diff --git a/SOURCES/0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch b/SOURCES/0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch
new file mode 100644
index 0000000..593d4fb
--- /dev/null
+++ b/SOURCES/0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch
@@ -0,0 +1,104 @@ +From 3364f76f5984ff4cbc8e7a1a455cedfa228adc4b Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 2 Apr 2018 13:26:39 -0400 +Subject: [PATCH 20/25] If stderr is not a tty log to syslog so the helpers can + log + +All the helpers were configured to use the log method cm_log_stderr +which when exececuted as a helper from the certmonger daemon would +log nowhere. + +If stderr is detected as a tty (e.g. the helper is run directly on +the cli) then logging will go there. Otherwise it will log to +syslog (honoring the log level). +--- + src/certmaster.c | 5 ++++- + src/dogtag.c | 5 ++++- + src/ipa.c | 5 ++++- + src/local.c | 5 ++++- + src/scep.c | 5 ++++- + 5 files changed, 20 insertions(+), 5 deletions(-) + +diff --git a/src/certmaster.c b/src/certmaster.c +index 64662fa..dc68ecd 100644 +--- a/src/certmaster.c ++++ b/src/certmaster.c +@@ -86,7 +86,10 @@ main(int argc, const char **argv) + bindtextdomain(PACKAGE, MYLOCALEDIR); + #endif + +- cm_log_set_method(cm_log_stderr); ++ if (isatty(STDERR_FILENO)) ++ cm_log_set_method(cm_log_stderr); ++ else ++ cm_log_set_method(cm_log_syslog); + pctx = poptGetContext(argv[0], argc, argv, popts, 0); + if (pctx == NULL) { + return CM_SUBMIT_STATUS_UNCONFIGURED; +diff --git a/src/dogtag.c b/src/dogtag.c +index 0247cf2..3780a2d 100644 +--- a/src/dogtag.c ++++ b/src/dogtag.c +@@ -296,7 +296,10 @@ main(int argc, const char **argv) + } + + umask(S_IRWXG | S_IRWXO); +- cm_log_set_method(cm_log_stderr); ++ if (isatty(STDERR_FILENO)) ++ cm_log_set_method(cm_log_stderr); ++ else ++ cm_log_set_method(cm_log_syslog); + cm_log_set_level(verbose); + + nctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION, +diff --git a/src/ipa.c b/src/ipa.c +index 13ea4ca..1279d1c 100644 +--- a/src/ipa.c ++++ b/src/ipa.c +@@ -671,7 +671,10 @@ main(int argc, const char **argv) + } + + umask(S_IRWXG | S_IRWXO); +- cm_log_set_method(cm_log_stderr); ++ if (isatty(STDERR_FILENO)) ++ cm_log_set_method(cm_log_stderr); ++ else ++ 
cm_log_set_method(cm_log_syslog); + cm_log_set_level(verbose); + + /* Start backfilling defaults, both hard-coded and from the IPA +diff --git a/src/local.c b/src/local.c +index 74aee63..004add3 100644 +--- a/src/local.c ++++ b/src/local.c +@@ -484,7 +484,10 @@ main(int argc, const char **argv) + + umask(S_IRWXG | S_IRWXO); + +- cm_log_set_method(cm_log_stderr); ++ if (isatty(STDERR_FILENO)) ++ cm_log_set_method(cm_log_stderr); ++ else ++ cm_log_set_method(cm_log_syslog); + cm_log_set_level(verbose); + + if (localdir == NULL) { +diff --git a/src/scep.c b/src/scep.c +index 11f9ae3..0dbdcd7 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -332,7 +332,10 @@ main(int argc, const char **argv) + } + + umask(S_IRWXG | S_IRWXO); +- cm_log_set_method(cm_log_stderr); ++ if (isatty(STDERR_FILENO)) ++ cm_log_set_method(cm_log_stderr); ++ else ++ cm_log_set_method(cm_log_syslog); + cm_log_set_level(verbose); + + ctx = talloc_new(NULL); +-- +1.8.3.1 + diff --git a/SOURCES/0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch b/SOURCES/0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch new file mode 100644 index 0000000..b1ba4b0 --- /dev/null +++ b/SOURCES/0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch 
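Review bot: `isatty(STDERR_FILENO)` makes the log sink depend on how fd 2 happens to be wired rather than on who spawned the helper, so an operator running a helper by hand with stderr redirected (`2>helper.log` or `2>&1 | less`) now gets nothing in the file and the output goes to syslog instead. If the intent is "syslog only when driven by the certmonger daemon", consider keeping stderr when fd 2 is a regular file or FIFO and falling back to syslog only for a closed fd, or give the helpers an explicit option/environment override, and state the rule in each helper's man page. None of the five hunks adds `#include <unistd.h>` for `isatty()`/`STDERR_FILENO`; confirm each file already pulls it in through its existing includes. In certmaster.c the method is selected before option parsing and no `cm_log_set_level(verbose)` follows it in the hunk, unlike the other four files, so check that the syslog level is actually applied there. Every `main()` touched here starts and ends outside its hunk.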
@@ -0,0 +1,42 @@ +From 6627c9d346b887016afa92664f690a0310d4ce00 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 2 Apr 2018 13:31:32 -0400 +Subject: [PATCH 21/25] On PKCS#7 verify failures log the PKCS#7 file, fix + variable used + +results was being used in place of results2. + +In practice it would be the result of GetCACaps which means it would +log _something_, just not the failed PKCS#7 file. +--- + src/scep.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/scep.c b/src/scep.c +index 0dbdcd7..5dd362d 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -920,15 +920,18 @@ main(int argc, const char **argv) + if (i != 0) { + printf(_("Error: failed to verify signature on " + "server response.\n")); ++ cm_log(1, "Error: failed to verify signature on " ++ "server response.\n"); + while ((error = ERR_get_error()) != 0) { + memset(buf, '\0', sizeof(buf)); + ERR_error_string_n(error, buf, sizeof(buf)); + cm_log(1, "%s\n", buf); + } +- s = cm_store_base64_from_bin(ctx, (unsigned char *) results, +- results_length); ++ s = cm_store_base64_from_bin(ctx, (unsigned char *) results2, ++ results_length2); + s = cm_submit_u_pem_from_base64("PKCS7", 0, s); + fprintf(stderr, "%s", s); ++ cm_log(1, "%s", s); + free(s); + return CM_SUBMIT_STATUS_UNREACHABLE; + } +-- +1.8.3.1 + diff --git a/SOURCES/0022-Allow-configuration-of-client-SCEP-algorithms.patch b/SOURCES/0022-Allow-configuration-of-client-SCEP-algorithms.patch new file mode 100644 index 0000000..af0d4bd --- /dev/null +++ b/SOURCES/0022-Allow-configuration-of-client-SCEP-algorithms.patch 
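Review bot: Neither helper return value is checked before use: `s` from `cm_store_base64_from_bin()` and then from `cm_submit_u_pem_from_base64()` goes straight into `fprintf`/`cm_log` with `%s` and `free()`, so if either returns NULL (an empty `results2`, or an allocation failure, presumably) the failure path itself crashes with undefined behaviour; wrap the two output calls in `if (s != NULL) { ... }`. With patch 0020 in place this path now emits an entire PEM-encoded PKCS#7 blob, embedded newlines included, as one syslog record at level 1, which syslog daemons commonly truncate or split; consider logging it per line or only at a higher verbosity. The error text is also still emitted twice (stdout and log), which is fine for diagnosis but worth a one-line comment saying the stdout copy is what the daemon surfaces to the user. `main()` continues outside the hunk.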
@@ -0,0 +1,561 @@ +From 3523ad7b8b2349ed4ee301b992797902b7288028 Mon Sep 17 00:00:00 2001 +From: Trevor Vaughan +Date: Fri, 23 Feb 2018 16:11:35 -0500 +Subject: [PATCH 22/25] Allow configuration of client SCEP algorithms + +* Allow users to set `scep_cipher` and `scep_digest` in their CA +configuration. These settings are authoritative and will override +anything from the server. This was added to support connections to +systems, such as Dogtag, that do not provide a CA capabilities string +and, therefore, are prone to causing incorrect ciphers to be used on the +client side. + +* In accordance with the latest SCEP Draft RFC, the default cipher has +been changed to AES-256 and the default digest has been changed to +SHA-256. These were chosen as reasonable defaults for most users and +systems. + +* To ease the determination of which configuration file controls what +CA, the output of `getcert list-cas -v` was updated to print a +`config-path` entry which will list the specific configuration +associated with a given CA. 
+ +Closes #89 +--- + src/getcert.c | 6 ++ + src/prefs.h | 5 ++ + src/scepgen-o.c | 182 ++++++++++++++++++++++++++++++++++++++++++------------ + src/store-files.c | 22 +++++++ + src/store-int.h | 4 ++ + src/tdbus.h | 2 + + src/tdbush.c | 149 +++++++++++++++++++++++++++++++++++++++++++- + 7 files changed, 331 insertions(+), 39 deletions(-) + +diff --git a/src/getcert.c b/src/getcert.c +index 35fd0d6..724d125 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -4157,6 +4157,12 @@ list_cas(const char *argv0, int argc, const char **argv) + if ((s != NULL) && (strlen(s) > 0)) { + printf(_("\tpost-save command: %s\n"), s); + } ++ if (verbose > 0) { ++ printf(_("\tconfig-path: %s\n"), ++ query_rep_s(bus, cas[i], CM_DBUS_CA_INTERFACE, ++ "get_config_file_path", ++ verbose, globals.tctx)); ++ } + } + return 0; + } +diff --git a/src/prefs.h b/src/prefs.h +index 231aea7..349ec64 100644 +--- a/src/prefs.h ++++ b/src/prefs.h +@@ -20,9 +20,12 @@ + + enum cm_prefs_cipher { + cm_prefs_aes128, ++ cm_prefs_aes192, + cm_prefs_aes256, + cm_prefs_des3, + cm_prefs_des, ++ /* This is for the selection logic */ ++ cm_prefs_nocipher, + }; + + enum cm_prefs_digest { +@@ -31,6 +34,8 @@ enum cm_prefs_digest { + cm_prefs_sha512, + cm_prefs_sha1, + cm_prefs_md5, ++ /* This is for the selection logic */ ++ cm_prefs_nodigest, + }; + + enum cm_notification_method; +diff --git a/src/scepgen-o.c b/src/scepgen-o.c +index d11e3de..07c2b8b 100644 +--- a/src/scepgen-o.c ++++ b/src/scepgen-o.c +@@ -433,49 +433,155 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + free(pem); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } +- cipher = cm_prefs_des; +- for (i = 0; +- (ca->cm_ca_capabilities != NULL) && +- (ca->cm_ca_capabilities[i] != NULL); +- i++) { +- capability = ca->cm_ca_capabilities[i]; +- if (strcmp(capability, "DES3") == 0) { +- cm_log(1, "Server supports DES3, using that.\n"); ++ ++ char* scep_cipher = ca->cm_ca_scep_cipher; ++ if (scep_cipher != NULL) { ++ /* Force the 
cipher to whatever is in the configuration */ ++ if (strcmp(scep_cipher, "AES256") == 0) { ++ cipher = cm_prefs_aes256; ++ } ++ else if (strcmp(scep_cipher, "AES192") == 0) { ++ cipher = cm_prefs_aes192; ++ } ++ else if (strcmp(scep_cipher, "AES128") == 0) { ++ cipher = cm_prefs_aes128; ++ } ++ else if (strcmp(scep_cipher, "DES3") == 0) { + cipher = cm_prefs_des3; +- break; +- } +- } +- if (cipher == cm_prefs_des) { +- cm_log(1, "Server does not support DES3, using DES.\n"); +- } +- pref_digest = cm_prefs_preferred_digest(); +- digest = cm_prefs_md5; +- for (i = 0; +- (ca->cm_ca_capabilities != NULL) && +- (ca->cm_ca_capabilities[i] != NULL); +- i++) { +- capability = ca->cm_ca_capabilities[i]; +- if ((pref_digest == cm_prefs_sha1) && +- (strcmp(capability, "SHA-1") == 0)) { +- cm_log(1, "Server supports SHA-1, using that.\n"); +- digest = cm_prefs_sha1; +- break; + } +- if ((pref_digest == cm_prefs_sha256) && +- (strcmp(capability, "SHA-256") == 0)) { +- cm_log(1, "Server supports SHA-256, using that.\n"); +- digest = cm_prefs_sha256; +- break; ++ else if (strcmp(scep_cipher, "DES") == 0) { ++ cipher = cm_prefs_des; + } +- if ((pref_digest == cm_prefs_sha512) && +- (strcmp(capability, "SHA-512") == 0)) { +- cm_log(1, "Server supports SHA-512, using that.\n"); +- digest = cm_prefs_sha512; +- break; ++ else { ++ cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. 
Got '%s'\n", scep_cipher); ++ _exit(1); ++ } ++ ++ cm_log(1, "SCEP cipher authoritatively set to: '%s'\n", scep_cipher); ++ } ++ else { ++ cipher = cm_prefs_nocipher; ++ for (i = 0; ++ (ca->cm_ca_capabilities != NULL) && ++ (ca->cm_ca_capabilities[i] != NULL); ++ i++) { ++ capability = ca->cm_ca_capabilities[i]; ++ if ((strcmp(capability, "AES-256") == 0) || ++ (strcmp(capability, "AES256") == 0)) { ++ cm_log(1, "Server supports AES256, using that.\n"); ++ cipher = cm_prefs_aes256; ++ break; ++ } ++ if ((strcmp(capability, "AES-192") == 0) || ++ (strcmp(capability, "AES192") == 0)) { ++ cm_log(1, "Server supports AES192, using that.\n"); ++ cipher = cm_prefs_aes192; ++ break; ++ } ++ if ((strcmp(capability, "AES-128") == 0) || ++ (strcmp(capability, "AES128") == 0)) { ++ cm_log(1, "Server supports AES128, using that.\n"); ++ cipher = cm_prefs_aes128; ++ break; ++ } ++ if (strcmp(capability, "AES") == 0) { ++ cm_log(1, "Server supports AES, using AES256.\n"); ++ cipher = cm_prefs_aes256; ++ break; ++ } ++ if (strcmp(capability, "DES3") == 0) { ++ cm_log(1, "Server supports DES3, using that.\n"); ++ cipher = cm_prefs_des3; ++ break; ++ } ++ /* This remains for backward compatibility */ ++ if (strcmp(capability, "DES") == 0) { ++ cm_log(1, "Server supports DES, using that.\n"); ++ cipher = cm_prefs_des; ++ break; ++ } ++ } ++ if (cipher == cm_prefs_nocipher) { ++ /* Per the latest Draft RFC */ ++ cm_log(1, "Could not determine supported CA capabilities, using AES256.\n"); ++ cipher = cm_prefs_aes256; + } + } +- if (digest == cm_prefs_md5) { +- cm_log(1, "Server does not support better digests, using MD5.\n"); ++ ++ char* scep_digest = ca->cm_ca_scep_digest; ++ if (scep_digest != NULL) { ++ /* Force the digest to whatever is in the configuration */ ++ if (strcmp(scep_digest, "SHA512") == 0) { ++ digest = cm_prefs_sha512; ++ } ++ else if (strcmp(scep_digest, "SHA384") == 0) { ++ digest = cm_prefs_sha384; ++ } ++ else if (strcmp(scep_digest, "SHA256") == 0) { ++ digest = 
cm_prefs_sha256; ++ } ++ else if (strcmp(scep_digest, "SHA1") == 0) { ++ digest = cm_prefs_sha1; ++ } ++ else if (strcmp(scep_digest, "MD5") == 0) { ++ digest = cm_prefs_md5; ++ } ++ else { ++ cm_log(1, "Option 'scep_digest' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_digest); ++ _exit(1); ++ } ++ ++ cm_log(1, "SCEP digest authoritatively set to: '%s'\n", scep_digest); ++ } ++ else { ++ pref_digest = cm_prefs_preferred_digest(); ++ digest = cm_prefs_nodigest; ++ for (i = 0; ++ (ca->cm_ca_capabilities != NULL) && ++ (ca->cm_ca_capabilities[i] != NULL); ++ i++) { ++ capability = ca->cm_ca_capabilities[i]; ++ if ((pref_digest == cm_prefs_sha512) && ++ ((strcmp(capability, "SHA-512") == 0) || ++ (strcmp(capability, "SHA512") == 0))) { ++ cm_log(1, "Server supports SHA-512, using that.\n"); ++ digest = cm_prefs_sha512; ++ break; ++ } ++ if ((pref_digest == cm_prefs_sha384) && ++ ((strcmp(capability, "SHA-384") == 0) || ++ (strcmp(capability, "SHA384") == 0))) { ++ cm_log(1, "Server supports SHA-384, using that.\n"); ++ digest = cm_prefs_sha384; ++ break; ++ } ++ if ((pref_digest == cm_prefs_sha256) && ++ ((strcmp(capability, "SHA-256") == 0) || ++ (strcmp(capability, "SHA256") == 0))) { ++ cm_log(1, "Server supports SHA-256, using that.\n"); ++ digest = cm_prefs_sha256; ++ break; ++ } ++ if ((pref_digest == cm_prefs_sha1) && ++ ((strcmp(capability, "SHA-1") == 0) || ++ (strcmp(capability, "SHA1") == 0))) { ++ cm_log(1, "Server supports SHA-1, using that.\n"); ++ digest = cm_prefs_sha1; ++ break; ++ } ++ /* This remains for backward compatibility */ ++ if ((pref_digest == cm_prefs_sha1) && ++ (strcmp(capability, "MD5") == 0)) { ++ cm_log(1, "Server supports MD5, using that.\n"); ++ digest = cm_prefs_md5; ++ break; ++ } ++ } ++ if (digest == cm_prefs_nodigest) { ++ /* Per the latest Draft RFC */ ++ cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n"); ++ digest = cm_prefs_sha256; ++ } + } + if (old_cert != NULL) { + if 
(cm_pkcs7_envelope_ias(ca->cm_ca_encryption_cert, cipher, +diff --git a/src/store-files.c b/src/store-files.c +index 977e896..c7195c4 100644 +--- a/src/store-files.c ++++ b/src/store-files.c +@@ -206,6 +206,8 @@ enum cm_store_file_field { + cm_store_ca_field_other_cert_nssdbs, + + cm_store_ca_field_capabilities, ++ cm_store_ca_field_scep_cipher, ++ cm_store_ca_field_scep_digest, + cm_store_ca_field_scep_ca_identifier, + cm_store_ca_field_encryption_cert, + cm_store_ca_field_encryption_issuer_cert, +@@ -385,6 +387,8 @@ static struct cm_store_file_field_list { + {cm_store_ca_field_other_cert_nssdbs, "ca_other_cert_dbs"}, + + {cm_store_ca_field_capabilities, "ca_capabilities"}, ++ {cm_store_ca_field_scep_cipher, "scep_cipher"}, ++ {cm_store_ca_field_scep_digest, "scep_digest"}, + {cm_store_ca_field_scep_ca_identifier, "scep_ca_identifier"}, + {cm_store_ca_field_encryption_cert, "ca_encryption_cert"}, + {cm_store_ca_field_encryption_issuer_cert, "ca_encryption_issuer_cert"}, +@@ -725,6 +729,8 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp) + case cm_store_ca_field_other_root_cert_nssdbs: + case cm_store_ca_field_other_cert_nssdbs: + case cm_store_ca_field_capabilities: ++ case cm_store_ca_field_scep_cipher: ++ case cm_store_ca_field_scep_digest: + case cm_store_ca_field_scep_ca_identifier: + case cm_store_ca_field_encryption_cert: + case cm_store_ca_field_encryption_issuer_cert: +@@ -1523,6 +1529,14 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) + ret->cm_ca_capabilities = + free_if_empty_multi(ret, p); + break; ++ case cm_store_ca_field_scep_cipher: ++ ret->cm_ca_scep_cipher = ++ free_if_empty(p); ++ break; ++ case cm_store_ca_field_scep_digest: ++ ret->cm_ca_scep_digest = ++ free_if_empty(p); ++ break; + case cm_store_ca_field_scep_ca_identifier: + ret->cm_ca_scep_ca_identifier = + free_if_empty(p); +@@ -2339,6 +2353,10 @@ cm_store_ca_write(FILE *fp, struct cm_store_ca *ca) + ca->cm_ca_other_cert_store_nssdbs); + 
cm_store_file_write_strs(fp, cm_store_ca_field_capabilities, + ca->cm_ca_capabilities); ++ cm_store_file_write_str(fp, cm_store_ca_field_scep_cipher, ++ ca->cm_ca_scep_cipher); ++ cm_store_file_write_str(fp, cm_store_ca_field_scep_digest, ++ ca->cm_ca_scep_digest); + cm_store_file_write_str(fp, cm_store_ca_field_scep_ca_identifier, + ca->cm_ca_scep_ca_identifier); + cm_store_file_write_str(fp, cm_store_ca_field_encryption_cert, +@@ -2861,6 +2879,10 @@ cm_store_ca_dup(void *parent, struct cm_store_ca *ca) + + ret->cm_ca_capabilities = + cm_store_maybe_strdupv(ret, ca->cm_ca_capabilities); ++ ret->cm_ca_scep_cipher = ++ cm_store_maybe_strdup(ret, ca->cm_ca_scep_cipher); ++ ret->cm_ca_scep_digest = ++ cm_store_maybe_strdup(ret, ca->cm_ca_scep_digest); + ret->cm_ca_scep_ca_identifier = + cm_store_maybe_strdup(ret, ca->cm_ca_scep_ca_identifier); + ret->cm_ca_encryption_cert = +diff --git a/src/store-int.h b/src/store-int.h +index 98b37e6..4a40406 100644 +--- a/src/store-int.h ++++ b/src/store-int.h +@@ -349,6 +349,10 @@ struct cm_store_ca { + char **cm_ca_other_cert_store_nssdbs; + /* CA capabilities. Currently only ever SCEP capabilities. */ + char **cm_ca_capabilities; ++ /* SCEP Cipher to use. Overrides CA Capabilities */ ++ char *cm_ca_scep_cipher; ++ /* SCEP Digest to use. Overrides CA Capabilities */ ++ char *cm_ca_scep_digest; + /* An SCEP CA identifier, for use in gathering an RA (and possibly a + * CA) certificate. 
*/ + char *cm_ca_scep_ca_identifier; +diff --git a/src/tdbus.h b/src/tdbus.h +index 7164f11..e63e783 100644 +--- a/src/tdbus.h ++++ b/src/tdbus.h +@@ -119,6 +119,8 @@ + #define CM_DBUS_PROP_ROOT_CERTS "root-certs" + #define CM_DBUS_PROP_OTHER_ROOT_CERTS "root-other-certs" + #define CM_DBUS_PROP_OTHER_CERTS "other-certs" ++#define CM_DBUS_PROP_SCEP_CIPHER "scep-cipher" ++#define CM_DBUS_PROP_SCEP_DIGEST "scep-digest" + #define CM_DBUS_PROP_SCEP_CA_IDENTIFIER "scep-ca-identifier" + #define CM_DBUS_PROP_SCEP_CA_CAPABILITIES "scep-ca-capabilities" + #define CM_DBUS_PROP_SCEP_RA_CERT "scep-ra-cert" +diff --git a/src/tdbush.c b/src/tdbush.c +index 04fe57e..3ce6c40 100644 +--- a/src/tdbush.c ++++ b/src/tdbush.c +@@ -2128,6 +2128,27 @@ ca_get_serial(DBusConnection *conn, DBusMessage *msg, + } + } + ++/* org.fedorahosted.certonger.ca.get_config_file_path */ ++ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg, ++ struct cm_client_info *ci, struct cm_context *ctx) ++{ ++ DBusMessage *rep; ++ struct cm_store_ca *ca; ++ ca = get_ca_for_request_message(msg, ctx); ++ if (ca == NULL) { ++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; ++ } ++ rep = dbus_message_new_method_return(msg); ++ if (rep != NULL) { ++ cm_tdbusm_set_s(rep, ca->cm_store_private); ++ dbus_connection_send(conn, rep, NULL); ++ dbus_message_unref(rep); ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return send_internal_ca_error(conn, msg); ++ } ++} ++ + /* org.fedorahosted.certonger.ca.refresh */ + static DBusHandlerResult + ca_refresh(DBusConnection *conn, DBusMessage *msg, +@@ -2262,6 +2283,106 @@ ca_prop_set_external_helper(struct cm_context *ctx, void *parent, + } + + static const char * ++ca_prop_get_scep_cipher(struct cm_context *ctx, void *parent, ++ void *record, const char *name) ++{ ++ struct cm_store_ca *ca = record; ++ ++ if (strcmp(name, CM_DBUS_PROP_SCEP_CIPHER) == 0) { ++ if (ca->cm_ca_type != cm_ca_external) { ++ return ""; ++ } ++ if (ca->cm_ca_scep_cipher != NULL) { ++ return 
ca->cm_ca_scep_cipher; ++ } else { ++ return ""; ++ } ++ } ++ return NULL; ++} ++ ++static void ++ca_prop_set_scep_cipher(struct cm_context *ctx, void *parent, ++ void *record, const char *name, ++ const char *new_value) ++{ ++ const char *propname[2], *path; ++ struct cm_store_ca *ca = record; ++ enum cm_ca_phase phase; ++ ++ if (strcmp(name, CM_DBUS_PROP_SCEP_CIPHER) == 0) { ++ if (ca->cm_ca_type != cm_ca_external) { ++ return; ++ } ++ talloc_free(ca->cm_ca_scep_cipher); ++ ca->cm_ca_scep_cipher = new_value ? ++ talloc_strdup(ca, new_value) : ++ NULL; ++ for (phase = 0; phase < cm_ca_phase_invalid; phase++) { ++ cm_restart_ca(ctx, ca->cm_nickname, phase); ++ } ++ propname[0] = CM_DBUS_PROP_SCEP_CIPHER; ++ propname[1] = NULL; ++ path = talloc_asprintf(parent, "%s/%s", ++ CM_DBUS_CA_PATH, ++ ca->cm_busname); ++ cm_tdbush_property_emit_changed(ctx, path, ++ CM_DBUS_CA_INTERFACE, ++ propname); ++ } ++} ++ ++static const char * ++ca_prop_get_scep_digest(struct cm_context *ctx, void *parent, ++ void *record, const char *name) ++{ ++ struct cm_store_ca *ca = record; ++ ++ if (strcmp(name, CM_DBUS_PROP_SCEP_DIGEST) == 0) { ++ if (ca->cm_ca_type != cm_ca_external) { ++ return ""; ++ } ++ if (ca->cm_ca_scep_digest != NULL) { ++ return ca->cm_ca_scep_digest; ++ } else { ++ return ""; ++ } ++ } ++ return NULL; ++} ++ ++static void ++ca_prop_set_scep_digest(struct cm_context *ctx, void *parent, ++ void *record, const char *name, ++ const char *new_value) ++{ ++ const char *propname[2], *path; ++ struct cm_store_ca *ca = record; ++ enum cm_ca_phase phase; ++ ++ if (strcmp(name, CM_DBUS_PROP_SCEP_DIGEST) == 0) { ++ if (ca->cm_ca_type != cm_ca_external) { ++ return; ++ } ++ talloc_free(ca->cm_ca_scep_digest); ++ ca->cm_ca_scep_digest = new_value ? 
++ talloc_strdup(ca, new_value) : ++ NULL; ++ for (phase = 0; phase < cm_ca_phase_invalid; phase++) { ++ cm_restart_ca(ctx, ca->cm_nickname, phase); ++ } ++ propname[0] = CM_DBUS_PROP_SCEP_DIGEST; ++ propname[1] = NULL; ++ path = talloc_asprintf(parent, "%s/%s", ++ CM_DBUS_CA_PATH, ++ ca->cm_busname); ++ cm_tdbush_property_emit_changed(ctx, path, ++ CM_DBUS_CA_INTERFACE, ++ propname); ++ } ++} ++ ++static const char * + ca_prop_get_scep_ca_identifier(struct cm_context *ctx, void *parent, + void *record, const char *name) + { +@@ -7232,6 +7353,14 @@ cm_tdbush_iface_ca(void) + if (ret == NULL) { + ret = make_interface(CM_DBUS_CA_INTERFACE, + make_interface_item(cm_tdbush_interface_method, ++ make_method("get_config_file_path", ++ ca_get_config_file_path, ++ make_method_arg("path", ++ DBUS_TYPE_STRING_AS_STRING, ++ cm_tdbush_method_arg_out, ++ NULL), ++ NULL), ++ make_interface_item(cm_tdbush_interface_method, + make_method("get_nickname", + ca_get_nickname, + make_method_arg("nickname", +@@ -7483,6 +7612,24 @@ cm_tdbush_iface_ca(void) + NULL, NULL, NULL, NULL, NULL, + NULL), + make_interface_item(cm_tdbush_interface_property, ++ make_property(CM_DBUS_PROP_SCEP_CIPHER, ++ cm_tdbush_property_string, ++ cm_tdbush_property_readwrite, ++ cm_tdbush_property_special, ++ 0, ++ ca_prop_get_scep_cipher, NULL, NULL, NULL, NULL, ++ ca_prop_set_scep_cipher, NULL, NULL, NULL, NULL, ++ NULL), ++ make_interface_item(cm_tdbush_interface_property, ++ make_property(CM_DBUS_PROP_SCEP_DIGEST, ++ cm_tdbush_property_string, ++ cm_tdbush_property_readwrite, ++ cm_tdbush_property_special, ++ 0, ++ ca_prop_get_scep_digest, NULL, NULL, NULL, NULL, ++ ca_prop_set_scep_digest, NULL, NULL, NULL, NULL, ++ NULL), ++ make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_SCEP_CA_IDENTIFIER, + cm_tdbush_property_string, + cm_tdbush_property_readwrite, +@@ -7527,7 +7674,7 @@ cm_tdbush_iface_ca(void) + NULL, NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, NULL, + NULL), +- 
NULL)))))))))))))))))))))))))))))))))))); ++ NULL))))))))))))))))))))))))))))))))))))))); + } + return ret; + } +-- +1.8.3.1 + diff --git a/SOURCES/0023-Updates-per-Feedback.patch b/SOURCES/0023-Updates-per-Feedback.patch new file mode 100644 index 0000000..4181934 --- /dev/null +++ b/SOURCES/0023-Updates-per-Feedback.patch 
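Review bot: The capability loop in cm_scepgen_o_cooked takes the first recognised entry in the order the server lists them and `break`s, so a GetCACaps reply listing `DES3` before `AES` selects DES3, and one listing `DES` first selects single DES, even though a stronger cipher is advertised; since GetCACaps is unauthenticated, selection should pick the strongest cipher across the whole list rather than trust the server's ordering, as in the excerpt below. The digest loop has the same shape, and its MD5 branch chooses MD5 whenever the preferred digest is SHA1 and `MD5` precedes `SHA-1` in the list. Separately, `ca_get_config_file_path` in tdbush.c is declared without `static DBusHandlerResult` (compare `ca_refresh` directly below it), so it relies on implicit int and exports a symbol. `ca_prop_set_scep_cipher`/`ca_prop_set_scep_digest` accept any string, including `""`, and the only validation is the `_exit(1)` in the forked scepgen child, so an invalid or cleared property silently breaks enrollment for that CA; validate the value in the setter and treat empty as unset, `ca->cm_ca_scep_cipher = (new_value && *new_value) ? talloc_strdup(ca, new_value) : NULL;`. Mapping the bare `AES` keyword to AES-256 also deserves a check against the draft, which as I read it announces AES128-CBC under that name; cm_scepgen_o_cooked starts and ends outside the hunk.
```c
/* Rank ciphers by strength so the strongest advertised one wins,
 * whatever order the server lists its capabilities in. */
static int
cm_scepgen_o_cipher_rank(enum cm_prefs_cipher cipher)
{
	switch (cipher) {
	case cm_prefs_aes256: return 5;
	case cm_prefs_aes192: return 4;
	case cm_prefs_aes128: return 3;
	case cm_prefs_des3:   return 2;
	case cm_prefs_des:    return 1;
	default:              return 0; /* cm_prefs_nocipher */
	}
}

/* … unchanged: cm_scepgen_o_cooked up to the scep_cipher override … */
	else {
		enum cm_prefs_cipher candidate;
		const char *chosen = NULL;

		cipher = cm_prefs_nocipher;
		for (i = 0;
		     (ca->cm_ca_capabilities != NULL) &&
		     (ca->cm_ca_capabilities[i] != NULL);
		     i++) {
			capability = ca->cm_ca_capabilities[i];
			if ((strcmp(capability, "AES-256") == 0) ||
			    (strcmp(capability, "AES256") == 0) ||
			    (strcmp(capability, "AES") == 0)) {
				candidate = cm_prefs_aes256;
			} else if ((strcmp(capability, "AES-192") == 0) ||
				   (strcmp(capability, "AES192") == 0)) {
				candidate = cm_prefs_aes192;
			} else if ((strcmp(capability, "AES-128") == 0) ||
				   (strcmp(capability, "AES128") == 0)) {
				candidate = cm_prefs_aes128;
			} else if (strcmp(capability, "DES3") == 0) {
				candidate = cm_prefs_des3;
			} else if (strcmp(capability, "DES") == 0) {
				/* Backward compatibility only. */
				candidate = cm_prefs_des;
			} else {
				continue;
			}
			/* Keep the strongest cipher seen, not the first listed. */
			if (cm_scepgen_o_cipher_rank(candidate) >
			    cm_scepgen_o_cipher_rank(cipher)) {
				cipher = candidate;
				chosen = capability;
			}
		}
		if (chosen != NULL) {
			cm_log(1, "Server supports %s, using that.\n", chosen);
		}
		/* … unchanged: AES256 fallback when nothing was selected … */
	}
```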
@@ -0,0 +1,50 @@ +From 43392d48924d6d50ef2712947ddea424e723e171 Mon Sep 17 00:00:00 2001 +From: Trevor Vaughan +Date: Tue, 27 Mar 2018 09:28:28 -0400 +Subject: [PATCH 23/25] Updates per Feedback + +Ref: #89 +--- + src/scepgen-o.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/scepgen-o.c b/src/scepgen-o.c +index 07c2b8b..05fc437 100644 +--- a/src/scepgen-o.c ++++ b/src/scepgen-o.c +@@ -457,7 +457,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + _exit(1); + } + +- cm_log(1, "SCEP cipher authoritatively set to: '%s'\n", scep_cipher); ++ cm_log(1, "SCEP cipher set from configuration to: '%s'\n", scep_cipher); + } + else { + cipher = cm_prefs_nocipher; +@@ -527,11 +527,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + digest = cm_prefs_md5; + } + else { +- cm_log(1, "Option 'scep_digest' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_digest); ++ cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest); + _exit(1); + } + +- cm_log(1, "SCEP digest authoritatively set to: '%s'\n", scep_digest); ++ cm_log(1, "SCEP digest set from configuration to: '%s'\n", scep_digest); + } + else { + pref_digest = cm_prefs_preferred_digest(); +@@ -578,7 +578,8 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + } + } + if (digest == cm_prefs_nodigest) { +- /* Per the latest Draft RFC */ ++ /* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */ ++ /* https://www.ietf.org/id/draft-gutmann-scep-10.txt */ + cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n"); + digest = cm_prefs_sha256; + } +-- +1.8.3.1 + diff --git a/SOURCES/0024-Updated-tests.patch b/SOURCES/0024-Updated-tests.patch new file mode 100644 index 0000000..9abebc1 --- /dev/null +++ b/SOURCES/0024-Updated-tests.patch 
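Review bot: The two invalid-option branches still terminate the child with `_exit(1)`, while the rest of cm_scepgen_o_cooked reports failures with `_exit(CM_SUB_STATUS_INTERNAL_ERROR)` (visible as context earlier in the function in patch 0022); unless 1 happens to equal that constant, the parent will classify a bad `scep_cipher`/`scep_digest` differently from every other internal error, so use the same constant here. Because the configuration override is authoritative, it would also help operators to warn when it selects single DES or MD5, e.g. `cm_log(1, "Warning: configured SCEP digest '%s' is cryptographically weak.\n", scep_digest);` next to the "set from configuration" line. The new comment cites an Internet-Draft by number and date; drafts expire, so naming the clause that defines the default algorithms would keep the reference useful once the RFC is published. The enclosing function starts and ends outside the hunk.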
@@ -0,0 +1,224 @@ +From 151699403803230e6d420b422cca13380b36e2a8 Mon Sep 17 00:00:00 2001 +From: Trevor Vaughan +Date: Tue, 27 Mar 2018 18:04:34 -0400 +Subject: [PATCH 24/25] Updated tests + +Worked around the fact that data under the 'cas' directory is +dynamically provisioned by moving from `cmp` to `diff -q -I` in +run-tests.sh and excluding everything in the dynamically generated +space. + +Ref #89 +--- + tests/028-dbus/expected.out | 42 +++++++++++++++++++++++++++++++++++++++++- + tests/033-scep/run.sh | 6 +++--- + tests/run-tests.sh | 4 +++- + 3 files changed, 47 insertions(+), 5 deletions(-) + +diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index 4c33e9a..dd9cac1 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -536,6 +536,9 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + + ++ ++ ++ + + + +@@ -580,6 +583,8 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + + ++ ++ + + + +@@ -588,6 +593,9 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + + ++[ /org/fedorahosted/certmonger/cas/CA1: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/local ++ + [ /org/fedorahosted/certmonger/cas/CA1: org.fedorahosted.certmonger.ca.get_nickname ] + local + +@@ -641,6 +649,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ ++ + + + +@@ -685,6 +696,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ + + + +@@ -693,6 +706,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/20180327134236 ++ + [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ] + SelfSign + +@@ -715,7 +731,7 @@ dbus.Array([], signature=dbus.Signature('s')) + [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.refresh ] + 1 + 
+-/org/fedorahosted/certmonger/cas/CA2: warning: property org.fedorahosted.certmonger.ca.scep-ca-identifier not settable on this object ++/org/fedorahosted/certmonger/cas/CA2: property org.fedorahosted.certmonger.ca.scep-cipher not set: (, x) + [ /org/fedorahosted/certmonger/cas/CA3: org.freedesktop.DBus.Introspectable.Introspect ] + +@@ -748,6 +764,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ ++ + + + +@@ -792,6 +811,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ + + + +@@ -800,6 +821,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/20180327134236-1 ++ + [ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ] + IPA + +@@ -853,6 +877,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ ++ + + + +@@ -897,6 +924,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ + + + +@@ -905,6 +934,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/20180327134236-2 ++ + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ] + certmaster + +@@ -958,6 +990,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ ++ + + + +@@ -1002,6 +1037,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++ ++ + + + +@@ -1010,6 +1047,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + ++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/20180327134236-3 ++ + [ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ] + dogtag-ipa-renew-agent + +diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh +index 15480ac..f270a49 100755 +--- a/tests/033-scep/run.sh ++++ b/tests/033-scep/run.sh +@@ -103,7 +103,7 @@ check_nonce() { + fi + } + +-set_digest md5 
++set_digest sha256 + $toolsdir/scepgen ca entry > scepdata + + echo "[req, no trust root]" +@@ -135,7 +135,7 @@ grep ^gic: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r mini. + check_failed + echo OK + echo "[req, old root]" +-set_digest md5 ++set_digest sha256 + $toolsdir/scepgen ca entry > scepdata + if test x`grep ^req: scepdata | cut -f2- -d:` = x ; then + echo missing req +@@ -145,7 +145,7 @@ check_verified + check_msgtype $SCEP_MSGTYPE_PKCSREQ + check_txid + check_nonce +-check_digest md5 ++check_digest sha256 + echo OK + echo "[gic, old trust root]" + set_digest sha1 +diff --git a/tests/run-tests.sh b/tests/run-tests.sh +index a0f7c2d..266ddc6 100755 +--- a/tests/run-tests.sh ++++ b/tests/run-tests.sh +@@ -77,7 +77,9 @@ for testid in "$@" $subdirs ; do + if ! test -s "$i" ; then + break + fi +- if cmp -s "$tmpfile" "$i" 2> /dev/null ; then ++ # This regex needs to be ignored since it is dynamically created at ++ # every CA creation ++ if diff -q -I "tmpdir/cas/[[:digit:]]\+" "$tmpfile" "$i" 2> /dev/null ; then + stat=0 + echo "OK" + cp $tmpfile "$builddir"/"$testid"/actual.out +-- +1.8.3.1 + diff --git a/SOURCES/0025-Add-cipher-and-digest-difference-messages.patch b/SOURCES/0025-Add-cipher-and-digest-difference-messages.patch new file mode 100644 index 0000000..f4ec184 --- /dev/null +++ b/SOURCES/0025-Add-cipher-and-digest-difference-messages.patch 
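Review bot: `diff -I "tmpdir/cas/[[:digit:]]\+"` removes every matching line from the comparison on both sides, so a regression in the very value the new `get_config_file_path` method returns (wrong directory, wrong CA) would still pass as long as the line contains a timestamp-like name; normalise the dynamic part and compare the whole output instead, e.g. `sed 's|\(tmpdir/cas/\)[0-9]\{14\}|\1TIMESTAMP|' "$tmpfile" | cmp -s - "$i"` with the placeholder stored in expected.out. `\+` in a basic regular expression is a GNU extension, so the check as written is GNU-diff specific; `[[:digit:]][[:digit:]]*` is portable. In 033-scep/run.sh, switching the three md5 cases to sha256 leaves the MD5 backward-compatibility branch added in patch 0022 without coverage; keep one md5 case or add an explicit one. The test loop in run-tests.sh continues outside the hunk.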
@@ -0,0 +1,38 @@ +From 8ee05aae1f0a85bcd763cde1dfcc8a33be85c35c Mon Sep 17 00:00:00 2001 +From: Trevor Vaughan +Date: Wed, 11 Apr 2018 16:01:13 -0400 +Subject: [PATCH 25/25] Add cipher and digest difference messages + +Ensure that users know that AES is the cipher and SHA is the digest when +CA capabilities are not supported. + +Ref #89 +--- + src/scepgen-o.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/scepgen-o.c b/src/scepgen-o.c +index 05fc437..7120ade 100644 +--- a/src/scepgen-o.c ++++ b/src/scepgen-o.c +@@ -503,7 +503,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + } + if (cipher == cm_prefs_nocipher) { + /* Per the latest Draft RFC */ +- cm_log(1, "Could not determine supported CA capabilities, using AES256.\n"); ++ cm_log(1, "Could not determine supported CA capabilities, using cipher AES256.\n"); + cipher = cm_prefs_aes256; + } + } +@@ -580,7 +580,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + if (digest == cm_prefs_nodigest) { + /* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */ + /* https://www.ietf.org/id/draft-gutmann-scep-10.txt */ +- cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n"); ++ cm_log(1, "Could not determine supported CA capabilities, using digest SHA256.\n"); + digest = cm_prefs_sha256; + } + } +-- +1.8.3.1 + diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index f817f50..bc3d46e 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -26,7 +26,7 @@ Name: certmonger Version: 0.78.4 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons 
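Review bot: The cipher fallback keeps the comment `/* Per the latest Draft RFC */` while the digest fallback a few lines below (from patch 0023) cites draft-gutmann-scep-10, so a reader cannot tell which text justified AES-256 as the no-capabilities default; use the same reference for both, `/* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */`. The "Could not determine supported CA capabilities" message is also logged when the server did return a capability list that simply names no cipher or digest, which is a different situation from a failed GetCACaps; distinguishing the two in the message would save an operator a round of debugging. cm_scepgen_o_cooked starts and ends outside the hunk.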
@@ -55,6 +55,13 @@ Patch0016: 0016-MS-cert-template-add-option-to-command-line-programs.patch Patch0017: 0017-MS-cert-template-validate-argument.patch Patch0018: 0018-MS-cert-template-add-tests.patch Patch0019: 0019-Fix-C99-build-error-on-EL7-systems.patch +Patch0020: 0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch +Patch0021: 0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch +Patch0022: 0022-Allow-configuration-of-client-SCEP-algorithms.patch +Patch0023: 0023-Updates-per-Feedback.patch +Patch0024: 0024-Updated-tests.patch +Patch0025: 0025-Add-cipher-and-digest-difference-messages.patch + Patch1001: 1001-Remove-rekey-feature.patch Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch @@ -275,6 +282,10 @@ exit 0 %endif %changelog +* Tue Feb 12 2019 Rob Crittenden - 0.78.4-11 +- Increase SCEP spec compliance, set more secure default cipher and hash. + (#1533216) + * Fri Aug 24 2018 Rob Crittenden - 0.78.4-10 - Backport patches to add support for the MS Certificate Template V2 extension (#1622184)