diff --git a/SOURCES/0003-Temporarily-disable-the-csrgen-tests.patch b/SOURCES/0003-Temporarily-disable-the-csrgen-tests.patch deleted file mode 100644 index 7f82fb9..0000000 --- a/SOURCES/0003-Temporarily-disable-the-csrgen-tests.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 0228a6e2d2ef28ab26a722ed893dc8eed4e751fe Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 18 May 2021 18:03:52 -0400 -Subject: [PATCH 2/3] Temporarily disable the csrgen tests - -They fail due to BZ https://bugzilla.redhat.com/show_bug.cgi?id=1961687 ---- - tests/Makefile.am | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 013d34bf..f53bb4cd 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -359,8 +359,6 @@ subdirs = \ - 001-keyiread \ - 001-keyiread-rsa \ - 002-keygen-rsa \ -- 003-csrgen \ -- 003-csrgen-rsa \ - 004-selfsign \ - 004-selfsign-rsa \ - 005-dbusm \ -@@ -425,7 +423,6 @@ if HAVE_EC - subdirs += \ - 001-keyiread-ec \ - 002-keygen-ec \ -- 003-csrgen-ec \ - 004-selfsign-ec - endif - --- -2.26.3 - diff --git a/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch b/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch new file mode 100644 index 0000000..2016234 --- /dev/null +++ b/SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch @@ -0,0 +1,46 @@ +From f6672effea3cf9e50d6d3f29c1fbfbf6b1578e06 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 28 Sep 2021 10:01:35 -0400 +Subject: [PATCH] Add compile check for EVP_PKEY_get_id along with EVP_PKEY_id + +EVP_PKEY_id is no longer available as a function, only as a preprocessor +macro, so AC_CHECK_FUNCS cannot recognize it. + +This was changed in OpenSSL 3.0.0-beta2 + +https://bugzilla.redhat.com/show_bug.cgi?id=2008451 + +Signed-off-by: Rob Crittenden +--- + configure.ac | 1 + + src/util-o.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 8bfa3fa..3b413a1 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -374,6 +374,7 @@ if ! ${configure_dist_target_only:-false} ; then + AC_CHECK_FUNCS(ASN1_TIME_set) + AC_CHECK_FUNCS(EVP_PKEY_base_id) + AC_CHECK_FUNCS(EVP_PKEY_id) ++ AC_CHECK_FUNCS(EVP_PKEY_get_id) + AC_CHECK_FUNCS(OBJ_get0_data) + AC_CHECK_FUNCS(OBJ_length) + AC_CHECK_FUNCS(X509_ATTRIBUTE_get0_object) +diff --git a/src/util-o.c b/src/util-o.c +index 2208ab6..db45964 100644 +--- a/src/util-o.c ++++ b/src/util-o.c +@@ -329,7 +329,7 @@ util_ASN1_TIME_set(ASN1_TIME *str, time_t t) + int + util_EVP_PKEY_id(const EVP_PKEY *pkey) + { +-#ifdef HAVE_EVP_PKEY_ID ++#if defined(HAVE_EVP_PKEY_ID) || defined(HAVE_EVP_PKEY_GET_ID) + return EVP_PKEY_id(pkey); + #else + return pkey->type; +-- +2.31.1 + diff --git a/SOURCES/0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch b/SOURCES/0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch new file mode 100644 index 0000000..3ebf548 --- /dev/null +++ b/SOURCES/0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch @@ -0,0 +1,123 @@ +From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 9 Jul 2021 20:49:28 +0000 +Subject: [PATCH] Add SCEP config option to treat the challenge password as an + OTP + +SCEP RFC 8894 specifies that a challenge password SHOULD be +removed from subsequent requests but that it MAY be included. + +This adds a new configuration option to treat the challenge password +as a one-time password (OTP) so that it will not be sent on +subsequent requests, like renewals, by removing it completely +from the tracking request. + +This allows certmonger to be able to renew AD-issued SCEP certificates +if the AD registry entry DisableRenewalSubjectNameMatch is set to 1. + +https://bugzilla.redhat.com/show_bug.cgi?id=1577570 + +Signed-off-by: Rob Crittenden +--- + src/certmonger.conf.5.in | 9 +++++++++ + src/certsave.c | 13 +++++++++++++ + src/prefs.c | 15 +++++++++++++++ + src/prefs.h | 4 ++++ + 4 files changed, 41 insertions(+) + +diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in +index 6a42d3cb..1b941b9d 100644 +--- a/src/certmonger.conf.5.in ++++ b/src/certmonger.conf.5.in +@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the + \fIselfsign\fR section, if one is set there, will be used. The default value + is \fI@CM_DEFAULT_CERT_LIFETIME@\fR. + ++.SH SCEP ++Within the \fIscep\fR section, these variables and values are recognized: ++ ++.IP challenge_password_otp ++This controls whether the SCEP challenge password is treated as a one-time ++password. If set to yes then the challenge password and/or challenge password ++file will be removed from the tracking request after the first certificate ++issuance so will not be sent with renewal requests. The default is no. ++ + .SH BUGS + Please file tickets for any that you find at https://fedorahosted.org/certmonger/ + +diff --git a/src/certsave.c b/src/certsave.c +index 6eaafe59..f8503662 100644 +--- a/src/certsave.c ++++ b/src/certsave.c +@@ -18,12 +18,25 @@ + #include "config.h" + #include "certsave.h" + #include "certsave-int.h" ++#include "prefs.h" + #include "store-int.h" ++#include "talloc.h" + + /* Start writing the certificate from the entry to the configured location. */ + struct cm_certsave_state * + cm_certsave_start(struct cm_store_entry *entry) + { ++ /* If saving a SCEP certificate wipe out the challenge password */ ++ if ((cm_prefs_scep_password_otp()) && ++ (entry->cm_template_challenge_password != NULL) && ++ (entry->cm_scep_nonce != NULL)) ++ { ++ talloc_free(entry->cm_template_challenge_password); ++ entry->cm_template_challenge_password = NULL; ++ talloc_free(entry->cm_template_challenge_password_file); ++ entry->cm_template_challenge_password_file = NULL; ++ } ++ + switch (entry->cm_cert_storage_type) { + #ifdef HAVE_OPENSSL + case cm_cert_storage_file: +diff --git a/src/prefs.c b/src/prefs.c +index 669e8f1f..52ffc908 100644 +--- a/src/prefs.c ++++ b/src/prefs.c +@@ -595,3 +595,18 @@ prefs_max_key_use_count(void) + } + return count; + } ++ ++int ++cm_prefs_scep_password_otp(void) ++{ ++ static int populate = -1; ++ if (populate == -1) { ++ const char *val; ++ val = cm_prefs_config("scep", "challenge_password_otp"); ++ if (val == NULL) { ++ val = "no"; ++ } ++ populate = cm_prefs_yesno(val); ++ } ++ return populate != -1 ? populate : 0; ++} +diff --git a/src/prefs.h b/src/prefs.h +index 248e1016..a107fb6c 100644 +--- a/src/prefs.h ++++ b/src/prefs.h +@@ -18,6 +18,8 @@ + #ifndef cmprefs_h + #define cmprefs_h + ++#include ++ + enum cm_prefs_cipher { + cm_prefs_aes128, + cm_prefs_aes192, +@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void); + long long prefs_key_end_of_life(time_t ref); + long prefs_max_key_use_count(void); + ++int cm_prefs_scep_password_otp(void); ++ + #endif +-- +2.31.1 + diff --git a/SOURCES/0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch b/SOURCES/0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch new file mode 100644 index 0000000..fd30ffb --- /dev/null +++ b/SOURCES/0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch @@ -0,0 +1,37 @@ +From b4c090d2e12956a2df6157592839936adf4024f4 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 12 Aug 2021 16:26:09 -0400 +Subject: [PATCH] Fix file descriptor leak when executing CA helpers + +cm_cadata_start_generic() creates a pipe. One half is passed +to fetch(), the function that does all helper calls, +via the cm_cadata_state variable ret. The other half is the +reader and is used to detect execution errors. There is a pair +of write/read on this descriptor which on error would be the +errno. + +This second half wasn't being closed after reading to test for +errors. + +https://bugzilla.redhat.com/show_bug.cgi?id=1992439 + +Signed-off-by: Rob Crittenden +--- + src/cadata.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/cadata.c b/src/cadata.c +index cb9c13e2..c2764d3b 100644 +--- a/src/cadata.c ++++ b/src/cadata.c +@@ -773,6 +773,7 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op, + ca->cm_ca_external_helper, strerror(u)); + /* return the state so the process can be reaped */ + } ++ close(error_fd[0]); + return ret; + } + +-- +2.31.1 + diff --git a/SOURCES/0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch b/SOURCES/0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch new file mode 100644 index 0000000..e8db81a --- /dev/null +++ b/SOURCES/0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch @@ -0,0 +1,80 @@ +From 46cd5a7d9434ed104093152bdf0a55404e6a1c6b Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 5 Oct 2021 11:04:10 -0400 +Subject: [PATCH] Update csrgen test to understand OpenSSL 3.0.0 output + +OpenSSL 3.0.0 change a lot of output messages. When verifying +a certificate instead of printing just "verify OK" it prints +"Certificate request self-signature verify OK" + +Modify the check to match both OpenSSL 1.x and 3.x + +Related: https://pagure.io/certmonger/issue/223 + +Signed-off-by: Rob Crittenden +--- + tests/003-csrgen-ec/run.sh | 4 ++-- + tests/003-csrgen-rsa/run.sh | 4 ++-- + tests/003-csrgen/run.sh | 4 ++-- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh +index 91117ec8..7c0505f8 100755 +--- a/tests/003-csrgen-ec/run.sh ++++ b/tests/003-csrgen-ec/run.sh +@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss. + openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der + # The RSA tests already verify the contents of the requests, so we really only + # need to care about the signatures passing verification. +-openssl req -verify -noout < csr.nss.