From 2187e205da4fb2fcfdc2d8b9e4a4117f849041f7 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 3 Jun 2016 10:22:23 +1000 Subject: [PATCH] Add 'issuer' request option for specifying issuer FreeIPA is implementing a 'lightweight CAs' feature where a single Dogtag instance can host multiple CAs. Add the '--issuer' / '-X' getcert-request option for specifying a particular CA, and the 'CERTMONGER_CA_ISSUER' environment variable for passing the value to submit helpers. Also update the 'ipa-submit' helper to set the 'ca' argument if the environment variable is set. Reviewed-by: Nalin Dahyabhai --- doc/api.txt | 2 ++ doc/submit.txt | 1 + src/cadata.c | 1 + src/getcert-request.1.in | 3 +++ src/getcert-resubmit.1.in | 3 +++ src/getcert-start-tracking.1.in | 3 +++ src/getcert.c | 44 ++++++++++++++++++++++++++++++++++++----- src/ipa.c | 25 +++++++++++++++++------ src/store-files.c | 9 +++++++++ src/store-int.h | 1 + src/submit-e.c | 1 + src/submit-e.h | 1 + src/tdbus.h | 1 + src/tdbush.c | 25 ++++++++++++++++++++++- tests/028-dbus/expected.out | 1 + 15 files changed, 109 insertions(+), 12 deletions(-) diff --git a/doc/api.txt b/doc/api.txt index e11f944de5861663d742c8b91129f7b592e7f72c..31016bec004f0b7f00db4cb3baefd236d485dc85 100644 --- a/doc/api.txt +++ b/doc/api.txt @@ -56,6 +56,7 @@ o object layout {("template-crldp"),array-of-string (CRL distribution point URIs)} {("template-ns-comment"),string (Netscape comment)} {("template-profile"),string (certificate profile)} + {("template-issuer"),string (requested issuer)} {("template-challenge-password"),string (password to add to CSR)} {("template-challenge-password-file"),string (password file) {("cert-presave-command"),string} 
@@ -164,6 +165,7 @@ o object layout {("template-crldp"),array-of-string (CRL distribution point URIs)} {("template-ns-comment"),string (Netscape comment)} {("template-profile"),string (certificate profile)} + {("template-issuer"),string (requested issuer)} {("template-challenge-password"),string (password to add to CSR)} {("template-challenge-password-file"),string (password file) {("cert-presave-command"),string} diff --git a/doc/submit.txt b/doc/submit.txt index dbf5319dc29bd9adb4054d4e76e90f028bad5fa6..7444f88c078b7453ae350268482832485259348a 100644 --- a/doc/submit.txt +++ b/doc/submit.txt @@ -13,6 +13,7 @@ An external CA helper has a few jobs: * $CERTMONGER_REQ_PRINCIPAL -> Kerberos principal name subjectAltName values * $CERTMONGER_REQ_IP_ADDRESS-> IP address subjectAltName values (since 0.78) * $CERTMONGER_CA_PROFILE -> requested enrollment profile/template/certtype + * $CERTMONGER_CA_ISSUER -> requested issuer for enrollment * $CERTMONGER_CSR -> certificate signing request * $CERTMONGER_CERTIFICATE -> previously-issued certificate, if there is one * $CERTMONGER_CA_NICKNAME -> nickname of CA (since 0.73) diff --git a/src/cadata.c b/src/cadata.c index 947b2e68d3e74abf688aebd48344bfbf964e5656..7861fe73104143d6a9135fcb50b3ead583b03bf7 100644 --- a/src/cadata.c +++ b/src/cadata.c @@ -50,6 +50,7 @@ const char *attribute_map[] = { CM_SUBMIT_REQ_EMAIL_ENV, CM_DBUS_PROP_TEMPLATE_EMAIL, CM_SUBMIT_REQ_IP_ADDRESS_ENV, CM_DBUS_PROP_TEMPLATE_IP_ADDRESS, CM_SUBMIT_PROFILE_ENV, CM_DBUS_PROP_TEMPLATE_PROFILE, + CM_SUBMIT_ISSUER_ENV, CM_DBUS_PROP_TEMPLATE_ISSUER, NULL, }; diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in index f11f1ffa35ccb6eb3d6aeea149353f55d5266534..b6578dce4b06fd60f9e784ba5665489eb3dd3982 100644 --- a/src/getcert-request.1.in +++ b/src/getcert-request.1.in 
@@ -87,6 +87,9 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. \fB\-T\fR NAME Request a certificate using the named profile, template, or certtype, from the specified CA. +.TP +\fB\-X\fR NAME +Request a certificate using the named issuer from the specified CA. .SH SIGNING REQUEST OPTIONS diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in index ad31da9995194280d79c2ce6bb2311291d37072d..165940eab1e625ecd3db63a1cf0bd822ae6abf72 100644 --- a/src/getcert-resubmit.1.in +++ b/src/getcert-resubmit.1.in @@ -48,6 +48,9 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. Request a certificate using the named profile, template, or certtype, from the specified CA. .TP +\fB\-X\fR NAME +Request a certificate using the named issuer from the specified CA. +.TP \fB\-I\fR NAME Assign the specified nickname to this task, replacing the previous nickname. diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in index 6cd24e77dd578662e4b18b8ae18dd26b6faa7122..a46f53578626bc62abaeb22e77500548c34ac3c0 100644 --- a/src/getcert-start-tracking.1.in +++ b/src/getcert-start-tracking.1.in @@ -85,6 +85,9 @@ useful in combination with \fB\-r\fR. \fB\-T\fR NAME Request a certificate using the named profile, template, or certtype, from the specified CA. +.TP +\fB\-X\fR NAME +Request a certificate using the named issuer from the specified CA. .SH SIGNING REQUEST OPTIONS If and when \fIcertmonger\fR attempts to obtain a new certificate to replace diff --git a/src/getcert.c b/src/getcert.c index 49840dd968a75929ef55c6b77966187f0c59fa78..cfa36fb1a7ea16c9c9bacc8f40360efa594b7830 100644 --- a/src/getcert.c +++ b/src/getcert.c 
@@ -691,7 +691,7 @@ request(const char *argv0, int argc, const char **argv) char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL; int keysize = 0, auto_renew = 1, verbose = 0, ku = 0, kubit, c, i, j; char *ca = DEFAULT_CA, *subject = NULL, **eku = NULL, *oid, *id = NULL; - char *profile = NULL, kustring[16]; + char *profile = NULL, *issuer = NULL, kustring[16]; char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; char *key_owner = NULL, *key_perms = NULL; char *cert_owner = NULL, *cert_perms = NULL; @@ -732,6 +732,7 @@ request(const char *argv0, int argc, const char **argv) {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, #endif {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, + {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("set requested extended key usage OID"), HELP_TYPE_EKU}, @@ -858,6 +859,9 @@ request(const char *argv0, int argc, const char **argv) case 'T': profile = talloc_strdup(globals.tctx, poptarg); break; + case 'X': + issuer = talloc_strdup(globals.tctx, poptarg); + break; case 'N': subject = talloc_strdup(globals.tctx, poptarg); break; 
@@ -1289,6 +1293,13 @@ request(const char *argv0, int argc, const char **argv) params[i] = ¶m[i]; i++; } + if (issuer != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; + param[i].value_type = cm_tdbusm_dict_s; + param[i].value.s = issuer; + params[i] = ¶m[i]; + i++; + } if (precommand != NULL) { param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; param[i].value_type = cm_tdbusm_dict_s; @@ -1480,7 +1491,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id, char *key_perms, char *cert_perms, char *pin, char *pinfile, char *cpass, char *cpassfile, - char *ca, char *profile, + char *ca, char *profile, char *issuer, char *precommand, char *postcommand, char **anchor_dbs, char **anchor_files, dbus_bool_t auto_renew_stop, int waitreq, @@ -1644,6 +1655,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id, params[i] = ¶m[i]; i++; } + if (issuer != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; + param[i].value_type = cm_tdbusm_dict_s; + param[i].value.s = issuer; + params[i] = ¶m[i]; + i++; + } if (precommand != NULL) { param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; param[i].value_type = cm_tdbusm_dict_s; @@ -1726,7 +1744,7 @@ set_tracking(const char *argv0, const char *category, char **anchor_dbs = NULL, **anchor_files = NULL; char *id = NULL, *new_id = NULL, *new_request; char *keyfile = NULL, *certfile = NULL, *ca = DEFAULT_CA; - char *profile = NULL; + char *profile = NULL, *issuer = NULL; char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL; char *key_owner = NULL, *key_perms = NULL; char *cert_owner = NULL, *cert_perms = NULL; 
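Review bot: The new `if (issuer != NULL)` entry in request() raises the worst-case number of entries written into param[] and params[] by one, and the declarations of those arrays are outside the hunk; nothing in this commit grows them. If they are fixed-size arrays sized to the previous maximum, a request supplying every optional value would now write past the end, so their sizes should be re-checked, or a bound check added before the new entry, e.g. `assert(i < sizeof(param) / sizeof(param[0]));`. The same applies to the matching blocks in add_basic_request (hunk @@ -1644) and rekey_or_resubmit (hunk @@ -2838). request()'s body starts and continues outside this hunk.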
@@ -1767,6 +1785,7 @@ set_tracking(const char *argv0, const char *category, {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, #endif {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, + {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("override requested key usage value"), HELP_TYPE_KU}, {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("override requested extended key usage OID"), HELP_TYPE_EKU}, {"principal", 'K', POPT_ARG_STRING, NULL, 'K', _("override requested principal name"), HELP_TYPE_PRINCIPAL}, @@ -2291,7 +2310,7 @@ set_tracking(const char *argv0, const char *category, key_perms, cert_perms, pin, pinfile, cpass, cpassfile, - ca, profile, + ca, profile, issuer, precommand, postcommand, anchor_dbs, anchor_files, (auto_renew_stop > 0), @@ -2366,7 +2385,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, char *id = NULL, *new_id = NULL, *ca = NULL, *new_request, *nss_scheme; char *subject = NULL, **eku = NULL, *oid = NULL; char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; - char *profile = NULL, kustring[16]; + char *profile = NULL, *issuer = NULL, kustring[16]; char *key_owner = NULL, *key_perms = NULL; char *cert_owner = NULL, *cert_perms = NULL; char *keytype = NULL; 
@@ -2403,6 +2422,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the current one"), HELP_TYPE_NAME}, #endif {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, + {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("set requested extended key usage OID"), HELP_TYPE_EKU}, @@ -2477,6 +2497,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, case 'T': profile = talloc_strdup(globals.tctx, poptarg); break; + case 'X': + issuer = talloc_strdup(globals.tctx, poptarg); + break; case 'i': id = talloc_strdup(globals.tctx, poptarg); break; @@ -2838,6 +2861,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, params[i] = ¶m[i]; i++; } + if (issuer != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; + param[i].value_type = cm_tdbusm_dict_s; + param[i].value.s = issuer; + params[i] = ¶m[i]; + i++; + } if (precommand != NULL) { param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND; param[i].value_type = cm_tdbusm_dict_s; @@ -4647,6 +4677,7 @@ help(const char *twopartcmd, const char *category) N_(" -c CA use the specified CA rather than the default\n"), #endif N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), N_("* Parameters for the signing request:\n"), N_(" -N NAME set requested subject name (default: CN=)\n"), N_(" -U EXTUSAGE set requested extended key usage OID\n"), 
@@ -4695,6 +4726,7 @@ help(const char *twopartcmd, const char *category) N_(" -c CA use the specified CA rather than the default\n"), #endif N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), N_("* Parameters for the signing request at renewal time:\n"), N_(" -U EXTUSAGE override requested extended key usage OID\n"), N_(" -u KEYUSAGE set requested key usage value\n"), @@ -4773,6 +4805,7 @@ help(const char *twopartcmd, const char *category) N_(" -c CA use the specified CA rather than the current one\n"), #endif N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), N_("* Bus options:\n"), N_(" -S connect to the certmonger service on the system bus\n"), N_(" -s connect to the certmonger service on the session bus\n"), @@ -4820,6 +4853,7 @@ help(const char *twopartcmd, const char *category) N_(" -c CA use the specified CA rather than the current one\n"), #endif N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), + N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), N_(" -G TYPE type of new key to be generated\n"), N_(" -g SIZE size of new key to be generated\n"), N_("* Bus options:\n"), diff --git a/src/ipa.c b/src/ipa.c index 5236abb40246c270d1b14c5cfbc467dbd6e8f7a4..72cdda6b07ea5a4850fb404497196c46a6bbbd6d 100644 --- a/src/ipa.c +++ b/src/ipa.c @@ -332,7 +332,8 @@ cm_locate_xmlrpc_service(const char *server, /* Make an XML-RPC request to the "cert_request" method. */ static int submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath, - const char *csr, const char *reqprinc, const char *profile) + const char *csr, const char *reqprinc, + const char *profile, const char *issuer) { struct cm_submit_x_context *ctx; const char *args[2]; 
@@ -366,6 +367,10 @@ submit: if (profile != NULL) { cm_submit_x_add_named_arg_s(ctx, "profile_id", profile); } + /* Add the requested CA named argument. */ + if (issuer != NULL) { + cm_submit_x_add_named_arg_s(ctx, "ca", issuer); + } /* Tell the server to add entries for a principal if one * doesn't exist yet. */ cm_submit_x_add_named_arg_b(ctx, "add", 1); @@ -440,12 +445,14 @@ static int submit_or_poll(const char *uri, const char *cainfo, const char *capath, const char *server, int ldap_uri_cmd, const char *ldap_uri, const char *host, const char *domain, char *basedn, - const char *csr, const char *reqprinc, const char *profile) + const char *csr, const char *reqprinc, + const char *profile, const char *issuer) { int i, u; char **uris; - i = submit_or_poll_uri(uri, cainfo, capath, csr, reqprinc, profile); + i = submit_or_poll_uri(uri, cainfo, capath, csr, reqprinc, profile, + issuer); if ((i == CM_SUBMIT_STATUS_UNREACHABLE) || (i == CM_SUBMIT_STATUS_UNCONFIGURED)) { u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri, @@ -456,7 +463,8 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath, continue; } i = submit_or_poll_uri(uris[u], cainfo, capath, - csr, reqprinc, profile); + csr, reqprinc, profile, + issuer); if ((i != CM_SUBMIT_STATUS_UNREACHABLE) && (i != CM_SUBMIT_STATUS_UNCONFIGURED)) { talloc_free(uris); @@ -556,7 +564,7 @@ main(int argc, const char **argv) const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile; int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0; const char *mode = CM_OP_SUBMIT; - char ldn[LINE_MAX], *basedn = NULL, *profile = NULL; + char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL; krb5_error_code kret; poptContext pctx; struct poptOption popts[] = { 
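Review bot: The comment above the new `ca` argument in submit_or_poll_uri should say what "ca" means on the wire, because everywhere else in this file "CA" refers to certmonger's own CA configuration: here the value is the name of an IPA lightweight CA passed to the cert_request method. Suggest replacing it with `/* Pass the requested issuer as cert_request's "ca" argument: the name of an IPA lightweight CA, not certmonger's CA nickname. */`. The value is forwarded verbatim, and whether the caller may enroll against that CA is presumably decided by the server, which is worth stating in the same comment. submit_or_poll_uri's body starts and ends outside this hunk.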
@@ -571,6 +579,7 @@ main(int argc, const char **argv) {"use-ccache-creds", 'K', POPT_ARG_NONE, NULL, 'K', "use default ccache instead of creating a new one using keytab", NULL}, {"principal-of-request", 'P', POPT_ARG_STRING, &reqprinc, 0, "principal name in signing request", "PRINCIPAL"}, {"profile", 'T', POPT_ARG_STRING, &profile, 0, "request enrollment using the specified profile", "NAME"}, + {"issuer", 'X', POPT_ARG_STRING, &issuer, 0, "request enrollment using the specified CA", "NAME"}, {"basedn", 'b', POPT_ARG_STRING, &basedn, 0, "IPA domain LDAP base DN", "DN"}, {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, POPT_AUTOHELP @@ -729,6 +738,10 @@ main(int argc, const char **argv) (getenv(CM_SUBMIT_PROFILE_ENV) != NULL)) { profile = strdup(getenv(CM_SUBMIT_PROFILE_ENV)); } + if ((issuer == NULL) && + (getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) { + issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV)); + } if ((server != NULL) && !xmlrpc_uri_cmd) { snprintf(uri, sizeof(uri), "https://%s/ipa/xml", server); @@ -835,7 +848,7 @@ main(int argc, const char **argv) return submit_or_poll(uri, cainfo, capath, server, ldap_uri_cmd, ldap_uri, host, domain, basedn, - csr, reqprinc, profile); + csr, reqprinc, profile, issuer); } else if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) { return fetch_roots(server, ldap_uri_cmd, ldap_uri, host, diff --git a/src/store-files.c b/src/store-files.c index 961d03b7d1724a2cdb1fc4a26d8f1e25e474824f..889829ca62a035a758288aac158cbe17b0fd9e6d 100644 --- a/src/store-files.c +++ b/src/store-files.c @@ -129,6 +129,7 @@ enum cm_store_file_field { cm_store_entry_field_template_ocsp_location, cm_store_entry_field_template_ns_comment, cm_store_entry_field_template_profile, + cm_store_entry_field_template_issuer, cm_store_entry_field_template_no_ocsp_check, cm_store_entry_field_template_ns_certtype, 
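Review bot: In main(), the fallback `issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV));` (hunk @@ -729) neither checks the strdup result nor rejects an empty variable, so a `CERTMONGER_CA_ISSUER=` with no value would become an empty `ca` argument on the request unless the daemon side already filters empty strings. The profile fallback just above has the same shape, but the new code need not repeat it: `const char *env_issuer = getenv(CM_SUBMIT_ISSUER_ENV);` / `if ((issuer == NULL) && (env_issuer != NULL) && (env_issuer[0] != '\0')) {` / `issuer = strdup(env_issuer);` followed by a NULL check on the copy. The popt help text in the @@ -571 hunk, "request enrollment using the specified CA", also reads like the daemon's CA-configuration option; "request enrollment using the specified issuer (IPA lightweight CA)" would match getcert's wording. main() continues outside these hunks.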
@@ -303,6 +304,7 @@ static struct cm_store_file_field_list { {cm_store_entry_field_template_ns_comment, "template_ns_comment"}, {cm_store_entry_field_template_profile, "template_profile"}, /* right */ {cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */ + {cm_store_entry_field_template_issuer, "template_issuer"}, {cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"}, {cm_store_entry_field_template_ns_certtype, "template_ns_certtype"}, @@ -1127,6 +1129,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp) case cm_store_entry_field_template_profile: ret->cm_template_profile = free_if_empty(p); break; + case cm_store_entry_field_template_issuer: + ret->cm_template_issuer = free_if_empty(p); + break; case cm_store_entry_field_template_no_ocsp_check: ret->cm_template_no_ocsp_check = atoi(p) != 0; talloc_free(p); @@ -1370,6 +1375,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) case cm_store_entry_field_template_ocsp_location: case cm_store_entry_field_template_ns_comment: case cm_store_entry_field_template_profile: + case cm_store_entry_field_template_issuer: case cm_store_entry_field_template_no_ocsp_check: case cm_store_entry_field_template_ns_certtype: case cm_store_entry_field_challenge_password: @@ -1972,6 +1978,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry) entry->cm_template_ns_comment); cm_store_file_write_str(fp, cm_store_entry_field_template_profile, entry->cm_template_profile); + cm_store_file_write_str(fp, cm_store_entry_field_template_issuer, + entry->cm_template_issuer); cm_store_file_write_int(fp, cm_store_entry_field_template_no_ocsp_check, entry->cm_template_no_ocsp_check ? 1 : 0); cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype, 
@@ -2735,6 +2743,7 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry) ret->cm_template_ocsp_location = cm_store_maybe_strdupv(ret, entry->cm_template_ocsp_location); ret->cm_template_ns_comment = cm_store_maybe_strdup(ret, entry->cm_template_ns_comment); ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile); + ret->cm_template_issuer = cm_store_maybe_strdup(ret, entry->cm_template_issuer); ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check; ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret, entry->cm_template_ns_certtype); diff --git a/src/store-int.h b/src/store-int.h index d7d3fc86306b103b0a90faef7396697743b9c8da..2d3a35387516c48ab81a6422e42d57d5741593f6 100644 --- a/src/store-int.h +++ b/src/store-int.h @@ -142,6 +142,7 @@ struct cm_store_entry { char **cm_template_ocsp_location; char *cm_template_ns_comment; char *cm_template_profile; + char *cm_template_issuer; char *cm_template_ns_certtype; unsigned int cm_template_no_ocsp_check: 1; /* A challenge password, which may be included (in cleartext form!) in diff --git a/src/submit-e.c b/src/submit-e.c index 6997b436e42aa4f77c421040070ee2484467dea5..befd01e0fd00b8f9e239752ffbd80c985fae5057 100644 --- a/src/submit-e.c +++ b/src/submit-e.c @@ -876,6 +876,7 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca, maybe_setenv(CM_SUBMIT_COOKIE_ENV, entry->cm_ca_cookie); maybe_setenv(CM_SUBMIT_CA_NICKNAME_ENV, entry->cm_ca_nickname); maybe_setenv(CM_SUBMIT_PROFILE_ENV, entry->cm_template_profile); + maybe_setenv(CM_SUBMIT_ISSUER_ENV, entry->cm_template_issuer); maybe_setenv(CM_SUBMIT_CERTIFICATE_ENV, entry->cm_cert); /* Only pass SCEP data to the helper if we haven't used this set of * nonced data before. It'll ask for fresh data if it needs it. */ diff --git a/src/submit-e.h b/src/submit-e.h index 2e325cf7d36436b89287e9933db83a6d853abfd1..0148d4da07507a000d8e6e8aca98f2ed84669eca 100644 --- a/src/submit-e.h +++ b/src/submit-e.h 
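Review bot: `maybe_setenv(CM_SUBMIT_ISSUER_ENV, entry->cm_template_issuer);` in cm_submit_e_helper_main is the only path by which the issuer reaches the helper, so whether an entry without an issuer gets a clean environment depends on maybe_setenv (defined outside the hunk) unsetting the variable when the value is NULL; if it only sets, a CERTMONGER_CA_ISSUER inherited by the daemon's process would silently select an issuer for every such entry, which is worth confirming. A short comment on the new line would also help readers of the helper protocol: `/* CERTMONGER_CA_ISSUER: optional issuer (lightweight CA) name; ipa-submit passes it as cert_request's "ca" argument. */`. The function continues outside the hunk.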
@@ -48,6 +48,7 @@ const char *cm_submit_e_status_text(enum cm_external_status status); #define CM_SUBMIT_COOKIE_ENV "CERTMONGER_CA_COOKIE" #define CM_SUBMIT_CA_NICKNAME_ENV "CERTMONGER_CA_NICKNAME" #define CM_SUBMIT_PROFILE_ENV "CERTMONGER_CA_PROFILE" +#define CM_SUBMIT_ISSUER_ENV "CERTMONGER_CA_ISSUER" #define CM_SUBMIT_CERTIFICATE_ENV "CERTMONGER_CERTIFICATE" #define CM_SUBMIT_SCEP_CA_IDENTIFIER_ENV "CERTMONGER_SCEP_CA_IDENTIFIER" #define CM_SUBMIT_SCEP_RA_CERTIFICATE_ENV "CERTMONGER_SCEP_RA_CERTIFICATE" diff --git a/src/tdbus.h b/src/tdbus.h index c9b3afeb59548c2dc1260cfd7c76b39327a42f89..496f2dd289a0bd9b4d66451ea5eb0acf83d0cf5f 100644 --- a/src/tdbus.h +++ b/src/tdbus.h @@ -108,6 +108,7 @@ #define CM_DBUS_PROP_TEMPLATE_FRESHEST_CRL "template-freshest-crl" #define CM_DBUS_PROP_TEMPLATE_NS_COMMENT "template-ns-comment" #define CM_DBUS_PROP_TEMPLATE_PROFILE "template-profile" +#define CM_DBUS_PROP_TEMPLATE_ISSUER "template-issuer" #define CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE "template-ns-certtype" #define CM_DBUS_SIGNAL_REQUEST_CERT_SAVED "SavedCertificate" #define CM_DBUS_PROP_CA_PRESAVE_COMMAND "ca-presave-command" diff --git a/src/tdbush.c b/src/tdbush.c index 4660f80f26669d31b2629c543384fe95bbec1ea9..05a503e06a553c566dcff5e053cbd8aa16c20f14 100644 --- a/src/tdbush.c +++ b/src/tdbush.c @@ -1562,6 +1562,13 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, param->value.s); } param = cm_tdbusm_find_dict_entry(d, + CM_DBUS_PROP_TEMPLATE_ISSUER, + cm_tdbusm_dict_s); + if (param != NULL) { + new_entry->cm_template_issuer = maybe_strdup(new_entry, + param->value.s); + } + param = cm_tdbusm_find_dict_entry(d, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD, cm_tdbusm_dict_s); if ((param != NULL) && 
@@ -3306,6 +3313,14 @@ request_modify(DBusConnection *conn, DBusMessage *msg, } } else if ((param->value_type == cm_tdbusm_dict_s) && + (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_ISSUER) == 0)) { + talloc_free(entry->cm_template_issuer); + entry->cm_template_issuer = maybe_strdup(entry, param->value.s); + if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) { + propname[n_propname++] = CM_DBUS_PROP_TEMPLATE_ISSUER; + } + } else + if ((param->value_type == cm_tdbusm_dict_s) && (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD) == 0)) { talloc_free(entry->cm_template_challenge_password); entry->cm_template_challenge_password = maybe_strdup(entry, @@ -6712,6 +6727,14 @@ cm_tdbush_iface_request(void) NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL), make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_TEMPLATE_ISSUER, + cm_tdbush_property_string, + cm_tdbush_property_readwrite, + cm_tdbush_property_char_p, + offsetof(struct cm_store_entry, cm_template_issuer), + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + NULL), + make_interface_item(cm_tdbush_interface_property, make_property(CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE, cm_tdbush_property_string, cm_tdbush_property_readwrite, @@ -7156,7 +7179,7 @@ cm_tdbush_iface_request(void) make_interface_item(cm_tdbush_interface_signal, make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, NULL), - NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); + NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); } return ret; } diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out index ba55dd5ce97c74475dbebb761c41dd2e64e64365..b2660317b3102373f2a5a877a7224f727929412c 100644 --- a/tests/028-dbus/expected.out +++ b/tests/028-dbus/expected.out @@ -328,6 +328,7 @@ OK + -- 2.9.0
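Review bot: The new branch in request_modify guards `propname[n_propname++] = CM_DBUS_PROP_TEMPLATE_ISSUER;` with `n_propname + 2 < sizeof(propname) / sizeof(propname[0])`, which prevents an overrun but silently drops the changed-property notification when the array is already full; since this commit adds one more property that can be changed in the same call, propname[] (declared outside the hunk) should grow by one to keep that guard from ever triggering. The issuer is stored with `maybe_strdup` exactly like the profile, so a client setting it to the empty string keeps an empty issuer in the running daemon while store-files.c's `free_if_empty` turns it into NULL on reload; if that difference matters, normalise here with a one-line check before the strdup. request_modify starts and ends outside this hunk.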