.
+-.TP
+ \fB-v\fR
+ Increases the logging level. Use twice for more logging. This option
+ is mainly useful for troubleshooting.
+diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
+index 241f48b07b5045708aa118663b569d5ac3947782..e1220f134c30e760af73fb0abc88a498e94f23d2 100644
+--- a/src/certmonger.conf.5.in
++++ b/src/certmonger.conf.5.in
+@@ -72,25 +72,6 @@ These are the trust attributes which are applied to certificates which are not
+ necessarily to be trusted, when they are saved to NSS databases. The default
+ is \fI,,\fP.
+
+-.IP max_key_use_count
+-When attempting to replace a certificate, if \fIcertmonger\fR has previously
+-obtained at least this number of certificates using the current key pair, it
+-will generate a new key pair to use before proceeding. There is effectively no
+-default for this setting.
+-
+-.IP max_key_lifetime
+-The amount of time after a key was first generated when \fIcertmonger\fR will
+-attempt to generate a new key pair to replace it, as part of the process of
+-replacing a certificate.
+-The value is specified as a combination of years (y), months (M), weeks (w),
+-days (d), hours (h), minutes (m), and/or seconds (s). If no unit of time is
+-specified, seconds are assumed.
+-The date when a key was generated is not recorded if the key was not generated
+-by \fIcertmonger\fR, or if the key was generated with a version of
+-\fIcertmonger\fR older than 0.78, and for those cases, this option has no
+-effect.
+-There is effectively no default for this setting.
+-
+ .SH SELFSIGN
+ Within the \fIselfsign\fR section, these variables and values are recognized:
+
+diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
+index f07b9002a206526ea7f0334f5ba0071d8fffd3ae..64f0f5e80cd0fa3ae01fcf27828f97935dfb99c7 100644
+--- a/src/getcert-add-scep-ca.1.in
++++ b/src/getcert-add-scep-ca.1.in
+@@ -46,14 +46,6 @@ A CA identifier value which will passed to the server when the
+ \fIscep-submit\fR helper is used to retrieve copies of the server's
+ certificates.
+ .TP
+-\fB\-n\fR
+-The SCEP Renewal feature allows a client with a previously-issued certificate
+-to use that certificate and the associated private key to request a new
+-certificate for a different key pair, and can be used to support
+-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
+-it. This option forces the \fIscep-submit\fR helper to issue requests without
+-making use of this feature.
+-.TP
+ \fB\-v\fR
+ Be verbose about errors. Normally, the details of an error received from
+ the daemon will be suppressed if the client can make a diagnostic suggestion.
+diff --git a/src/getcert.c b/src/getcert.c
+index c84273a9bfc8730422f18ade87ce174fbbc44634..dcdbdd455dd8c61c1aeaad6a5c7feef21b56feab 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -4625,7 +4625,6 @@ static struct {
+ {"start-tracking", start_tracking},
+ {"stop-tracking", stop_tracking},
+ {"resubmit", resubmit},
+- {"rekey", rekey},
+ {"refresh", refresh},
+ {"list", list},
+ {"status", status},
+@@ -5041,8 +5040,6 @@ help(const char *twopartcmd, const char *category)
+ N_("stop monitoring a certificate\n")},
+ {"resubmit", resubmit_help,
+ N_("resubmit an in-progress enrollment request, or start a new one\n")},
+- {"rekey", rekey_help,
+- N_("generate a new private key and replace a certificate\n")},
+ {"refresh", refresh_help,
+ N_("check on the status of an in-progress enrollment request\n")},
+ {"list", list_help,
+diff --git a/src/prefs.c b/src/prefs.c
+index ab363bbc2c08f834e7fc1bede8f1cf2c50229f1c..0a8e166ce30f3b0288cd7430568ae18d0e5ab914 100644
+--- a/src/prefs.c
++++ b/src/prefs.c
+@@ -545,36 +545,11 @@ cm_prefs_nss_other_trust(void)
+ long long
+ prefs_key_end_of_life(time_t ref)
+ {
+- const char *cfg;
+- time_t tmp;
+-
+- tmp = -1;
+- cfg = cm_prefs_config(NULL, "max_key_lifetime");
+- if (cfg != NULL) {
+- if (cm_submit_u_delta_from_string(cfg, ref, &tmp) == 0) {
+- return tmp;
+- }
+- }
+ return -1;
+ }
+
+ long
+ prefs_max_key_use_count(void)
+ {
+- static long count = -2;
+- long tmp;
+- const char *cfg;
+- char *p;
+-
+- if (count == -2) {
+- count = -1;
+- cfg = cm_prefs_config(NULL, "max_key_use_count");
+- if (cfg != NULL) {
+- tmp = strtol(cfg, &p, 10);
+- if ((p != NULL) && (*p == '\0')) {
+- count = tmp;
+- }
+- }
+- }
+- return count;
++ return -1;
+ }
+diff --git a/src/scep.c b/src/scep.c
+index d3bbc050947a1a0472187503110682c9028f9c6f..11f9ae3cc193981d3c2bf986a4a5c4c7d81506f5 100644
+--- a/src/scep.c
++++ b/src/scep.c
+@@ -231,7 +231,6 @@ main(int argc, const char **argv)
+ {"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
+ {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},
+ {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},
+- {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},
+ {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
+ POPT_AUTOHELP
+ POPT_TABLEEND
+@@ -255,8 +254,6 @@ main(int argc, const char **argv)
+ message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV);
+ if (message == NULL) {
+ message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
+- } else {
+- rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
+ }
+ } else
+ if (strcasecmp(mode, CM_OP_POLL) == 0) {
+@@ -264,8 +261,6 @@ main(int argc, const char **argv)
+ message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV);
+ if (message == NULL) {
+ message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
+- } else {
+- rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);
+ }
+ } else
+ if (strcasecmp(mode, CM_OP_FETCH_SCEP_CA_CERTS) == 0) {
+diff --git a/src/submit-e.c b/src/submit-e.c
+index befd01e0fd00b8f9e239752ffbd80c985fae5057..af05efeb762933e31fecc67b1204001b7e81c697 100644
+--- a/src/submit-e.c
++++ b/src/submit-e.c
+@@ -446,12 +446,6 @@ cm_submit_e_need_scep_messages(struct cm_submit_state *state)
+ static int
+ cm_submit_e_need_rekey(struct cm_submit_state *state)
+ {
+- int status;
+- status = cm_subproc_get_exitstatus(state->subproc);
+- if (WIFEXITED(status) &&
+- (WEXITSTATUS(status) == CM_SUBMIT_STATUS_NEED_REKEY)) {
+- return 0;
+- }
+ return -1;
+ }
+
+diff --git a/src/tdbush.c b/src/tdbush.c
+index 631da3ed2bbb1f6828d576760299ad51d7e41923..aec5e9d0a36a7cb5c035e1aefda04c2b32b1e100 100644
+--- a/src/tdbush.c
++++ b/src/tdbush.c
+@@ -7117,14 +7117,6 @@ cm_tdbush_iface_request(void)
+ NULL))),
+ NULL),
+ make_interface_item(cm_tdbush_interface_method,
+- make_method("rekey",
+- request_rekey,
+- make_method_arg("working",
+- DBUS_TYPE_BOOLEAN_AS_STRING,
+- cm_tdbush_method_arg_out,
+- NULL),
+- NULL),
+- make_interface_item(cm_tdbush_interface_method,
+ make_method("resubmit",
+ request_resubmit,
+ make_method_arg("working",
+@@ -7179,7 +7171,7 @@ cm_tdbush_iface_request(void)
+ make_interface_item(cm_tdbush_interface_signal,
+ make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED,
+ NULL),
+- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
++ NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
+ }
+ return ret;
+ }
+diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out
+index bd57a01ba8725418978259018441f6a9a6672758..85d07b3baef83dbafd39c03888881cb665518733 100644
+--- a/tests/010-iterate/expected.out
++++ b/tests/010-iterate/expected.out
+@@ -398,19 +398,15 @@ HAVE_CSR
+ -START-
+ NEED_TO_SUBMIT
+ SUBMITTING
+-NEED_KEY_PAIR
++NEED_GUIDANCE
+ -STOP-
+-NEED_KEY_PAIR
++NEED_GUIDANCE
+ -START-
+-GENERATING_KEY_PAIR
+-HAVE_KEY_PAIR
+-NEED_KEYINFO
++NEED_GUIDANCE
+ -STOP-
+-NEED_KEYINFO
++NEED_GUIDANCE
+ -START-
+-READING_KEYINFO
+-HAVE_KEYINFO
+-NEED_CSR
++NEED_GUIDANCE
+ -STOP-
+
+ [Enroll until we notice we have no specified CA.]
+diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
+index 93cc4d184524c4b1aeba02a650c94d832462c236..26850efaedb966cd94ecd0db42d6adb378b47f37 100644
+--- a/tests/028-dbus/expected.out
++++ b/tests/028-dbus/expected.out
+@@ -403,9 +403,6 @@ OK
+
+
+
+-
+-
+-
+
+
+
+@@ -483,9 +480,6 @@ recently
+ 1 on /org/fedorahosted/certmonger/requests/Request2
+ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
+
+-[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
+-1
+-
+ [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.resubmit ]
+ 1
+
+diff --git a/tests/036-getcert/expected.out b/tests/036-getcert/expected.out
+index c1a13c8e058e39285ee842b173356002da2fd0e6..b6d1eaf7c733e04d5b928e7a59edeca43a27a5ef 100644
+--- a/tests/036-getcert/expected.out
++++ b/tests/036-getcert/expected.out
+@@ -11,20 +11,21 @@ certs:1
+ keys:1
+ -----BEGIN PRIVATE KEY-----
+ [Files, rekey]
+-Resubmitting "first" to "local".
+ certs:1
+ -----BEGIN CERTIFICATE-----
+ keys:1
+ -----BEGIN PRIVATE KEY-----
++ERROR: keys were not changed on rekey
++ERROR: cert was not changed on rekey
+ [Files, rekey with preserve=1]
+-Resubmitting "first" to "local".
+ certs:1
+ -----BEGIN CERTIFICATE-----
+-keys:2
+------BEGIN PRIVATE KEY-----
++keys:1
+ -----BEGIN PRIVATE KEY-----
++ERROR: keys were not changed on rekey
++ERROR: cert was not changed on rekey
++ERROR: old keys were not saved on rekey
+ [Files, rekey with jerk CA]
+-Resubmitting "first" to "jerkca".
+ certs:1
+ -----BEGIN CERTIFICATE-----
+ keys:1
+@@ -44,30 +45,31 @@ pk12util: PKCS12 EXPORT SUCCESSFUL
+ cert:1
+ key:1
+ [Database, rekey]
+-Resubmitting "first" to "local".
+ certs:1
+ keys:1
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+ cert:1
+ key:1
++ERROR: keys were not changed on rekey
++ERROR: cert was not changed on rekey
+ [Database, rekey with preserve=1]
+-Resubmitting "first" to "local".
+ certs:1
+-keys:2
++keys:1
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+ cert:1
+ key:1
++ERROR: keys were not changed on rekey
++ERROR: cert was not changed on rekey
++ERROR: old keys were not saved on rekey
+ [Database, rekey with jerk CA]
+-Resubmitting "first" to "jerkca".
+ certs:1
+-keys:3
++keys:1
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+ cert:1
+ key:1
+ [Database, rekey with jerk CA, nonpreserving]
+-Resubmitting "first" to "jerkca".
+ certs:1
+-keys:3
++keys:1
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+ cert:1
+ key:1
+diff --git a/tests/037-rekey2/expected.out b/tests/037-rekey2/expected.out
+index bd8cca7c3eedb5a02249f450451b651bb270ec24..62a1c746f86bb53fe79d1226ab9194825f7642d8 100644
+--- a/tests/037-rekey2/expected.out
++++ b/tests/037-rekey2/expected.out
+@@ -112,7 +112,7 @@ MONITORING
+ -STOP-
+ MONITORING
+ -START-
+-NEED_KEY_PAIR
++NEED_CSR
+ -STOP-
+ [Uses = 2.]
+ NEED_KEY_PAIR
+@@ -228,6 +228,6 @@ MONITORING
+ -STOP-
+ MONITORING
+ -START-
+-NEED_KEY_PAIR
++NEED_CSR
+ -STOP-
+ Test complete.
+--
+2.7.4
+
diff --git a/SOURCES/1002-Fix-CA-option-name-for-ipa-cert-request.patch b/SOURCES/1002-Fix-CA-option-name-for-ipa-cert-request.patch
new file mode 100644
index 0000000..7788e9b
--- /dev/null
+++ b/SOURCES/1002-Fix-CA-option-name-for-ipa-cert-request.patch
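Review bot: The stubbed `prefs_key_end_of_life` and `prefs_max_key_use_count` now return -1 unconditionally, but the `max_key_lifetime` and `max_key_use_count` keys are simply no longer read, so an administrator who still has them in certmonger.conf gets neither key rotation nor any diagnostic that the settings are ignored; a one-line warning when either key is present in the config would make the regression visible rather than silent. In the same spirit, `tests/036-getcert/expected.out` now bakes `ERROR: keys were not changed on rekey` and `ERROR: old keys were not saved on rekey` into the expected output, so the suite passes while printing errors — the rekey cases should be dropped or skipped rather than have their failure encoded as the expected result. The `scep.c` hunk removes the `--non-renewal` popt entry but keeps the `CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV` lookups; whether `prefer_non_renewal` and `rekey_message` still have other uses, and whether the removed `rekey` D-Bus method is reflected in the interface's introspection data, is not visible from this hunk.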
@@ -0,0 +1,38 @@
+From 6aca3545c847673a7bc3d5120378f896dc420a15 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Thu, 18 Aug 2016 18:25:49 +1000
+Subject: [PATCH] Fix CA option name for ipa cert-request
+
+The cert-request option for specifying the issuer is 'cacn', but
+certmonger is sending 'ca'. Use the correct option name.
+
+Part of: https://fedorahosted.org/certmonger/ticket/51
+---
+ src/ipa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ipa.c b/src/ipa.c
+index f8abe609a603b614067e56ebe9935472b647ed99..13ea4cadf108a86687ab3f689b1a4dd92e5f8339 100644
+--- a/src/ipa.c
++++ b/src/ipa.c
+@@ -369,7 +369,7 @@ submit:
+ }
+ /* Add the requested CA issuer named argument. */
+ if (issuer != NULL) {
+- cm_submit_x_add_named_arg_s(ctx, "ca", issuer);
++ cm_submit_x_add_named_arg_s(ctx, "cacn", issuer);
+ }
+ /* Tell the server to add entries for a principal if one
+ * doesn't exist yet. */
+@@ -389,7 +389,7 @@ submit:
+ case 3: /* invocation error - permanent */
+ if ((i == 3005) && (issuer != NULL)) {
+ /* Most likely the server didn't understand the
+- * "ca" argument. At least, at this
++ * "cacn" argument. At least, at this
+ * point. Randomly dropping arguments is not
+ * really an extensible solution, though. */
+ issuer = NULL;
+--
+2.7.4
+
diff --git a/SOURCES/certmonger-0.78.4.tar.gz.sig b/SOURCES/certmonger-0.78.4.tar.gz.sig
new file mode 100644
index 0000000..cd32a1a
Binary files /dev/null and b/SOURCES/certmonger-0.78.4.tar.gz.sig differ
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
new file mode 100644
index 0000000..bb359aa
--- /dev/null
+++ b/SPECS/certmonger.spec
@@ -0,0 +1,1097 @@
+%if 0%{?fedora} > 15 || 0%{?rhel} > 6
+%global systemd 1
+%global sysvinit 0
+%else
+%global systemd 0
+%global sysvinit 1
+%endif
+
+%if 0%{?fedora} > 15 && 0%{?fedora} < 20
+%global systemdsysv 1
+%else
+%global systemdsysv 0
+%endif
+
+%if 0%{?fedora} > 14 || 0%{?rhel} > 6
+%global tmpfiles 1
+%else
+%global tmpfiles 0
+%endif
+
+%if 0%{?fedora} > 9 || 0%{?rhel} > 5
+%global sysvinitdir %{_initddir}
+%else
+%global sysvinitdir %{_initrddir}
+%endif
+
+Name: certmonger
+Version: 0.78.4
+Release: 3%{?dist}.1
+Summary: Certificate status monitor and PKI enrollment client
+
+Group: System Environment/Daemons
+License: GPLv3+
+URL: http://certmonger.fedorahosted.org
+Source0: http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz
+Source1: http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz.sig
+BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+
+Patch0001: 0001-Stop-assuming-RSA-512-works.patch
+Patch0002: 0002-Stop-assuming-RSA-512-works-part-two.patch
+Patch0003: 0003-Add-issuer-request-option-for-specifying-issuer.patch
+Patch0004: 0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch
+Patch0005: 0005-Comment-whitespace-fixup.patch
+Patch0006: 0006-ipa-submit-Retry-without-ca-on-OptionError.patch
+Patch0007: 0007-getcert-fix-a-potential-out-of-bounds.patch
+Patch0008: 0008-Document-the-X-option-in-the-ipa-submit-man-page.patch
+Patch0009: 0009-Fix-a-flakiness-in-the-028-dbus-test.patch
+Patch0010: 0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch
+Patch0011: 0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch
+
+Patch1001: 1001-Remove-rekey-feature.patch
+Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch
+
+BuildRequires: openldap-devel
+BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel
+%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
+BuildRequires: libuuid-devel
+%else
+BuildRequires: e2fsprogs-devel
+%endif
+BuildRequires: libtalloc-devel, libtevent-devel
+%if 0%{?rhel} >= 6 || 0%{?fedora} >= 9
+BuildRequires: libcurl-devel
+%else
+BuildRequires: curl-devel
+%endif
+BuildRequires: libxml2-devel, xmlrpc-c-devel
+%if 0%{?rhel} < 6
+BuildRequires: bind-libbind-devel
+%endif
+# Required for 'make check':
+# for diff and cmp
+BuildRequires: diffutils
+# for expect
+BuildRequires: expect
+# for mktemp, which was absorbed into coreutils at some point
+BuildRequires: mktemp
+# for certutil and pk12util
+BuildRequires: nss-tools
+# for openssl
+BuildRequires: openssl
+# for dbus-launch
+BuildRequires: /usr/bin/dbus-launch
+# for dos2unix
+BuildRequires: /usr/bin/dos2unix
+BuildRequires: /usr/bin/unix2dos
+# for which
+BuildRequires: /usr/bin/which
+# for dbus tests
+BuildRequires: dbus-python
+# for popt or popt-devel, depending on the build environment
+BuildRequires: /usr/include/popt.h
+
+# we need a running system bus
+Requires: dbus
+
+%if %{systemd}
+BuildRequires: systemd-units
+Requires(post): systemd-units
+Requires(preun): systemd-units, dbus, sed
+Requires(postun): systemd-units
+%endif
+
+%if %{systemdsysv}
+Requires(post): systemd-sysv
+%global systemdsysvsave \
+# Save the current service runlevel info, in case the user wants \
+# to apply the enabled status manually later, by running \
+# "systemd-sysv-convert --apply certmonger". \
+%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||:
+%else
+%global systemdsysvsave %{nil}
+%endif
+
+%if %{sysvinit}
+Requires(post): /sbin/chkconfig, /sbin/service
+Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed
+%endif
+
+%if 0%{?fedora} >= 15
+# Certain versions of libtevent have incorrect internal ABI versions.
+Conflicts: libtevent < 0.9.13
+%endif
+
+%description
+Certmonger is a service which is primarily concerned with getting your
+system enrolled with a certificate authority (CA) and keeping it enrolled.
+
+%prep
+%autosetup -p1
+
+%if 0%{?rhel} > 0
+# Enabled by default for RHEL for bug #765600, still disabled by default for
+# Fedora pending a similar bug report there.
+sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
+%endif
+
+%build
+%configure \
+%if %{systemd}
+ --enable-systemd \
+%endif
+%if %{sysvinit}
+ --enable-sysvinit=%{sysvinitdir} \
+%endif
+%if %{tmpfiles}
+ --enable-tmpfiles \
+%endif
+ --with-homedir=/var/run/certmonger \
+ --with-tmpdir=/var/run/certmonger --enable-pie --enable-now
+# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
+# tell us about libxmlrpc_client, but we need more. Work around.
+make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/certmonger/{cas,requests}
+install -m755 -d $RPM_BUILD_ROOT/var/run/certmonger
+%{find_lang} %{name}
+
+%check
+make check
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+if test $1 -eq 1 ; then
+ killall -HUP dbus-daemon 2>&1 > /dev/null
+fi
+%if %{systemd}
+if test $1 -eq 1 ; then
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+fi
+%endif
+%if %{sysvinit}
+/sbin/chkconfig --add certmonger
+%endif
+
+%triggerin -- certmonger < 0.58
+if test $1 -gt 1 ; then
+ # If the daemon is running, remove knowledge of the dogtag renewer.
+ objpath=`dbus-send --system --reply-timeout=10000 --dest=org.fedorahosted.certmonger --print-reply=o /org/fedorahosted/certmonger org.fedorahosted.certmonger.find_ca_by_nickname string:dogtag-ipa-renew-agent 2> /dev/null | sed -r 's,^ +,,g' || true`
+ if test -n "$objpath" ; then
+ dbus-send --system --dest=org.fedorahosted.certmonger --print-reply /org/fedorahosted/certmonger org.fedorahosted.certmonger.remove_known_ca objpath:"$objpath" >/dev/null 2> /dev/null
+ fi
+ # Remove the data file, in case it isn't running.
+ for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do
+ if grep -q '^id=dogtag-ipa-renew-agent$' "$cafile" ; then
+ rm -f "$cafile"
+ fi
+ done
+fi
+exit 0
+
+%postun
+%if %{systemd}
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+ /bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :
+fi
+%endif
+%if %{sysvinit}
+if test $1 -gt 0 ; then
+ /sbin/service certmonger condrestart 2>&1 > /dev/null
+fi
+%endif
+exit 0
+
+%preun
+%if %{systemd}
+if test $1 -eq 0 ; then
+ /bin/systemctl --no-reload disable certmonger.service > /dev/null 2>&1 || :
+ /bin/systemctl stop certmonger.service > /dev/null 2>&1 || :
+fi
+%endif
+%if %{sysvinit}
+if test $1 -eq 0 ; then
+ /sbin/service certmonger stop 2>&1 > /dev/null
+ /sbin/chkconfig --del certmonger
+fi
+%endif
+exit 0
+
+%if %{systemd}
+%triggerun -- certmonger < 0.43
+%{systemdsysvsave}
+# Do this because the old package's %%postun doesn't know we need to do it.
+/sbin/chkconfig --del certmonger >/dev/null 2>&1 || :
+# Do this because the old package's %%postun wouldn't have tried.
+/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :
+exit 0
+%endif
+
+%files -f %{name}.lang
+%defattr(-,root,root,-)
+%doc README LICENSE STATUS doc/*.txt
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/*
+%{_datadir}/dbus-1/services/*
+%dir %{_sysconfdir}/certmonger
+%config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf
+%dir /var/run/certmonger
+%{_bindir}/*
+%{_sbindir}/certmonger
+%{_mandir}/man*/*
+%{_libexecdir}/%{name}
+%{_localstatedir}/lib/certmonger
+%if %{sysvinit}
+%{sysvinitdir}/certmonger
+%endif
+%if %{tmpfiles}
+%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/certmonger.conf
+%endif
+%if %{systemd}
+%{_unitdir}/*
+%{_datadir}/dbus-1/system-services/*
+%endif
+
+%changelog
+* Tue Mar 27 2018 Rob Crittenden - 0.78.4-3.1
+- Use required DER encoding when setting CA basic constraint (#1560961)
+- NSS 3.34 more strictly enforces length checking when verifying signatures
+ (#1560960)
+
+* Tue Sep 6 2016 Jan Cholasta - 0.78.4-3
+- Resolves: #1367683 getcert request command fails to use Sub CA using -X
+ argument
+ - Fix CA option name for ipa cert-request
+
+* Fri Jul 1 2016 Jan Cholasta - 0.78.4-2
+- Resolves: #1345755 Support for specifying IPA lightweight CA
+ - Add 'issuer' request option for specifying issuer
+ - Documentation: mark $CERTMONGER_CA_ISSUER as 0.79
+ - Comment/whitespace fixup
+ - ipa-submit: Retry without "ca" on OptionError
+ - getcert: fix a potential out-of-bounds
+ - Document the -X option in the ipa-submit man page
+- Resolves: #1351052 certmonger build for RHEL 7.3 failure
+ - Stop assuming RSA 512 works
+ - Stop assuming RSA 512 works, part two
+ - Fix a flakiness in the 028-dbus test
+
+* Mon Aug 10 2015 Jan Cholasta - 0.78.4-1
+- Resolves: #1249753 challenge password not added in csr using start-tracking
+- Resolves: #1250397 Remove certmonger rekey feature in 7.2
+ - Remove rekey feature
+- Related: #1205756 Rebase certmonger to 0.77 or later
+ - Update to upstream 0.78.4
+
+* Fri Jul 24 2015 Jan Cholasta - 0.78.3-1
+- Resolves: #1244914 scep ca helper does not parse command line options
+ correctly
+- Related: #1205756 Rebase certmonger to 0.77 or later
+ - Update to upstream 0.78.3
+
+* Mon Jun 22 2015 Jan Cholasta - 0.78.1-1
+- Resolves: #1140241 RFE: Add SCEP support to certmonger
+- Resolves: #1148001 ipa-getcert killed by SIGABRT
+- Resolves: #1205756 Rebase certmonger to 0.77 or later
+ - Update to upstream 0.78.1
+
+* Tue Jan 13 2015 Jan Cholasta - 0.75.14-3
+- backport change from git to correctly retrieve string values from DBus
+ property interface replies (#1181022)
+
+* Wed Nov 19 2014 Jan Cholasta - 0.75.14-2
+- backport dogtag-submit: accept additional options to pass to the server when
+ approving requests using agent creds (#1165155)
+
+* Thu Aug 28 2014 Nalin Dahyabhai 0.75.14-1
+- make pathname canonicalization slightly smarter, to handle ".." in
+ locations (#1131758)
+- updates to self-tests (#1144082)
+
+* Thu Aug 21 2014 Kevin Fenzi - 0.75.13-2
+- Rebuild for rpm bug 1131960
+
+* Mon Aug 18 2014 Nalin Dahyabhai 0.75.13-1
+- add a missing test case file (whoops)
+
+* Mon Aug 18 2014 Nalin Dahyabhai 0.75.12-1
+- correct encoding/decoding of variant-typed data which we receive and send
+ as part of the org.freedesktop.DBus.Properties interface over the bus, and
+ add some tests for them (based on patch from David Kupka, ticket #36)
+
+* Fri Aug 15 2014 Fedora Release Engineering - 0.75.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Aug 12 2014 Nalin Dahyabhai 0.75.11-1
+- when getcert is passed a -a flag, to indicate that CA root certificates
+ should be stored in the specified database, don't ignore locations which
+ don't include a storage scheme (#1129537)
+- when called to 'start-tracking' with the -a or -F flags, if we have
+ applicable certificates on-hand for a CA that we're either told to use
+ or which we decide is the correct one, save the certificates (#1129696)
+
+* Tue Aug 5 2014 Nalin Dahyabhai 0.75.10-1
+- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in
+ default.conf, and no "host" is set either, try to construct the server URI
+ using the "server" setting (#1126985)
+
+* Thu Jul 31 2014 Nalin Dahyabhai 0.75.9-1
+- avoid potential use-after-free after a CA is removed dynamically (thanks to
+ Keenan Brock) (#1125342)
+- add a "external-helper" property to CA objects
+
+* Mon Jul 21 2014 Nalin Dahyabhai 0.75.8-1
+- add a 'refresh' option to the getcert command
+- add a '-a' flag to the getcert command's 'refresh-ca' option
+
+* Thu Jul 17 2014 Nalin Dahyabhai 0.75.7-2
+- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older,
+ conditionalized it so that it's ignored on newer releases, and make
+ whether or not we call systemd-sysv-convert in triggers depend on that,
+ too (#1104138)
+
+* Thu Jul 17 2014 Nalin Dahyabhai 0.75.7-1
+- fix an inconsistency in how we parse cookie values returned by CA helpers,
+ in that single-line values would lose the end-of-line after a daemon
+ restart, but not before
+- handle timeout values and exit status values when calling CA helpers
+ in non-SUBMIT, non-POLL modes (#1118468)
+- rework how we save CA certificates so that we save CA certificates associated
+ with end-entity certificates when we save that end-entity certificate, which
+ requires running all of the involved pre- and post-save commands
+- drop package Requires: on systemd-sysv (#1104138)
+
+* Thu Jun 26 2014 Nalin Dahyabhai 0.75.6-1
+- avoid potential use-after-free and read overrun after a CA is added
+ dynamically (thanks to Jan Cholasta)
+
+* Fri Jun 20 2014 Nalin Dahyabhai 0.75.5-1
+- documentation updates
+
+* Fri Jun 20 2014 Nalin Dahyabhai 0.75.4-2
+- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA
+ when we detect certmonger versions prior to 0.58 being installed, to
+ avoid cases where some older versions choke on CAs with nicknames that
+ contain characters that can't legally be part of a D-Bus name (#948993)
+
+* Thu Jun 19 2014 Nalin Dahyabhai 0.75.4-1
+- fix creation and packaging of the "local" CA's data directory
+
+* Wed Jun 18 2014 Nalin Dahyabhai 0.75.3-1
+- read and cache whether or not we saw a noOCSPcheck extension in certificates
+- documentation updates
+
+* Mon Jun 16 2014 Nalin Dahyabhai 0.75.2-1
+- when generating keys using OpenSSL, if key generation fails, try
+ again with the default key size, in case we're in FIPS mode
+- documentation updates
+
+* Sat Jun 14 2014 Nalin Dahyabhai 0.75.1-1
+- log the state in 'getcert status' verbose mode
+
+* Fri Jun 13 2014 Nalin Dahyabhai 0.75-1
+- add a -w (wait) flag to the getcert's request/resubmit/start-tracking
+ commands, and add a non-waiting status command
+
+* Wed Jun 11 2014 Nalin Dahyabhai 0.74.96-1
+- make the trust settings we apply to CA-supplied certificates while
+ saving them to NSS databases run-time configurable
+- fix compiling against EL5-era OpenSSL
+- when saving CA certificates we pull from an IPA server, nickname
+ it using the realm name with " IPA CA" appended rather than just
+ naming it "IPA CA"
+- fix the local signer so that when it issues itself a new certificate,
+ it uses the same subject name
+- add a -w flag to getcert's request, resubmit, and start-tracking
+ commands, telling it to wait until either the certificate is issued,
+ we get to a state where we know that we won't be able to get one, or
+ we are waiting for a CA
+
+* Mon Jun 9 2014 Nalin Dahyabhai 0.74.95-1
+- add the "local" signer, a local toy CA that signs anything you'll
+ ask it to sign
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.74-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Jun 6 2014 Nalin Dahyabhai 0.74.94-1
+- fix self-test errors that we trigger with new OpenSSL
+- fix a build error that would sometimes happen when we're told to
+ build PIE binaries
+- quiet a compile warning
+
+* Thu Jun 5 2014 Nalin Dahyabhai
0.74.93-1 +- add some self-tests +- simplify the internal submit-to-CA logic +- fixes for more problems found through static analysis + +* Tue Jun 3 2014 Nalin Dahyabhai 0.74.92-1 +- retrieve CA information from CAs, if the helpers can do so, and + add a command to explicitly refresh that data: "getcert refresh-ca" +- offer to save CA certificates to files and databases, when specified with + new -a and -F flags to getcert request/resubmit/start-tracking (#1098208, + trac #31) +- add IP address subject alternate names when getcert request/resubmit + is passed the -A option (trac #35) +- read and cache the freshestCRL extension in certificates +- properly interpret KDC-unreachable errors encountered in the IPA + submission error as a server-unreachable error that we will retry, + rather than a misconfiguration error which we won't +- don't let tests get tripped up by new formatting used in dos2unix status + messages (#1099080) +- updated translations +- be explicit that we are going to use bashisms in test scripts by calling + the shell interpreter as 'bash' rather than 'sh' (trac #27) + +* Thu Apr 3 2014 Nalin Dahyabhai 0.74-1 +- also save state when we exit due to SIGHUP +- don't get tripped up when enrollment helpers hand us certificates which + include CRLF line terminators (ticket #25) +- be tolerant of certificate issuer names, subject names, DNS, email, and + Kerberos principal namem subjectAltNames, and crl distribution point URLs + that contain newlines +- read and cache the certificate template extension in certificates +- enforce different minimum key sizes depending on the type of key we're + trying to generate +- store DER versions of subject, issuer and template subject, if we have + them (Jan Cholasta, ticket #26) +- when generating signing requests with subject names that don't quite parse + as subject names, encode what we're given as PrintableString rather than + as a UTF8String +- always chdir() to a known location at startup, even if we're not 
becoming + a daemon +- fix a couple of memory leaks (static analysis) +- add missing buildrequires: on which + +* Thu Feb 20 2014 Nalin Dahyabhai 0.73-1 +- updates to 0.73 + - getcert no longer claims to be stuck when a CA is unreachable, + because the daemon isn't actually stuck + +* Mon Feb 17 2014 Nalin Dahyabhai +- updates to 0.73 + - also pass the key type to enrollment helpers in the environment as + a the value of "CERTMONGER_KEY_TYPE" + +* Mon Feb 10 2014 Nalin Dahyabhai +- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir}, + where it belongs (#1180978) + +* Mon Feb 10 2014 Nalin Dahyabhai +- updates for 0.73 + - set the flag to encode EC public key parameters using named curves + instead of the default of all-the-details when using OpenSSL + - don't break when NSS supports secp521r1 but OpenSSL doesn't + - also pass the CA nickname to enrollment helpers in the environment as + a text value in "CERTMONGER_CA_NICKNAME", so they can use that value + when reading configuration settings + - also pass the SPKAC value to enrollment helpers in the environment as + a base64 value in "CERTMONGER_SPKAC" + - also pass the request's SubjectPublicKeyInfo value to enrollment helpers + in the environment as a base64 value in "CERTMONGER_SPKI" (part of #16) + - when generating signing requests using NSS, be more accommodating of + requested subject names that don't parse properly + +* Mon Feb 3 2014 Nalin Dahyabhai 0.72-1 +- update to 0.72 + - support generating DSA parameters and keys on sufficiently-new OpenSSL + and NSS + - support generating EC keys when OpenSSL and NSS support it, using key + size to select the curve to use from among secp256r1, secp384r1, + secp521r1 (which are the ones that are usually available, though + secp521r1 isn't always, even if the other two are) + - stop trying to cache public key parameters at all and instead cache public + key info properly + - encode the friendlyName attribute in signing requests as a BMPString, + not as 
a PrintableString + - catch more filesystem permissions problems earlier (more of #996581) + +* Mon Jan 27 2014 Nalin Dahyabhai 0.71-1 +- check for cases where we fail to allocate memory while reading a request + or CA entry from disk (John Haxby) +- only handle one watch at a time, which should avoid abort() during + attempts to reconnect to the message bus after losing our connection + to it (#1055521) + +* Fri Jan 24 2014 Daniel Mach - 0.70-2 +- Mass rebuild 2014-01-24 + +* Thu Jan 2 2014 Nalin Dahyabhai 0.70-1 +- add a --with-homedir option to configure, and use it, since subprocesses + which we run and which use NSS may attempt to write to $HOME/.pki, and + 0.69's strategy of setting that to "/" was rightly hitting SELinux policy + denials (#1047798) + +* Fri Dec 27 2013 Daniel Mach - 0.69-2 +- Mass rebuild 2013-12-27 + +* Mon Dec 9 2013 Nalin Dahyabhai 0.69-1 +- tweak how we decide whether we're on the master or a minion when we're + told to use certmaster as a CA +- clean up one of the tests so that it doesn't have to work around internal + logging producing duplicate messages +- when logging errors while setting up to contact xmlrpc servers, explicitly + note that the error is client-side +- don't abort() due to incorrect locking when an attempt to save an issued + certificate to the designated location fails (part of #1032760/#1033333, + ticket #22) +- when reading an issued certificate from an enrollment helper, ignore + noise before or after the certificate itself (more of #1032760/1033333, + ticket #22) +- run subprocesses in a cleaned-up environment (more of #1032760/1033333, + ticket #22) +- clear the ca-error that we saved when we had an error talking to the CA if we + subsequently succeed in talking to the CA +- various other static-analysis fixes + +* Thu Aug 29 2013 Nalin Dahyabhai 0.68-1 +- notice when the OpenSSL RNG isn't seeded +- notice when saving certificates or keys fails due to filesystem-related + permission denial (#996581) + +* Tue Aug 
6 2013 Nalin Dahyabhai 0.67-3 +- pull up a patch from master to adapt self-tests to certutil's diagnostic + output having changed (#992050) + +* Sat Aug 03 2013 Fedora Release Engineering - 0.67-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Mar 11 2013 Nalin Dahyabhai 0.67-1 +- when saving certificates to NSS databases, try to preserve the trust + value assigned to a previously-present certificate with the same nickname + and subject, if one is found +- when saving certificates to NSS databases, also prune certificates from + the database which have both the same nickname and subject as the one + we're adding, to avoid tripping up tools that only fetch one certificate + by nickname + +* Wed Feb 13 2013 Fedora Release Engineering - 0.65-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 23 2013 Nalin Dahyabhai 0.66-1 +- build as position-independent executables with early binding (#883966) +- also don't tag the unit file as a configuration file (internal tooling) + +* Wed Jan 23 2013 Nalin Dahyabhai 0.65-2 +- don't tag the D-Bus session .service file as a configuration file (internal + tooling) + +* Tue Jan 8 2013 Nalin Dahyabhai 0.65-1 +- fix a crash in the self-tests + +* Tue Jan 8 2013 Nalin Dahyabhai 0.64-1 +- at startup, if we resume the state machine for a given certificate to a state + which expects to have the newly-added lock already acquired, acquire it + before moving on with the certificate's work (still aimed at fixing #883484) + +* Tue Dec 18 2012 Nalin Dahyabhai 0.63-1 +- serialize access to NSS databases and the running of pre- and post-save + commands which might also access them (possibly fixing part of #883484) + +* Thu Nov 29 2012 Nalin Dahyabhai 0.62-1 +- add a -u flag to getcert to enable requesting a keyUsage extension value +- request subjectKeyIdentifier extensions from CAs, and include them in + self-signed certificates +- request basicConstraints from CAs, defaulting to 
requests for end-entity + certificates +- when requesting CA certificates, also request authorityKeyIdentifier +- add support for requesting CRL distribution point and authorityInfoAccess + extensions that specify OCSP responder locations +- don't crash when OpenSSL can't build a template certificate from a request + when we're in FIPS mode +- put NSS in FIPS mode, when the system booted that way, except when we're + trying to write certificates to a database +- fix CSR generation and self-signing in FIPS mode with NSS +- fix self-signing in FIPS mode with OpenSSL +- new languages from the translation team: mai, ml, nn, ga + +* Tue Nov 27 2012 Nalin Dahyabhai 0.61-3 +- backport change from git to not choke if X509_REQ_to_X509() fails when we're + self-signing using OpenSSL +- backport another change from git to represent this as a CA-rejected error + +* Mon Sep 24 2012 Nalin Dahyabhai 0.61-1 +- fix a regression in reading old request tracking files where the + request was in state NEED_TO_NOTIFY or NOTIFYING + +* Wed Sep 5 2012 Nalin Dahyabhai 0.60-1 +- adjust internals of logic for talking to dogtag to at least have a + concept of non-agent cases +- when talking to an IPA server's internal Dogtag instance, infer which + ports the CA is listening on from the "dogtag_version" setting in the + IPA configuration (Ade Lee) +- send a notification (or log a message, whatever) when we save a new + certificate (#766167) + +* Mon Jul 30 2012 Nalin Dahyabhai +- fix a bad %%preun scriptlet + +* Wed Jul 18 2012 Fedora Release Engineering - 0.59-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jun 29 2012 Nalin Dahyabhai 0.59-1 +- mostly documentation updates + +* Fri Jun 29 2012 Nalin Dahyabhai 0.58-1 +- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using + an IPA server's internal Dogtag instance +- export the requested profile and old certificate to enrollment helpers +- make libxml and libcurl into hard build-time 
requirements +- serialize all pre/save/post sequences to make sure that stop/save/start + doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping + a service while we muck with more than one of its certificates + +* Fri Jun 15 2012 Nalin Dahyabhai +- add a command option (-T) to getcert for specifying which enrollment + profile to tell a CA that we're using, in case it cares (#10) + +* Thu Jun 14 2012 Nalin Dahyabhai 0.57-1 +- clarify that the command passed to getcert -C is a "post"-save command +- add a "pre"-save command option to getcert, specified with the -B flag (#9) +- after we notify of an impending not-valid-after approaching, don't do it + again immediately + +* Sat Mar 3 2012 Nalin Dahyabhai 0.56-1 +- when a caller sets the is-default flag on a CA, and another CA is no longer + the default, emit the PropertiesChanged signal on the CA which is not the + default, instead on the new default a second time +- drop some dead code from the D-Bus message handlers (static analysis, + #796813) +- cache public keys when we read private keys +- go back to printing an error indicating that we're missing a required + argument when we're missing a required argument, not that the option is + invalid (broken since 0.51, #796542) + +* Wed Feb 15 2012 Nalin Dahyabhai 0.55-1 +- allow root to use our implementation of org.freedesktop.DBus.Properties +- take more care to not emit useless PropertiesChanged signals + +* Wed Feb 15 2012 Nalin Dahyabhai 0.54-1 +- fix setting the group ID when spawning the post-save command + +* Tue Feb 14 2012 Nalin Dahyabhai 0.53-1 +- large changes to the D-Bus glue, exposing a lot of data which we were + providing via D-Bus getter methods as properties, and providing more + accurate introspection data +- emit a signal when the daemon saves a certificate to the destination + location, and provide an option to have the daemon spawn an arbitrary + command at that point, too (#766167) +- enable starting the service by default on 
RHEL (#765600) + +* Thu Jan 12 2012 Fedora Release Engineering - 0.52-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Dec 16 2011 Nalin Dahyabhai 0.52-1 +- note that SELinux usually confines us to writing only to cert_t in + doc/getting-started.txt (#765599) +- fix crashes when we add a request during our first run when we're + populating the hard-coded CA list +- properly deal with cases where a path is passed to us is "./XXX" +- in session mode, create our data directories as we go + +* Tue Dec 6 2011 Nalin Dahyabhai 0.51-1 +- api: lift restrictions on characters used in request and CA nicknames by + making their object names not incorporate their nicknames +- api: add find_request_by_nickname and find_ca_by_nickname +- certmonger-ipa-submit.8: list -k, -K, -t in the summary, document -K +- getcert: print "invalid option" error messages ourselves (#756291) +- ipa-submit: supply a Referer: header when submitting requests to IPA + (#750617, needed for #747710) + +* Fri Oct 14 2011 Nalin Dahyabhai 0.50-1 +- really fix these this time: + - getcert: error out when "list -c" finds no matching CA (#743488) + - getcert: error out when "list -i" finds no matching request (#743485) + +* Wed Oct 12 2011 Nalin Dahyabhai 0.49-1 +- when using an NSS database, skip loading the module database (#743042) +- when using an NSS database, skip loading root certs +- generate SPKAC values when generating CSRs, though we don't do anything + with SPKAC values yet +- internally maintain and use challenge passwords, if we have them +- behave better when certificates have shorter lifetimes +- add/recognize/handle notification type "none" +- getcert: error out when "list -c" finds no matching CA (#743488) +- getcert: error out when "list -i" finds no matching request (#743485) + +* Thu Sep 29 2011 Nalin Dahyabhai 0.48-1 +- don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated + array (#742348) + +* Tue Sep 27 2011 Nalin Dahyabhai 0.47-1 +- 
getcert: distinguish between {stat() succeeds but isn't a directory} and + {stat() failed} when printing an error message (#739903) +- getcert resubmit/start-tracking: when we're looking for an existing request + by ID, and we don't find one, note that specifically (#741262) + +* Mon Aug 29 2011 Stephen Gallagher - 0.46-1.1 +- Rebuild against fixed libtevent version + +* Mon Aug 15 2011 Nalin Dahyabhai 0.46-1 +- treat the ability to access keys in an NSS database without using a PIN, + when we've been told we need one, as an error (#692766, really this time) + +* Thu Aug 11 2011 Nalin Dahyabhai 0.45-1 +- modify the systemd .service file to be a proper 'dbus' service (more + of #718172) + +* Thu Aug 11 2011 Nalin Dahyabhai 0.44-1 +- check specifically for cases where a specified token that we need to + use just isn't present for whatever reason (#697058) + +* Wed Aug 10 2011 Nalin Dahyabhai 0.43-1 +- add a -K option to ipa-submit, to use the current ccache, which makes + it easier to test + +* Fri Aug 5 2011 Nalin Dahyabhai +- if xmlrpc-c's struct xmlrpc_curl_xportparms has a gss_delegate field, set + it to TRUE when we're doing Negotiate auth (#727864, #727863, #727866) + +* Wed Jul 13 2011 Nalin Dahyabhai +- treat the ability to access keys in an NSS database without using a PIN, + when we've been told we need one, as an error (#692766) +- when handling "getcert resubmit" requests, if we don't have a key yet, + make sure we go all the way back to generating one (#694184) +- getcert: try to clean up tests for NSS and PEM file locations (#699059) +- don't try to set reconnect-on-exit policy unless we managed to connect + to the bus (#712500) +- handle cases where we specify a token but the storage token isn't + known (#699552) +- getcert: recognize -i and storage options to narrow down which requests + the user wants to know about (#698772) +- output hints when the daemon has startup problems, too (#712075) +- add flags to specify whether we're bus-activated or not, 
so that we can + exit if we have nothing to do after handling a request received over + the bus if some specified amount of time has passed +- explicitly disallow non-root access in the D-Bus configuration (#712072) +- migrate to systemd on releases newer than Fedora 15 or RHEL 6 (#718172) +- fix a couple of incorrect calls to talloc_asprintf() (#721392) + +* Wed Apr 13 2011 Nalin Dahyabhai 0.42-1 +- getcert: fix a buffer overrun preparing a request for the daemon when + there are more parameters to encode than space in the array (#696185) +- updated translations: de, es, id, pl, ru, uk + +* Mon Apr 11 2011 Nalin Dahyabhai 0.41-1 +- read information about the keys we've just generated before proceeding + to generating a CSR (part of #694184, part of #695675) +- when processing a "resubmit" request from getcert, go back to key + generation if we don't have keys yet, else go back to CSR generation as + before (#694184, #695675) +- configure with --with-tmpdir=/var/run/certmonger and own /var/run/certmonger + (#687899), and add a systemd tmpfiles.d control file for creating + /var/run/certmonger on Fedora 15 and later +- let session instances exit when they get disconnected from the bus +- use a lock file to make sure there's only one session instance messing + around with the user's files at a time +- fix errors saving certificates to NSS databases when there's already a + certificate there with the same nickname (#695672) +- make key and certificate location output from 'getcert list' more properly + translatable (#7) + +* Mon Mar 28 2011 Nalin Dahyabhai 0.40-1 +- update to 0.40 + - fix validation check on EKU OIDs in getcert (#691351) + - get session bus mode sorted + - add a list of recognized EKU values to the getcert-request man page + +* Fri Mar 25 2011 Nalin Dahyabhai 0.39-1 +- update to 0.39 + - fix use of an uninitialized variable in the xmlrpc-based submission + helpers (#690886) + +* Thu Mar 24 2011 Nalin Dahyabhai 0.38-1 +- update to 0.38 + - catch cases 
where we can't read a PIN file, but we never have to log + in to the token to access the private key (more of #688229) + +* Tue Mar 22 2011 Nalin Dahyabhai 0.37-1 +- update to 0.37 + - be more careful about checking if we can read a PIN file successfully + before we even call an API that might need us to try (#688229) + - fix strict aliasing warnings + +* Tue Mar 22 2011 Nalin Dahyabhai 0.36-1 +- update to 0.36 + - fix some use-after-free bugs in the daemon (#689776) + - fix a copy/paste error in certmonger-ipa-submit(8) + - getcert now suppresses error details when not given its new -v option + (#683926, more of #681641/#652047) + - updated translations + - de, es, pl, ru, uk + - indonesian translation is now for "id" rather than "in" + +* Wed Mar 2 2011 Nalin Dahyabhai 0.35.1-1 +- fix a self-test that broke because one-year-from-now is now a day's worth + of seconds further out than it was a few days ago + +* Mon Feb 14 2011 Nalin Dahyabhai 0.35-1 +- update to 0.35 + - self-test fixes to rebuild properly in mock (#670322) + +* Tue Feb 08 2011 Fedora Release Engineering - 0.34-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Jan 14 2011 Nalin Dahyabhai 0.34-1 +- update to 0.34 + - explicitly note the number of requests we're tracking in the output of + "getcert list" (#652049) + - try to offer some suggestions when we get certain specific errors back + in "getcert" (#652047) + - updated translations + - es + +* Thu Dec 23 2010 Nalin Dahyabhai 0.33-1 +- update to 0.33 + - new translations + - id by Okta Purnama Rahadian! 
+ - updated translations + - pl, uk + - roll up assorted fixes for defects + +* Fri Nov 12 2010 Nalin Dahyabhai 0.32-2 +- depend on the e2fsprogs libuuid on Fedora and RHEL releases where it's + not part of util-linux-ng + +* Wed Oct 13 2010 Nalin Dahyabhai 0.32-1 +- oops, rfc5280 says we shouldn't be populating unique identifiers, so + make it a configuration option and default the behavior to off + +* Tue Oct 12 2010 Nalin Dahyabhai 0.31-1 +- start populating the optional unique identifier fields in self-signed + certificates + +* Thu Sep 30 2010 Nalin Dahyabhai 0.30-4 +- explicitly require "dbus" to try to ensure we have a running system bus + when we get started (#639126) + +* Wed Sep 29 2010 jkeating - 0.30-3 +- Rebuilt for gcc bug 634757 + +* Thu Sep 23 2010 Nalin Dahyabhai 0.30-2 +- try to SIGHUP the messagebus daemon at first install so that it'll + let us claim our service name if it isn't restarted before we are + first started (#636876) + +* Wed Aug 25 2010 Nalin Dahyabhai 0.30-1 +- update to 0.30 + - fix errors computing the time at the end of an interval that were + caught by self-tests + +* Mon Aug 23 2010 Nalin Dahyabhai 0.29-1 +- update to 0.29 + - fix 64-bit cleanliness issue using libdbus + - actually include the full set of tests in tarballs + +* Tue Aug 17 2010 Nalin Dahyabhai 0.28-1 +- update to 0.28 + - fix self-signing certificate notBefore and notAfter values on 32-bit + machines + +* Tue Aug 17 2010 Nalin Dahyabhai 0.27-1 +- update to 0.27 + - portability and test fixes + +* Fri Aug 13 2010 Nalin Dahyabhai 0.26-1 +- update to 0.26 + - when canceling a submission request that's being handled by a helper, + reap the child process's status after killing it (#624120) + +* Fri Aug 13 2010 Nalin Dahyabhai 0.25-1 +- update to 0.25 + - new translations + - in by Okta Purnama Rahadian! 
+ - fix detection of cases where we can't access a private key in an NSS + database because we don't have the PIN + - teach '*getcert start-tracking' about the -p and -P options which the + '*getcert request' commands already understand (#621670), and also + the -U, -K, -E, and -D flags + - double-check that the nicknames of keys we get back from + PK11_ListPrivKeysInSlot() match the desired nickname before accepting + them as matches, so that our tests won't all blow up on EL5 + - fix dynamic addition and removal of CAs implemented through helpers + +* Mon Jun 28 2010 Nalin Dahyabhai 0.24-4 +- init script: ensure that the subsys lock is created whenever we're called to + "start" when we're already running (even more of #596719) + +* Tue Jun 15 2010 Nalin Dahyabhai 0.24-3 +- more gracefully handle manual daemon startups and cleaning up of unexpected + crashes (still more of #596719) + +* Thu Jun 10 2010 Nalin Dahyabhai 0.24-2 +- don't create the daemon pidfile until after we've connected to the D-Bus + (still more of #596719) + +* Tue Jun 8 2010 Nalin Dahyabhai 0.24-1 +- update to 0.24 + - keep the lock on the pid file, if we have one, when we fork, and cancel + daemon startup if we can't gain ownership of the lock (the rest of #596719) + - make the man pages note which external configuration files we consult when + submitting requests to certmaster and ipa CAs + +* Thu May 27 2010 Nalin Dahyabhai 0.23-1 +- update to 0.23 + - new translations + - pl by Piotr Drąg! + - cancel daemon startup if we can't gain ownership of our well-known + service name on the DBus (#596719) + +* Fri May 14 2010 Nalin Dahyabhai 0.22-1 +- update to 0.22 + - new translations + - de by Fabian Affolter! 
+ - certmaster-submit: don't fall over when we can't find a certmaster.conf + or a minion.conf (i.e., certmaster isn't installed) (#588932) + - when reading extension values from certificates, prune out duplicate + principal names, email addresses, and hostnames + +* Tue May 4 2010 Nalin Dahyabhai 0.21-1 +- update to 0.21 + - getcert/*-getcert: relay the desired CA to the local service, whether + specified on the command line (in getcert) or as a built-in hard-wired + default (in *-getcert) (#584983) + - flesh out the default certmonger.conf so that people can get a feel for + the expected formatting (Jenny Galipeau) + +* Wed Apr 21 2010 Nalin Dahyabhai 0.20-1 +- update to 0.20 + - correctly parse certificate validity periods given in years (spotted by + Stephen Gallagher) + - setup for translation + - es by Héctor Daniel Cabrera! + - ru by Yulia Poyarkova! + - uk by Yuri Chornoivan! + - fix unpreprocessed defaults in certmonger.conf's man page + - tweak the IPA-specific message that indicates a principal name also needs + to be specified if we're not using the default subject name (#579542) + - make the validity period of self-signed certificates into a configuration + setting and not a piece of the state information we track about the signer + - init script: exit with status 2 instead of 1 when invoked with an + unrecognized argument (#584517) + +* Tue Mar 23 2010 Nalin Dahyabhai 0.19-1 +- update to 0.19 + - correctly initialize NSS databases that need to be using a PIN + - add certmonger.conf, for customizing notification timings and settings, + and use of digests other than the previously-hard-coded SHA256, and + drop those settings from individual requests + - up the default self-sign validity interval from 30 days to 365 days + - drop the first default notification interval from 30 days to 28 days + (these two combined to create a fun always-reissuing loop earlier) + - record the token which contains the key or certificate when we're + storing them in an NSS 
database, and report it + - improve handling of cases where we're supposed to use a PIN but we + either don't have one or we have the wrong one + - teach getcert to accept a PIN file's name or a PIN value when adding + a new entry + - update the IPA submission helper to use the new 'request_cert' signature + that's landing soon + - more tests + +* Fri Feb 12 2010 Nalin Dahyabhai 0.18-1 +- update to 0.18 + - add support for using encrypted storage for keys, using PIN values + supplied directly or read from files whose names are supplied + - don't choke on NSS database locations that use the "sql:" or "dbm:" + prefix + +* Mon Jan 25 2010 Nalin Dahyabhai 0.17-2 +- make the D-Bus configuration file (noreplace) (#541072) +- make the %%check section and the deps we have just for it conditional on + the same macro (#541072) + +* Wed Jan 6 2010 Nalin Dahyabhai 0.17-1 +- update to 0.17 + - fix a hang in the daemon (Rob Crittenden) + - documentation updates + - fix parsing of submission results from IPA (Rob Crittenden) + +* Fri Dec 11 2009 Nalin Dahyabhai 0.16-1 +- update to 0.16 + - set a umask at startup (Dan Walsh) + +* Tue Dec 8 2009 Nalin Dahyabhai 0.15-1 +- update to 0.15 + - notice that a directory with a trailing '/' is the same location as the + directory without it + - fix handling of the pid file when we write one (by actually giving it + contents) + +* Wed Nov 25 2009 Nalin Dahyabhai 0.14-1 +- update to 0.14 + - check key and certificate location at add-time to make sure they're + absolute paths to files or directories, as appropriate + - IPA: dig into the 'result' item if the named result value we're looking + for isn't in the result struct + +* Tue Nov 24 2009 Nalin Dahyabhai 0.13-1 +- update to 0.13 + - change the default so that we default to trying to auto-refresh + certificates unless told otherwise + - preemptively enforce limitations on request nicknames so that they + make valid D-Bus object path components + +* Tue Nov 24 2009 Nalin Dahyabhai 0.12-1 +- 
update to 0.12 + - add a crucial bit of error reporting when CAs reject our requests + - count the number of configured CAs correctly + +* Mon Nov 23 2009 Nalin Dahyabhai 0.11-1 +- update to 0.11 + - add XML-RPC submission for certmaster and IPA + - prune entries with duplicate names from the data store + +* Fri Nov 13 2009 Nalin Dahyabhai 0.10-1 +- update to 0.10 + - add some compiler warnings and then fix them + +* Fri Nov 13 2009 Nalin Dahyabhai 0.9-1 +- update to 0.9 + - run external submission helpers correctly + - fix signing of signing requests generated for keys stored in files + - only care about new interface and route notifications from netlink, + and ignore notifications that don't come from pid 0 + - fix logic for determining expiration status + - correct the version number in self-signed certificates + +* Tue Nov 10 2009 Nalin Dahyabhai 0.8-1 +- update to 0.8 + - encode windows UPN values in requests correctly + - watch for netlink routing changes and restart stalled submission requests + - 'getcert resubmit' can force a regeneration of the CSR and submission + +* Fri Nov 6 2009 Nalin Dahyabhai 0.7-1 +- update to 0.7 + - first cut at a getting-started document + - refactor some internal key handling with NSS + - check for duplicate request nicknames at add-time + +* Tue Nov 3 2009 Nalin Dahyabhai 0.6-1 +- update to 0.6 + - man pages + - 'getcert stop-tracking' actually makes the server forget now + - 'getcert request -e' was redundant, dropped the -e option + - 'getcert request -i' now sets the request nickname + - 'getcert start-tracking -i' now sets the request nickname + +* Mon Nov 2 2009 Nalin Dahyabhai 0.5-1 +- update to 0.5 + - packaging fixes + - add a selfsign-getcert client + - self-signed certs now get basic constraints and their own serial numbers + - accept id-ms-kp-sc-logon as a named EKU value in a request + +* Thu Oct 29 2009 Nalin Dahyabhai 0.4-1 +- update to 0.4 + +* Thu Oct 22 2009 Nalin Dahyabhai 0.1-1 +- update to 0.1 + +* Sun Oct 
18 2009 Nalin Dahyabhai 0.0-1 +- initial package