$size 2>&1 +-openssl req -verify -noout < csr.openssl.$size 2>&1 ++openssl req -verify -noout -noenc < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //' ++openssl req -verify -noout -noenc < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //' + openssl spkac -verify -noout < spkac.nss.$size 2>&1 + openssl spkac -verify -noout < spkac.openssl.$size 2>&1 + openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1 +diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh +index bb8ebecb..4f0c0ef0 100755 +--- a/tests/003-csrgen-rsa/run.sh ++++ b/tests/003-csrgen-rsa/run.sh +@@ -118,14 +118,14 @@ iterate() { + echo key_pubkey=616263 >> entry.openssl.$size + $toolsdir/csrgen entry.nss.$size > csr.nss.$size + # Both should verify. +- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then ++ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then + echo Signature failed for OpenSSL: + cat csr.openssl.$size + echo Private key: + awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size + exit 1 + fi +- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then ++ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then + echo Signature failed for NSS: + cat csr.nss.$size + echo Private key: +diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh +index d3dfbaf0..093beabf 100755 +--- a/tests/003-csrgen/run.sh ++++ b/tests/003-csrgen/run.sh +@@ -170,14 +170,14 @@ iterate() { + echo key_pubkey=616263 >> entry.openssl.$size + $toolsdir/csrgen entry.nss.$size > csr.nss.$size + # Both should verify. +- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then ++ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then + echo Signature failed for OpenSSL: + cat csr.openssl.$size + echo Private key: + awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size + exit 1 + fi +- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then ++ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then + echo Signature failed for NSS: + cat csr.nss.$size + echo Private key: +-- +2.31.1 + diff --git a/SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch b/SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch new file mode 100644 index 0000000..9264e87 --- /dev/null +++ b/SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch @@ -0,0 +1,280 @@ +From e3e4679693efc60bc7a25983909ddfa6883ab2ec Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Mon, 4 Oct 2021 18:52:53 +0200 +Subject: [PATCH] Use implicit, empty FALSE for extensions + +Cemplate had a bug that caused certmonger to create CSRs with invalid DER. +It was encoding extension's critical element even for default value FALSE. + +Fixes: https://pagure.io/certmonger/issue/223 +Signed-off-by: Christian Heimes +--- + src/certext.c | 7 +- + tests/003-csrgen-rsa/expected.out | 82 ++++++++++------------ + tests/003-csrgen/expected.out | 110 +++++++++++++----------------- + 3 files changed, 91 insertions(+), 108 deletions(-) + +diff --git a/src/certext.c b/src/certext.c +index 0d66971e..e5e0b4dc 100644 +--- a/src/certext.c ++++ b/src/certext.c +@@ -1706,9 +1706,12 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry, + CERTCertExtension ext[13], *exts[14], **exts_ptr; + SECOidData *oid; + SECItem *item, encoded; ++ /* X509v3 extension's critical element has an implicit default, ++ * see https://pagure.io/certmonger/issue/223 ++ */ + SECItem der_false = { +- .len = 1, +- .data = (unsigned char *) "\000", ++ .len = 0, ++ .data = NULL, + }; + SECItem der_true = { + .len = 1, +diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out +index def53fe4..0fb88323 100644 +--- a/tests/003-csrgen-rsa/expected.out ++++ b/tests/003-csrgen-rsa/expected.out +@@ -8,8 +8,8 @@ pk12util: PKCS12 EXPORT SUCCESSFUL + 4096 OK. + Signature OK + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1413 cons: SEQUENCE +- 4:d=1 hl=4 l=1133 cons: SEQUENCE ++ 0:d=0 hl=4 l=1389 cons: SEQUENCE ++ 4:d=1 hl=4 l=1109 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET +@@ -21,7 +21,7 @@ The last CSR (the one with everything) was: + 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption + 52:d=4 hl=2 l= 0 prim: NULL + 54:d=3 hl=4 l= 271 prim: BIT STRING +- 329:d=2 