From c47a439f510adffe4e2225408261d0e93059e077 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Fri, 7 Aug 2015 13:40:41 +0200 Subject: [PATCH] Remove rekey feature https://bugzilla.redhat.com/show_bug.cgi?id=1250397 --- src/certmonger-scep-submit.8.in | 8 -------- src/certmonger.conf.5.in | 19 ------------------- src/getcert-add-scep-ca.1.in | 8 -------- src/getcert.c | 3 --- src/prefs.c | 27 +-------------------------- src/scep.c | 5 ----- src/submit-e.c | 6 ------ src/tdbush.c | 10 +--------- tests/010-iterate/expected.out | 14 +++++--------- tests/028-dbus/expected.out | 6 ------ tests/036-getcert/expected.out | 26 ++++++++++++++------------ tests/037-rekey2/expected.out | 4 ++-- 12 files changed, 23 insertions(+), 113 deletions(-) diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in index 7319c6a42c090420eb035515d94fd0640d990dda..31203c37fde407d2306de9d7f5aba9d3541eaaa3 100644 --- a/src/certmonger-scep-submit.8.in +++ b/src/certmonger-scep-submit.8.in @@ -80,14 +80,6 @@ When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to specify the CA identifier which is passed to the server as part of the client's request. The default is "0". .TP -\fB\-n\fR -The SCEP Renewal feature allows a client with a previously-issued certificate -to use that certificate and the associated private key to request a new -certificate for a different key pair, and can be used to support -\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for -it. This option forces the \fIscep-submit\fR helper to prefer to issue -requests which do not make use of this feature. -.TP \fB-v\fR Increases the logging level. Use twice for more logging. This option is mainly useful for troubleshooting. diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in index 241f48b07b5045708aa118663b569d5ac3947782..e1220f134c30e760af73fb0abc88a498e94f23d2 100644 --- a/src/certmonger.conf.5.in +++ b/src/certmonger.conf.5.in 
@@ -72,25 +72,6 @@ These are the trust attributes which are applied to certificates which are not necessarily to be trusted, when they are saved to NSS databases. The default is \fI,,\fP. -.IP max_key_use_count -When attempting to replace a certificate, if \fIcertmonger\fR has previously -obtained at least this number of certificates using the current key pair, it -will generate a new key pair to use before proceeding. There is effectively no -default for this setting. - -.IP max_key_lifetime -The amount of time after a key was first generated when \fIcertmonger\fR will -attempt to generate a new key pair to replace it, as part of the process of -replacing a certificate. -The value is specified as a combination of years (y), months (M), weeks (w), -days (d), hours (h), minutes (m), and/or seconds (s). If no unit of time is -specified, seconds are assumed. -The date when a key was generated is not recorded if the key was not generated -by \fIcertmonger\fR, or if the key was generated with a version of -\fIcertmonger\fR older than 0.78, and for those cases, this option has no -effect. -There is effectively no default for this setting. - .SH SELFSIGN Within the \fIselfsign\fR section, these variables and values are recognized: diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in index f07b9002a206526ea7f0334f5ba0071d8fffd3ae..64f0f5e80cd0fa3ae01fcf27828f97935dfb99c7 100644 --- a/src/getcert-add-scep-ca.1.in +++ b/src/getcert-add-scep-ca.1.in 
@@ -46,14 +46,6 @@ A CA identifier value which will passed to the server when the \fIscep-submit\fR helper is used to retrieve copies of the server's certificates. .TP -\fB\-n\fR -The SCEP Renewal feature allows a client with a previously-issued certificate -to use that certificate and the associated private key to request a new -certificate for a different key pair, and can be used to support -\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for -it. This option forces the \fIscep-submit\fR helper to issue requests without -making use of this feature. -.TP \fB\-v\fR Be verbose about errors. Normally, the details of an error received from the daemon will be suppressed if the client can make a diagnostic suggestion. diff --git a/src/getcert.c b/src/getcert.c index c84273a9bfc8730422f18ade87ce174fbbc44634..dcdbdd455dd8c61c1aeaad6a5c7feef21b56feab 100644 --- a/src/getcert.c +++ b/src/getcert.c @@ -4625,7 +4625,6 @@ static struct { {"start-tracking", start_tracking}, {"stop-tracking", stop_tracking}, {"resubmit", resubmit}, - {"rekey", rekey}, {"refresh", refresh}, {"list", list}, {"status", status}, @@ -5041,8 +5040,6 @@ help(const char *twopartcmd, const char *category) N_("stop monitoring a certificate\n")}, {"resubmit", resubmit_help, N_("resubmit an in-progress enrollment request, or start a new one\n")}, - {"rekey", rekey_help, - N_("generate a new private key and replace a certificate\n")}, {"refresh", refresh_help, N_("check on the status of an in-progress enrollment request\n")}, {"list", list_help, diff --git a/src/prefs.c b/src/prefs.c index ab363bbc2c08f834e7fc1bede8f1cf2c50229f1c..0a8e166ce30f3b0288cd7430568ae18d0e5ab914 100644 --- a/src/prefs.c +++ b/src/prefs.c 
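Review bot: Dropping `{"rekey", rekey}` from the command table, and the matching `{"rekey", rekey_help, ...}` entry in help(), leaves the `rekey` and `rekey_help` handlers unreferenced. Their definitions are outside these hunks, but if they are `static` in getcert.c they are now dead code and will trip `-Wunused-function`. The same applies to `request_rekey` after the `make_method("rekey", ...)` removal in src/tdbush.c. Either delete the handlers in this commit or mark the omission at the table, e.g. `/* "rekey" intentionally disabled, see rhbz#1250397 */`, so it is not mistaken for an accident. Both tables begin and end outside the hunks shown.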
@@ -545,36 +545,11 @@ cm_prefs_nss_other_trust(void) long long prefs_key_end_of_life(time_t ref) { - const char *cfg; - time_t tmp; - - tmp = -1; - cfg = cm_prefs_config(NULL, "max_key_lifetime"); - if (cfg != NULL) { - if (cm_submit_u_delta_from_string(cfg, ref, &tmp) == 0) { - return tmp; - } - } return -1; } long prefs_max_key_use_count(void) { - static long count = -2; - long tmp; - const char *cfg; - char *p; - - if (count == -2) { - count = -1; - cfg = cm_prefs_config(NULL, "max_key_use_count"); - if (cfg != NULL) { - tmp = strtol(cfg, &p, 10); - if ((p != NULL) && (*p == '\0')) { - count = tmp; - } - } - } - return count; + return -1; } diff --git a/src/scep.c b/src/scep.c index d3bbc050947a1a0472187503110682c9028f9c6f..11f9ae3cc193981d3c2bf986a4a5c4c7d81506f5 100644 --- a/src/scep.c +++ b/src/scep.c @@ -231,7 +231,6 @@ main(int argc, const char **argv) {"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"}, {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"}, {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"}, - {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL}, {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, POPT_AUTOHELP POPT_TABLEEND @@ -255,8 +254,6 @@ main(int argc, const char **argv) message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV); if (message == NULL) { message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); - } else { - rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); } } else if (strcasecmp(mode, CM_OP_POLL) == 0) { @@ -264,8 +261,6 @@ main(int argc, const char **argv) message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV); if (message == NULL) { message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); - } else { - rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV); } } else if (strcasecmp(mode, CM_OP_FETCH_SCEP_CA_CERTS) == 0) { 
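Review bot: `prefs_key_end_of_life()` and `prefs_max_key_use_count()` now return -1 unconditionally, so a `max_key_lifetime` or `max_key_use_count` value already present in certmonger.conf is ignored without any diagnostic. An administrator who relied on those settings to force key rotation gets no signal that the policy is no longer applied, so consider logging a one-time warning when either key is still set. Each stub should carry a comment such as `/* rekey support removed: always report "not configured" (-1) */`, since -1 is what the old code returned when the setting was absent. `ref` is now unused, so `(void) ref;` would keep `-Wunused-parameter` builds quiet.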
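Review bot: The branch at -255 and the `CM_OP_POLL` branch at -264 still read `CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV` first, so if that variable is set the helper still picks the rekey variant as `message` even though `rekey_message` is no longer populated. If the feature is meant to be gone, a plain `message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);` in both branches would be consistent. Later uses of `rekey_message` and `prefer_non_renewal` in main(), outside these hunks, should be checked for paths that are now dead. Removing the `non-renewal`/`-n` entry from the popt table also means a stored helper command line that already contains `-n` will presumably be rejected as an unknown option, which would stop enrollment and renewal for that CA until the command is edited.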
diff --git a/src/submit-e.c b/src/submit-e.c index befd01e0fd00b8f9e239752ffbd80c985fae5057..af05efeb762933e31fecc67b1204001b7e81c697 100644 --- a/src/submit-e.c +++ b/src/submit-e.c @@ -446,12 +446,6 @@ cm_submit_e_need_scep_messages(struct cm_submit_state *state) static int cm_submit_e_need_rekey(struct cm_submit_state *state) { - int status; - status = cm_subproc_get_exitstatus(state->subproc); - if (WIFEXITED(status) && - (WEXITSTATUS(status) == CM_SUBMIT_STATUS_NEED_REKEY)) { - return 0; - } return -1; } diff --git a/src/tdbush.c b/src/tdbush.c index 631da3ed2bbb1f6828d576760299ad51d7e41923..aec5e9d0a36a7cb5c035e1aefda04c2b32b1e100 100644 --- a/src/tdbush.c +++ b/src/tdbush.c @@ -7117,14 +7117,6 @@ cm_tdbush_iface_request(void) NULL))), NULL), make_interface_item(cm_tdbush_interface_method, - make_method("rekey", - request_rekey, - make_method_arg("working", - DBUS_TYPE_BOOLEAN_AS_STRING, - cm_tdbush_method_arg_out, - NULL), - NULL), - make_interface_item(cm_tdbush_interface_method, make_method("resubmit", request_resubmit, make_method_arg("working", @@ -7179,7 +7171,7 @@ cm_tdbush_iface_request(void) make_interface_item(cm_tdbush_interface_signal, make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, NULL), - NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); + NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); } return ret; } diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out index bd57a01ba8725418978259018441f6a9a6672758..85d07b3baef83dbafd39c03888881cb665518733 100644 --- a/tests/010-iterate/expected.out +++ b/tests/010-iterate/expected.out 
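Review bot: `cm_submit_e_need_rekey()` now ignores the helper's exit status, so a helper that exits with `CM_SUBMIT_STATUS_NEED_REKEY` is no longer recognised here. Judging by the updated tests/010-iterate/expected.out, the request then sits in `NEED_GUIDANCE`. The stub should say so in a comment, for example `/* rekey removed: a NEED_REKEY exit from the helper is left unhandled */`, and the condition is worth logging so an operator can see why a request stalled before its certificate expires. `state` is unused after the change; `(void) state;` avoids the unused-parameter warning.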
@@ -398,19 +398,15 @@ HAVE_CSR -START- NEED_TO_SUBMIT SUBMITTING -NEED_KEY_PAIR +NEED_GUIDANCE -STOP- -NEED_KEY_PAIR +NEED_GUIDANCE -START- -GENERATING_KEY_PAIR -HAVE_KEY_PAIR -NEED_KEYINFO +NEED_GUIDANCE -STOP- -NEED_KEYINFO +NEED_GUIDANCE -START- -READING_KEYINFO -HAVE_KEYINFO -NEED_CSR +NEED_GUIDANCE -STOP- [Enroll until we notice we have no specified CA.] diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out index 93cc4d184524c4b1aeba02a650c94d832462c236..26850efaedb966cd94ecd0db42d6adb378b47f37 100644 --- a/tests/028-dbus/expected.out +++ b/tests/028-dbus/expected.out @@ -403,9 +403,6 @@ OK - - - @@ -483,9 +480,6 @@ recently 1 on /org/fedorahosted/certmonger/requests/Request2 After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1) -[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ] -1 - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.resubmit ] 1 diff --git a/tests/036-getcert/expected.out b/tests/036-getcert/expected.out index c1a13c8e058e39285ee842b173356002da2fd0e6..b6d1eaf7c733e04d5b928e7a59edeca43a27a5ef 100644 --- a/tests/036-getcert/expected.out +++ b/tests/036-getcert/expected.out @@ -11,20 +11,21 @@ certs:1 keys:1 -----BEGIN PRIVATE KEY----- [Files, rekey] -Resubmitting "first" to "local". certs:1 -----BEGIN CERTIFICATE----- keys:1 -----BEGIN PRIVATE KEY----- +ERROR: keys were not changed on rekey +ERROR: cert was not changed on rekey [Files, rekey with preserve=1] -Resubmitting "first" to "local". certs:1 -----BEGIN CERTIFICATE----- -keys:2 ------BEGIN PRIVATE KEY----- +keys:1 -----BEGIN PRIVATE KEY----- +ERROR: keys were not changed on rekey +ERROR: cert was not changed on rekey +ERROR: old keys were not saved on rekey [Files, rekey with jerk CA] -Resubmitting "first" to "jerkca". certs:1 -----BEGIN CERTIFICATE----- keys:1 
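Review bot: The new expected output for `[Files, rekey]` and `[Files, rekey with preserve=1]` in tests/036-getcert/expected.out records `ERROR: keys were not changed on rekey` and `ERROR: cert was not changed on rekey` as the passing result, and the `[Database, ...]` hunk at -44 does the same. A test that passes only when its own error checks fire no longer verifies anything about those cases, and it trains readers to ignore `ERROR:` lines in this suite. It would be cleaner to drop or skip the rekey cases in the test script in the same commit as the feature removal, instead of capturing their failure output as the baseline.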
@@ -44,30 +45,31 @@ pk12util: PKCS12 EXPORT SUCCESSFUL cert:1 key:1 [Database, rekey] -Resubmitting "first" to "local". certs:1 keys:1 pk12util: PKCS12 EXPORT SUCCESSFUL cert:1 key:1 +ERROR: keys were not changed on rekey +ERROR: cert was not changed on rekey [Database, rekey with preserve=1] -Resubmitting "first" to "local". certs:1 -keys:2 +keys:1 pk12util: PKCS12 EXPORT SUCCESSFUL cert:1 key:1 +ERROR: keys were not changed on rekey +ERROR: cert was not changed on rekey +ERROR: old keys were not saved on rekey [Database, rekey with jerk CA] -Resubmitting "first" to "jerkca". certs:1 -keys:3 +keys:1 pk12util: PKCS12 EXPORT SUCCESSFUL cert:1 key:1 [Database, rekey with jerk CA, nonpreserving] -Resubmitting "first" to "jerkca". certs:1 -keys:3 +keys:1 pk12util: PKCS12 EXPORT SUCCESSFUL cert:1 key:1 diff --git a/tests/037-rekey2/expected.out b/tests/037-rekey2/expected.out index bd8cca7c3eedb5a02249f450451b651bb270ec24..62a1c746f86bb53fe79d1226ab9194825f7642d8 100644 --- a/tests/037-rekey2/expected.out +++ b/tests/037-rekey2/expected.out @@ -112,7 +112,7 @@ MONITORING -STOP- MONITORING -START- -NEED_KEY_PAIR +NEED_CSR -STOP- [Uses = 2.] NEED_KEY_PAIR @@ -228,6 +228,6 @@ MONITORING -STOP- MONITORING -START- -NEED_KEY_PAIR +NEED_CSR -STOP- Test complete. -- 2.7.4