hl=4 l= 808 cons: cont [ 0 ] ++ 329:d=2 hl=4 l= 784 cons: cont [ 0 ] + 333:d=3 hl=2 l= 52 cons: SEQUENCE + 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword + 346:d=4 hl=2 l= 39 cons: SET +@@ -30,48 +30,40 @@ The last CSR (the one with everything) was: + 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName + 400:d=4 hl=2 l= 48 cons: SET + 402:d=5 hl=2 l= 46 prim: BMPSTRING +- 450:d=3 hl=4 l= 687 cons: SEQUENCE ++ 450:d=3 hl=4 l= 663 cons: SEQUENCE + 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 465:d=4 hl=4 l= 672 cons: SET +- 469:d=5 hl=4 l= 668 cons: SEQUENCE +- 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 465:d=4 hl=4 l= 648 cons: SET ++ 469:d=5 hl=4 l= 644 cons: SEQUENCE ++ 473:d=6 hl=2 l= 11 cons: SEQUENCE + 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 489:d=6 hl=4 l= 264 cons: SEQUENCE +- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74 +- 757:d=6 hl=2 l= 32 cons: SEQUENCE +- 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 764:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 791:d=6 hl=2 l= 18 cons: SEQUENCE +- 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 798:d=7 hl=2 l= 1 prim: BOOLEAN :255 +- 801:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 811:d=6 hl=2 l= 34 cons: SEQUENCE +- 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 818:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 847:d=6 hl=2 l= 32 cons: SEQUENCE +- 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 854:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 881:d=6 hl=2 l= 107 cons: SEQUENCE +- 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 893:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 990:d=6 hl=2 l= 96 cons: SEQUENCE +- 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 997:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 1088:d=6 hl=2 l= 51 cons: SEQUENCE +- 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 1141:d=1 hl=2 l= 13 cons: SEQUENCE +- 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 1154:d=2 hl=2 l= 0 prim: NULL +- 1156:d=1 hl=4 l= 257 prim: BIT STRING ++ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 486:d=6 hl=4 l= 261 cons: SEQUENCE ++ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 495:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74 ++ 751:d=6 hl=2 l= 29 cons: SEQUENCE ++ 753:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 758:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 782:d=6 hl=2 l= 18 cons: SEQUENCE ++ 784:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 789:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 792:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 802:d=6 hl=2 l= 31 cons: SEQUENCE ++ 804:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 809:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 835:d=6 hl=2 l= 29 cons: SEQUENCE ++ 837:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 842:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 866:d=6 hl=2 l= 104 cons: SEQUENCE ++ 868:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 878:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 972:d=6 hl=2 l= 93 cons: SEQUENCE ++ 974:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 979:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1067:d=6 hl=2 l= 48 cons: SEQUENCE ++ 1069:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1080:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1117:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1119:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1130:d=2 hl=2 l= 0 prim: NULL ++ 1132:d=1 hl=4 l= 257 prim: BIT STRING + Test complete (32 combinations). +diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out +index 46e010cf..1081a678 100644 +--- a/tests/003-csrgen/expected.out ++++ b/tests/003-csrgen/expected.out +@@ -11,8 +11,8 @@ Signature OK + minicert.openssl.4096.pem: OK + 4096 OK. + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1635 cons: SEQUENCE +- 4:d=1 hl=4 l=1355 cons: SEQUENCE ++ 0:d=0 hl=4 l=1599 cons: SEQUENCE ++ 4:d=1 hl=4 l=1319 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET +@@ -24,7 +24,7 @@ The last CSR (the one with everything) was: + 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption + 52:d=4 hl=2 l= 0 prim: NULL + 54:d=3 hl=4 l= 271 prim: BIT STRING +- 329:d=2 hl=4 l=1030 cons: cont [ 0 ] ++ 329:d=2 hl=4 l= 994 cons: cont [ 0 ] + 333:d=3 hl=2 l= 52 cons: SEQUENCE + 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword + 346:d=4 hl=2 l= 39 cons: SET +@@ -33,64 +33,52 @@ The last CSR (the one with everything) was: + 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName + 400:d=4 hl=2 l= 48 cons: SET + 402:d=5 hl=2 l= 46 prim: BMPSTRING +- 450:d=3 hl=4 l= 909 cons: SEQUENCE ++ 450:d=3 hl=4 l= 873 cons: SEQUENCE + 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 465:d=4 hl=4 l= 894 cons: SET +- 469:d=5 hl=4 l= 890 cons: SEQUENCE +- 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 465:d=4 hl=4 l= 858 cons: SET ++ 469:d=5 hl=4 l= 854 cons: SEQUENCE ++ 473:d=6 hl=2 l= 11 cons: SEQUENCE + 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 489:d=6 hl=4 l= 290 cons: SEQUENCE +- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001 +- 783:d=6 hl=2 l= 32 cons: SEQUENCE +- 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 790:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 817:d=6 hl=2 l= 18 cons: SEQUENCE +- 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 824:d=7 hl=2 l= 1 prim: BOOLEAN :255 +- 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 837:d=6 hl=2 l= 34 cons: SEQUENCE +- 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 844:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 873:d=6 hl=2 l= 32 cons: SEQUENCE +- 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 880:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 907:d=6 hl=2 l= 107 cons: SEQUENCE +- 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 919:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 1016:d=6 hl=2 l= 96 cons: SEQUENCE +- 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 1114:d=6 hl=2 l= 106 cons: SEQUENCE +- 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL +- 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 +- 1222:d=6 hl=2 l= 51 cons: SEQUENCE +- 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 1275:d=6 hl=2 l= 18 cons: SEQUENCE +- 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check +- 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 +- 1295:d=6 hl=2 l= 44 cons: SEQUENCE +- 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 +- 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 +- 1341:d=6 hl=2 l= 20 cons: SEQUENCE +- 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type +- 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 +- 1363:d=1 hl=2 l= 13 cons: SEQUENCE +- 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 1376:d=2 hl=2 l= 0 prim: NULL +- 1378:d=1 hl=4 l= 257 prim: BIT STRING ++ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 486:d=6 hl=4 l= 287 cons: SEQUENCE ++ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 495:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001 ++ 777:d=6 hl=2 l= 29 cons: SEQUENCE ++ 779:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 784:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 808:d=6 hl=2 l= 18 cons: SEQUENCE ++ 810:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 815:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 818:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 828:d=6 hl=2 l= 31 cons: SEQUENCE ++ 830:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 835:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 861:d=6 hl=2 l= 29 cons: SEQUENCE ++ 863:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 868:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 892:d=6 hl=2 l= 104 cons: SEQUENCE ++ 894:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 904:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 998:d=6 hl=2 l= 93 cons: SEQUENCE ++ 1000:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 1005:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1093:d=6 hl=2 l= 103 cons: SEQUENCE ++ 1095:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL ++ 1100:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 ++ 1198:d=6 hl=2 l= 48 cons: SEQUENCE ++ 1200:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1211:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1248:d=6 hl=2 l= 15 cons: SEQUENCE ++ 1250:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check ++ 1261:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 ++ 1265:d=6 hl=2 l= 41 cons: SEQUENCE ++ 1267:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 ++ 1278:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 ++ 1308:d=6 hl=2 l= 17 cons: SEQUENCE ++ 1310:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type ++ 1321:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 ++ 1327:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1329:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1340:d=2 hl=2 l= 0 prim: NULL ++ 1342:d=1 hl=4 l= 257 prim: BIT STRING + Test complete (69 combinations). +-- +2.31.1 + diff --git a/SOURCES/0009-Use-extensions-template-from-NSS.patch b/SOURCES/0009-Use-extensions-template-from-NSS.patch new file mode 100644 index 0000000..99e98c3 --- /dev/null +++ b/SOURCES/0009-Use-extensions-template-from-NSS.patch @@ -0,0 +1,80 @@ +From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Mon, 4 Oct 2021 15:55:44 +0200 +Subject: [PATCH] Use extensions template from NSS + +Drop certmonger's custom extension template and use the sequence of X509v3 +extensions template from NSS. + +The certmonger template had a bug that caused certmonger to create CSRs +with invalid DER. It was encoding extension's critical element even for +default value FALSE. + +Fixes: https://pagure.io/certmonger/issue/223 +Signed-off-by: Christian Heimes +--- + src/certext.c | 41 +---------------------------------------- + 1 file changed, 1 insertion(+), 40 deletions(-) + +diff --git a/src/certext.c b/src/certext.c +index be536987..0d66971e 100644 +--- a/src/certext.c ++++ b/src/certext.c +@@ -203,45 +203,6 @@ cm_ms_template_template[] = { + {0, 0, NULL, 0}, + }; + +-/* RFC 5280, 4.1 */ +-const SEC_ASN1Template +-cm_certext_cert_extension_template[] = { +- { +- .kind = SEC_ASN1_SEQUENCE, +- .offset = 0, +- .sub = NULL, +- .size = sizeof(CERTCertExtension), +- }, +- { +- .kind = SEC_ASN1_OBJECT_ID, +- .offset = offsetof(CERTCertExtension, id), +- .sub = NULL, +- .size = sizeof(SECItem), +- }, +- { +- .kind = SEC_ASN1_BOOLEAN, +- .offset = offsetof(CERTCertExtension, critical), +- .sub = NULL, +- .size = sizeof(SECItem), +- }, +- { +- .kind = SEC_ASN1_OCTET_STRING, +- .offset = offsetof(CERTCertExtension, value), +- .sub = NULL, +- .size = sizeof(SECItem), +- }, +- {0, 0, NULL, 0}, +-}; +-const SEC_ASN1Template +-cm_certext_sequence_of_cert_extension_template[] = { +- { +- .kind = SEC_ASN1_SEQUENCE_OF, +- .offset = 0, +- .sub = cm_certext_cert_extension_template, +- .size = sizeof(CERTCertExtension **), +- }, +-}; +- + /* Windows 2000-style UPN */ + static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03}; + static const SECOidData oid_ms_upn_name = { +@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry, + /* Encode the sequence. */ + memset(&encoded, 0, sizeof(encoded)); + if (i > 1) { +- template = cm_certext_sequence_of_cert_extension_template; ++ template = CERT_SequenceOfCertExtensionTemplate; + if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr, + template) == &encoded) { + *extensions = talloc_memdup(entry, encoded.data, +-- +2.31.1 + diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index 1e19431..d40f591 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -28,7 +28,7 @@ Name: certmonger Version: 0.79.14 -Release: 3%{?dist} +Release: 5%{?dist} Summary: Certificate status monitor and PKI enrollment client License: GPLv3+ @@ -36,8 +36,14 @@ URL: http://pagure.io/certmonger/ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz #Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig -Patch0002: 0002-candidate-openssl-3.0-compat-fixes.patch -Patch0003: 0003-Temporarily-disable-the-csrgen-tests.patch +Patch0002: 0002-candidate-openssl-3.0-compat-fixes.patch +Patch0004: 0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch +Patch0005: 0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch +Patch0006: 0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch +Patch0007: 0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch +Patch0008: 0008-Use-implicit-empty-FALSE-for-extensions.patch +Patch0009: 0009-Use-extensions-template-from-NSS.patch + BuildRequires: autoconf BuildRequires: automake @@ -86,6 +92,7 @@ BuildRequires: /usr/bin/which # for dbus tests BuildRequires: python3-dbus BuildRequires: popt-devel +BuildRequires: sed # we need a running system bus Requires: dbus @@ -266,6 +273,15 @@ exit 0 %endif %changelog +* Thu Oct 07 2021 Rob Crittenden - 0.79.14-5 +- Certmonger SCEP renewal should not use old challenges (#1990926) +- Certmonger certificates stuck in NEED_GUIDANCE (#2001082) +- certmonger creates CSRs with invalid DER syntax for X509v3 extensions + with critical=FALSE (#2012261) + +* Tue Sep 28 2021 Rob Crittenden - 0.79.14-4 +- Fix FTBFS due to change in OpenSSL 3.0.0-beta2 API (#2008451) + * Mon Aug 09 2021 Mohan Boddu - 0.79.14-3 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688