[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][master] 22 commits: If stderr is not a tty log to syslog so the helpers can log
Timo Aaltonen
gitlab at salsa.debian.org
Wed Oct 17 08:54:09 BST 2018
Timo Aaltonen pushed to branch master at FreeIPA packaging / certmonger
Commits:
d0e16613 by Rob Crittenden at 2018-04-02T17:48:59Z
If stderr is not a tty log to syslog so the helpers can log
All the helpers were configured to use the log method cm_log_stderr
which when executed as a helper from the certmonger daemon would
log nowhere.
If stderr is detected as a tty (e.g. the helper is run directly on
the cli) then logging will go there. Otherwise it will log to
syslog (honoring the log level).
- - - - -
76a0f629 by Rob Crittenden at 2018-04-02T17:49:40Z
On PKCS#7 verify failures log the PKCS#7 file, fix variable used
results was being used in place of results2.
In practice it would be the result of GetCACaps which means it would
log _something_, just not the failed PKCS#7 file.
- - - - -
51acb849 by Trevor Vaughan at 2018-04-11T20:28:16Z
Add additional build deps to RPM spec file
* Add additional required build dependencies to the RPM spec file
Required for testing #89
- - - - -
f68a4b8c by Trevor Vaughan at 2018-04-11T20:28:16Z
Fix C99 build error on EL7 systems
Needed for testing #89
- - - - -
d428aed3 by Trevor Vaughan at 2018-04-11T20:28:16Z
Allow configuration of client SCEP algorithms
* Allow users to set `scep_cipher` and `scep_digest` in their CA
configuration. These settings are authoritative and will override
anything from the server. This was added to support connections to
systems, such as Dogtag, that do not provide a CA capabilities string
and, therefore, are prone to causing incorrect ciphers to be used on the
client side.
* In accordance with the latest SCEP Draft RFC, the default cipher has
been changed to AES-256 and the default digest has been changed to
SHA-256. These were chosen as reasonable defaults for most users and
systems.
* To ease the determination of which configuration file controls what
CA, the output of `getcert list-cas -v` was updated to print a
`config-path` entry which will list the specific configuration
associated with a given CA.
Closes #89
- - - - -
6e4f0f1d by Trevor Vaughan at 2018-04-11T20:28:17Z
Updates per Feedback
Ref: #89
- - - - -
a1194ad0 by Trevor Vaughan at 2018-04-11T20:28:17Z
Updated tests
Worked around the fact that data under the 'cas' directory is
dynamically provisioned by moving from `cmp` to `diff -q -I` in
run-tests.sh and excluding everything in the dynamically generated
space.
Ref #89
- - - - -
6a13fb01 by Trevor Vaughan at 2018-04-11T20:28:17Z
Add cipher and digest difference messages
Ensure that users know that AES is the cipher and SHA is the digest when
CA capabilities are not supported.
Ref #89
- - - - -
31bbc35f by Rob Crittenden at 2018-04-16T20:12:37Z
Switch from libidn to libidn2
https://pagure.io/certmonger/issue/102
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
647aaf59 by Rob Crittenden at 2018-05-08T14:22:54Z
Tag 0.79.6
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
cd38b761 by Timo Aaltonen at 2018-10-17T07:16:12Z
Merge branch 'upstream'
- - - - -
ae2c0262 by Timo Aaltonen at 2018-10-17T07:19:03Z
bump the version
- - - - -
b1e70463 by Timo Aaltonen at 2018-10-17T07:20:47Z
control: Update maintainer address.
- - - - -
cea18c0a by Timo Aaltonen at 2018-10-17T07:21:34Z
control: Update vcs urls.
- - - - -
41746c50 by Timo Aaltonen at 2018-10-17T07:23:21Z
Bump debhelper to 11.
- - - - -
d2b9db02 by Timo Aaltonen at 2018-10-17T07:26:05Z
control: Build-depend on libidn2-dev.
- - - - -
b4c305aa by Timo Aaltonen at 2018-10-17T07:27:00Z
rules: Migrate to dh_missing, use --fail-missing.
- - - - -
584f5461 by Timo Aaltonen at 2018-10-17T07:28:53Z
drop dh-systemd from build-depends
- - - - -
db61c9ca by Timo Aaltonen at 2018-10-17T07:29:24Z
certmonger.upstart: Removed.
- - - - -
f2111e4c by Timo Aaltonen at 2018-10-17T07:29:57Z
Bump policy to 4.2.1, no changes.
- - - - -
728827ca by Timo Aaltonen at 2018-10-17T07:30:55Z
control: Set priority: optional.
- - - - -
164ccd31 by Timo Aaltonen at 2018-10-17T07:45:14Z
releasing package certmonger version 0.79.6-1
- - - - -
24 changed files:
- certmonger.spec
- configure.ac
- − debian/certmonger.upstart
- debian/changelog
- debian/compat
- debian/control
- debian/rules
- src/certext.c
- src/certmaster.c
- src/dogtag.c
- src/getcert.c
- src/ipa.c
- src/local.c
- src/prefs.h
- src/scep.c
- src/scepgen-o.c
- src/srvloc.c
- src/store-files.c
- src/store-int.h
- src/tdbus.h
- src/tdbush.c
- tests/028-dbus/expected.out
- tests/033-scep/run.sh
- tests/run-tests.sh
Changes:
=====================================
certmonger.spec
=====================================
@@ -25,7 +25,7 @@
%endif
Name: certmonger
-Version: 0.79.5
+Version: 0.79.6
Release: 1%{?dist}
Summary: Certificate status monitor and PKI enrollment client
@@ -37,7 +37,8 @@ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: openldap-devel
-BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel
+BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn2-devel
+BuildRequires: autoconf, automake, gcc, gettext-devel
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
BuildRequires: libuuid-devel
%else
@@ -242,6 +243,17 @@ exit 0
%endif
%changelog
+* Tue May 8 2018 Rob Crittenden <rcritten at redhat.com> 0.79.6-1
+- update to 0.79.6:
+ - Better support for NSS SQLite databases
+ - Fix CA creation in local CA, fix DER issue in constraint
+ - If stderr is not a tty log to syslog so the helpers can log
+ - Allow configuration of client SCEP algorithms
+ - Set default SCEP digest to SHA-256, cipher to AES-256 per spec
+
+* Mon Apr 2 2018 Rob Crittenden <rcritten at redhat.com> 0.79.5-2
+- Switch from libidn to libidn2 for better IDNA2008 support
+
* Fri Sep 1 2017 Rob Crittenden <rcritten at redhat.com> 0.79.5-1
- update to 0.79.5:
- getcert start-tracking: use issuer option when specified
=====================================
configure.ac
=====================================
@@ -1,4 +1,4 @@
-AC_INIT(certmonger,0.79.5)
+AC_INIT(certmonger,0.79.6)
AM_INIT_AUTOMAKE([foreign subdir-objects])
AC_CONFIG_MACRO_DIR(m4)
AM_MAINTAINER_MODE([disable])
@@ -788,7 +788,7 @@ if ! ${configure_dist_target_only:-false} ; then
fi,
idn=true)
if $idn ; then
- PKG_CHECK_MODULES(IDN,libidn)
+ PKG_CHECK_MODULES(IDN,libidn2)
AC_DEFINE(CM_USE_IDN,1,[Define if dnsName subjectAltNames should be encoded properly, and if international domain names should be handled during service location.])
fi
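Review bot: Pointing PKG_CHECK_MODULES at libidn2 is only half of a libidn migration; the certext.c and srvloc.c hunks in this series swap idna.h for idn2.h and nothing else, so any remaining idna_* calls compile only because libidn2 ships a libidn compatibility API, which exists in libidn2 2.0 and later. Make that requirement explicit so configure fails early on an older libidn2 instead of at link time, e.g. `PKG_CHECK_MODULES(IDN,libidn2 >= 2.0.0)`, and consider migrating the callers to the native idn2_* functions in a follow-up since the compat layer is a convenience, not the supported interface.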
=====================================
debian/certmonger.upstart deleted
=====================================
@@ -1,15 +0,0 @@
-# certmonger
-#
-# certmonger is a D-Bus-based service which attempts to simplify
-# interaction with certifying authorities (CAs) on networks which use
-# public-key infrastructure (PKI).
-
-description "Certmonger"
-
-start on net-device-up
-stop on runlevel [06]
-
-expect daemon
-respawn
-
-exec certmonger
=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+certmonger (0.79.6-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Update maintainer address.
+ * control: Update vcs urls.
+ * Bump debhelper to 11.
+ * control: Build-depend on libidn2-dev.
+ * rules: Migrate to dh_missing, use --fail-missing.
+ * certmonger.upstart: Removed.
+ * Bump policy to 4.2.1, no changes.
+ * control: Set priority: optional.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Wed, 17 Oct 2018 10:45:02 +0300
+
certmonger (0.79.5-3) experimental; urgency=medium
* Merge changes from upstream git to support sqlite nssdb's.
=====================================
debian/compat
=====================================
@@ -1 +1 @@
-9
+11
=====================================
debian/control
=====================================
@@ -1,17 +1,16 @@
Source: certmonger
Section: utils
-Priority: extra
-Maintainer: Debian FreeIPA Team <pkg-freeipa-devel at lists.alioth.debian.org>
+Priority: optional
+Maintainer: Debian FreeIPA Team <pkg-freeipa-devel at alioth-lists.debian.net>
Uploaders: Timo Aaltonen <tjaalton at debian.org>
-Build-Depends: debhelper (>= 9), dh-autoreconf, quilt,
+Build-Depends: debhelper (>= 11), quilt,
autopoint,
dbus (>= 1.8),
- dh-systemd,
dos2unix,
expect,
libdbus-1-dev,
libcurl4-nss-dev,
- libidn11-dev,
+ libidn2-dev,
libkrb5-dev,
libldap2-dev,
libnspr4-dev,
@@ -27,10 +26,10 @@ Build-Depends: debhelper (>= 9), dh-autoreconf, quilt,
openssl,
pkg-config,
uuid-dev,
-Standards-Version: 3.9.6
+Standards-Version: 4.2.1
Homepage: https://pagure.io/certmonger/
-Vcs-Git: git://anonscm.debian.org/pkg-freeipa/certmonger.git
-Vcs-Browser: http://anonscm.debian.org/cgit/pkg-freeipa/certmonger.git
+Vcs-Git: https://salsa.debian.org/freeipa-team/certmonger.git
+Vcs-Browser: https://salsa.debian.org/freeipa-team/certmonger
Package: certmonger
Architecture: any
=====================================
debian/rules
=====================================
@@ -29,12 +29,12 @@ override_dh_auto_install:
override_dh_auto_test:
-override_dh_install:
- dh_install --list-missing
+override_dh_missing:
+ dh_missing --fail-missing
override_dh_clean:
dh_clean
# rm -f po/*.gmo
%:
- dh $@ --parallel --with quilt,autoreconf,systemd --builddirectory=build/
+ dh $@ --with quilt --builddirectory=build/
=====================================
src/certext.c
=====================================
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2009,2011,2012,2013,2014,2015,2017 Red Hat, Inc.
- *
+ *
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
@@ -42,7 +42,7 @@
#include <krb5.h>
#ifdef CM_USE_IDN
-#include <idna.h>
+#include <idn2.h>
#endif
#include "certext.h"
@@ -1620,9 +1620,9 @@ cm_certext_build_certificate_template(
return NULL;
int i = 0;
- char *saveptr, *endptr;
+ char *saveptr, *endptr, *part;
for (
- char *part = strtok_r(template_spec_dup, ":", &saveptr);
+ part = strtok_r(template_spec_dup, ":", &saveptr);
part != NULL;
part = strtok_r(NULL, ":", &saveptr)
) {
=====================================
src/certmaster.c
=====================================
@@ -86,7 +86,10 @@ main(int argc, const char **argv)
bindtextdomain(PACKAGE, MYLOCALEDIR);
#endif
- cm_log_set_method(cm_log_stderr);
+ if (isatty(STDERR_FILENO))
+ cm_log_set_method(cm_log_stderr);
+ else
+ cm_log_set_method(cm_log_syslog);
pctx = poptGetContext(argv[0], argc, argv, popts, 0);
if (pctx == NULL) {
return CM_SUBMIT_STATUS_UNCONFIGURED;
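Review bot: The isatty(STDERR_FILENO) test changes behaviour whenever stderr is not a terminal, not only when the helper is spawned by the daemon: running a helper by hand with `2>/tmp/out` now writes nothing to that file and sends everything to syslog instead, which is surprising when debugging and quietly moves diagnostic output into the system log. Consider keeping stderr whenever it is open and falling back to syslog only on an explicit signal from the daemon (an environment variable or option it sets when it execs the helper), or at least document the heuristic in the helper man pages. The same four-line block is pasted verbatim into dogtag.c, ipa.c, local.c and scep.c; one function in the shared logging code would keep the policy in a single place. Also confirm each of those files already includes <unistd.h> for isatty() and STDERR_FILENO.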
=====================================
src/dogtag.c
=====================================
@@ -296,7 +296,10 @@ main(int argc, const char **argv)
}
umask(S_IRWXG | S_IRWXO);
- cm_log_set_method(cm_log_stderr);
+ if (isatty(STDERR_FILENO))
+ cm_log_set_method(cm_log_stderr);
+ else
+ cm_log_set_method(cm_log_syslog);
cm_log_set_level(verbose);
nctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION,
=====================================
src/getcert.c
=====================================
@@ -4291,6 +4291,12 @@ list_cas(const char *argv0, int argc, const char **argv)
if ((s != NULL) && (strlen(s) > 0)) {
printf(_("\tpost-save command: %s\n"), s);
}
+ if (verbose > 0) {
+ printf(_("\tconfig-path: %s\n"),
+ query_rep_s(bus, cas[i], CM_DBUS_CA_INTERFACE,
+ "get_config_file_path",
+ verbose, globals.tctx));
+ }
}
return 0;
}
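Review bot: The config-path line feeds the return value of query_rep_s() straight into printf("%s") with none of the NULL/empty guarding the neighbouring fields use (`if ((s != NULL) && (strlen(s) > 0))`). Against an older daemon that does not implement get_config_file_path, or on any D-Bus error, the reply will be missing; if query_rep_s() then returns NULL, printf with a NULL %s is undefined behaviour (glibc prints "(null)", other libcs crash). Suggest assigning the result to s and applying the same guard as the entries above.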
=====================================
src/ipa.c
=====================================
@@ -689,7 +689,10 @@ main(int argc, const char **argv)
}
umask(S_IRWXG | S_IRWXO);
- cm_log_set_method(cm_log_stderr);
+ if (isatty(STDERR_FILENO))
+ cm_log_set_method(cm_log_stderr);
+ else
+ cm_log_set_method(cm_log_syslog);
cm_log_set_level(verbose);
/* Start backfilling defaults, both hard-coded and from the IPA
=====================================
src/local.c
=====================================
@@ -488,7 +488,10 @@ main(int argc, const char **argv)
umask(S_IRWXG | S_IRWXO);
- cm_log_set_method(cm_log_stderr);
+ if (isatty(STDERR_FILENO))
+ cm_log_set_method(cm_log_stderr);
+ else
+ cm_log_set_method(cm_log_syslog);
cm_log_set_level(verbose);
if (localdir == NULL) {
=====================================
src/prefs.h
=====================================
@@ -20,9 +20,12 @@
enum cm_prefs_cipher {
cm_prefs_aes128,
+ cm_prefs_aes192,
cm_prefs_aes256,
cm_prefs_des3,
cm_prefs_des,
+ /* This is for the selection logic */
+ cm_prefs_nocipher,
};
enum cm_prefs_digest {
@@ -31,6 +34,8 @@ enum cm_prefs_digest {
cm_prefs_sha512,
cm_prefs_sha1,
cm_prefs_md5,
+ /* This is for the selection logic */
+ cm_prefs_nodigest,
};
enum cm_notification_method;
=====================================
src/scep.c
=====================================
@@ -343,7 +343,10 @@ main(int argc, const char **argv)
}
umask(S_IRWXG | S_IRWXO);
- cm_log_set_method(cm_log_stderr);
+ if (isatty(STDERR_FILENO))
+ cm_log_set_method(cm_log_stderr);
+ else
+ cm_log_set_method(cm_log_syslog);
cm_log_set_level(verbose);
ctx = talloc_new(NULL);
@@ -929,15 +932,18 @@ main(int argc, const char **argv)
if (i != 0) {
printf(_("Error: failed to verify signature on "
"server response.\n"));
+ cm_log(1, "Error: failed to verify signature on "
+ "server response.\n");
while ((error = ERR_get_error()) != 0) {
memset(buf, '\0', sizeof(buf));
ERR_error_string_n(error, buf, sizeof(buf));
cm_log(1, "%s\n", buf);
}
- s = cm_store_base64_from_bin(ctx, (unsigned char *) results,
- results_length);
+ s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
+ results_length2);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "%s", s);
+ cm_log(1, "%s", s);
free(s);
return CM_SUBMIT_STATUS_UNREACHABLE;
}
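Review bot: The switch to results2/results_length2 is the right fix, since results still holds the earlier GetCACaps reply. Two follow-ups: the PEM dump is now emitted twice (fprintf to stderr and cm_log at level 1), and with the new syslog fallback a level-1 log of a multi-line PKCS#7 blob becomes one syslog record per line on every failed verification, carrying content from a server response whose signature did not check out; logging it at a higher verbosity level, or logging only its length at level 1, keeps syslog readable. The "failed to verify signature" text is also duplicated between printf and cm_log; format it once and reuse the string so the two cannot drift.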
=====================================
src/scepgen-o.c
=====================================
@@ -422,49 +422,156 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
free(pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
- cipher = cm_prefs_des;
- for (i = 0;
- (ca->cm_ca_capabilities != NULL) &&
- (ca->cm_ca_capabilities[i] != NULL);
- i++) {
- capability = ca->cm_ca_capabilities[i];
- if (strcmp(capability, "DES3") == 0) {
- cm_log(1, "Server supports DES3, using that.\n");
+
+ char* scep_cipher = ca->cm_ca_scep_cipher;
+ if (scep_cipher != NULL) {
+ /* Force the cipher to whatever is in the configuration */
+ if (strcmp(scep_cipher, "AES256") == 0) {
+ cipher = cm_prefs_aes256;
+ }
+ else if (strcmp(scep_cipher, "AES192") == 0) {
+ cipher = cm_prefs_aes192;
+ }
+ else if (strcmp(scep_cipher, "AES128") == 0) {
+ cipher = cm_prefs_aes128;
+ }
+ else if (strcmp(scep_cipher, "DES3") == 0) {
cipher = cm_prefs_des3;
- break;
- }
- }
- if (cipher == cm_prefs_des) {
- cm_log(1, "Server does not support DES3, using DES.\n");
- }
- pref_digest = cm_prefs_preferred_digest();
- digest = cm_prefs_md5;
- for (i = 0;
- (ca->cm_ca_capabilities != NULL) &&
- (ca->cm_ca_capabilities[i] != NULL);
- i++) {
- capability = ca->cm_ca_capabilities[i];
- if ((pref_digest == cm_prefs_sha1) &&
- (strcmp(capability, "SHA-1") == 0)) {
- cm_log(1, "Server supports SHA-1, using that.\n");
- digest = cm_prefs_sha1;
- break;
}
- if ((pref_digest == cm_prefs_sha256) &&
- (strcmp(capability, "SHA-256") == 0)) {
- cm_log(1, "Server supports SHA-256, using that.\n");
- digest = cm_prefs_sha256;
- break;
+ else if (strcmp(scep_cipher, "DES") == 0) {
+ cipher = cm_prefs_des;
}
- if ((pref_digest == cm_prefs_sha512) &&
- (strcmp(capability, "SHA-512") == 0)) {
- cm_log(1, "Server supports SHA-512, using that.\n");
- digest = cm_prefs_sha512;
- break;
+ else {
+ cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
+ _exit(1);
+ }
+
+ cm_log(1, "SCEP cipher set from configuration to: '%s'\n", scep_cipher);
+ }
+ else {
+ cipher = cm_prefs_nocipher;
+ for (i = 0;
+ (ca->cm_ca_capabilities != NULL) &&
+ (ca->cm_ca_capabilities[i] != NULL);
+ i++) {
+ capability = ca->cm_ca_capabilities[i];
+ if ((strcmp(capability, "AES-256") == 0) ||
+ (strcmp(capability, "AES256") == 0)) {
+ cm_log(1, "Server supports AES256, using that.\n");
+ cipher = cm_prefs_aes256;
+ break;
+ }
+ if ((strcmp(capability, "AES-192") == 0) ||
+ (strcmp(capability, "AES192") == 0)) {
+ cm_log(1, "Server supports AES192, using that.\n");
+ cipher = cm_prefs_aes192;
+ break;
+ }
+ if ((strcmp(capability, "AES-128") == 0) ||
+ (strcmp(capability, "AES128") == 0)) {
+ cm_log(1, "Server supports AES128, using that.\n");
+ cipher = cm_prefs_aes128;
+ break;
+ }
+ if (strcmp(capability, "AES") == 0) {
+ cm_log(1, "Server supports AES, using AES256.\n");
+ cipher = cm_prefs_aes256;
+ break;
+ }
+ if (strcmp(capability, "DES3") == 0) {
+ cm_log(1, "Server supports DES3, using that.\n");
+ cipher = cm_prefs_des3;
+ break;
+ }
+ /* This remains for backward compatibility */
+ if (strcmp(capability, "DES") == 0) {
+ cm_log(1, "Server supports DES, using that.\n");
+ cipher = cm_prefs_des;
+ break;
+ }
+ }
+ if (cipher == cm_prefs_nocipher) {
+ /* Per the latest Draft RFC */
+ cm_log(1, "Could not determine supported CA capabilities, using cipher AES256.\n");
+ cipher = cm_prefs_aes256;
}
}
- if (digest == cm_prefs_md5) {
- cm_log(1, "Server does not support better digests, using MD5.\n");
+
+ char* scep_digest = ca->cm_ca_scep_digest;
+ if (scep_digest != NULL) {
+ /* Force the digest to whatever is in the configuration */
+ if (strcmp(scep_digest, "SHA512") == 0) {
+ digest = cm_prefs_sha512;
+ }
+ else if (strcmp(scep_digest, "SHA384") == 0) {
+ digest = cm_prefs_sha384;
+ }
+ else if (strcmp(scep_digest, "SHA256") == 0) {
+ digest = cm_prefs_sha256;
+ }
+ else if (strcmp(scep_digest, "SHA1") == 0) {
+ digest = cm_prefs_sha1;
+ }
+ else if (strcmp(scep_digest, "MD5") == 0) {
+ digest = cm_prefs_md5;
+ }
+ else {
+ cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
+ _exit(1);
+ }
+
+ cm_log(1, "SCEP digest set from configuration to: '%s'\n", scep_digest);
+ }
+ else {
+ pref_digest = cm_prefs_preferred_digest();
+ digest = cm_prefs_nodigest;
+ for (i = 0;
+ (ca->cm_ca_capabilities != NULL) &&
+ (ca->cm_ca_capabilities[i] != NULL);
+ i++) {
+ capability = ca->cm_ca_capabilities[i];
+ if ((pref_digest == cm_prefs_sha512) &&
+ ((strcmp(capability, "SHA-512") == 0) ||
+ (strcmp(capability, "SHA512") == 0))) {
+ cm_log(1, "Server supports SHA-512, using that.\n");
+ digest = cm_prefs_sha512;
+ break;
+ }
+ if ((pref_digest == cm_prefs_sha384) &&
+ ((strcmp(capability, "SHA-384") == 0) ||
+ (strcmp(capability, "SHA384") == 0))) {
+ cm_log(1, "Server supports SHA-384, using that.\n");
+ digest = cm_prefs_sha384;
+ break;
+ }
+ if ((pref_digest == cm_prefs_sha256) &&
+ ((strcmp(capability, "SHA-256") == 0) ||
+ (strcmp(capability, "SHA256") == 0))) {
+ cm_log(1, "Server supports SHA-256, using that.\n");
+ digest = cm_prefs_sha256;
+ break;
+ }
+ if ((pref_digest == cm_prefs_sha1) &&
+ ((strcmp(capability, "SHA-1") == 0) ||
+ (strcmp(capability, "SHA1") == 0))) {
+ cm_log(1, "Server supports SHA-1, using that.\n");
+ digest = cm_prefs_sha1;
+ break;
+ }
+ /* This remains for backward compatibility */
+ if ((pref_digest == cm_prefs_sha1) &&
+ (strcmp(capability, "MD5") == 0)) {
+ cm_log(1, "Server supports MD5, using that.\n");
+ digest = cm_prefs_md5;
+ break;
+ }
+ }
+ if (digest == cm_prefs_nodigest) {
+ /* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */
+ /* https://www.ietf.org/id/draft-gutmann-scep-10.txt */
+ cm_log(1, "Could not determine supported CA capabilities, using digest SHA256.\n");
+ digest = cm_prefs_sha256;
+ }
}
if (old_cert != NULL) {
if (cm_pkcs7_envelope_ias(ca->cm_ca_encryption_cert, cipher,
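Review bot: The bare "AES" capability is mapped to cm_prefs_aes256, but in draft-gutmann-scep (published later as RFC 8894) the "AES" keyword means the CA supports AES128-CBC; a CA that advertises only "AES" may not accept an AES-256 envelope, so that branch should select cm_prefs_aes128 (the explicit "AES-256"/"AES256" branches already cover the stronger case), and the "SCEPStandard" keyword, which implies AES and SHA-256, is worth recognising too. Smaller points: the two `_exit(1)` calls on a bad scep_cipher/scep_digest value sit next to `_exit(CM_SUB_STATUS_INTERNAL_ERROR)` at the top of the hunk; use a named status so the parent can tell a configuration error from a crash. The configuration comparison accepts only the unhyphenated spellings ("AES256", "SHA256") while the capability parsing accepts both forms; accepting both in the config path avoids a confusing rejection. Finally, since the override is authoritative, a configured DES or MD5 is applied without comment; a level-1 log line noting that a deprecated algorithm has been forced would help whoever later audits the enrolment.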
=====================================
src/srvloc.c
=====================================
@@ -34,7 +34,7 @@
#include <unistd.h>
#ifdef CM_USE_IDN
-#include <idna.h>
+#include <idn2.h>
#endif
#ifdef HAVE_OPENSSL
=====================================
src/store-files.c
=====================================
@@ -221,6 +221,8 @@ enum cm_store_file_field {
cm_store_ca_field_other_cert_nssdbs,
cm_store_ca_field_capabilities,
+ cm_store_ca_field_scep_cipher,
+ cm_store_ca_field_scep_digest,
cm_store_ca_field_scep_ca_identifier,
cm_store_ca_field_encryption_cert,
cm_store_ca_field_encryption_issuer_cert,
@@ -400,6 +402,8 @@ static struct cm_store_file_field_list {
{cm_store_ca_field_other_cert_nssdbs, "ca_other_cert_dbs"},
{cm_store_ca_field_capabilities, "ca_capabilities"},
+ {cm_store_ca_field_scep_cipher, "scep_cipher"},
+ {cm_store_ca_field_scep_digest, "scep_digest"},
{cm_store_ca_field_scep_ca_identifier, "scep_ca_identifier"},
{cm_store_ca_field_encryption_cert, "ca_encryption_cert"},
{cm_store_ca_field_encryption_issuer_cert, "ca_encryption_issuer_cert"},
@@ -804,6 +808,8 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp)
case cm_store_ca_field_other_root_cert_nssdbs:
case cm_store_ca_field_other_cert_nssdbs:
case cm_store_ca_field_capabilities:
+ case cm_store_ca_field_scep_cipher:
+ case cm_store_ca_field_scep_digest:
case cm_store_ca_field_scep_ca_identifier:
case cm_store_ca_field_encryption_cert:
case cm_store_ca_field_encryption_issuer_cert:
@@ -1602,6 +1608,14 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp)
ret->cm_ca_capabilities =
free_if_empty_multi(ret, p);
break;
+ case cm_store_ca_field_scep_cipher:
+ ret->cm_ca_scep_cipher =
+ free_if_empty(p);
+ break;
+ case cm_store_ca_field_scep_digest:
+ ret->cm_ca_scep_digest =
+ free_if_empty(p);
+ break;
case cm_store_ca_field_scep_ca_identifier:
ret->cm_ca_scep_ca_identifier =
free_if_empty(p);
@@ -2418,6 +2432,10 @@ cm_store_ca_write(FILE *fp, struct cm_store_ca *ca)
ca->cm_ca_other_cert_store_nssdbs);
cm_store_file_write_strs(fp, cm_store_ca_field_capabilities,
ca->cm_ca_capabilities);
+ cm_store_file_write_str(fp, cm_store_ca_field_scep_cipher,
+ ca->cm_ca_scep_cipher);
+ cm_store_file_write_str(fp, cm_store_ca_field_scep_digest,
+ ca->cm_ca_scep_digest);
cm_store_file_write_str(fp, cm_store_ca_field_scep_ca_identifier,
ca->cm_ca_scep_ca_identifier);
cm_store_file_write_str(fp, cm_store_ca_field_encryption_cert,
@@ -2940,6 +2958,10 @@ cm_store_ca_dup(void *parent, struct cm_store_ca *ca)
ret->cm_ca_capabilities =
cm_store_maybe_strdupv(ret, ca->cm_ca_capabilities);
+ ret->cm_ca_scep_cipher =
+ cm_store_maybe_strdup(ret, ca->cm_ca_scep_cipher);
+ ret->cm_ca_scep_digest =
+ cm_store_maybe_strdup(ret, ca->cm_ca_scep_digest);
ret->cm_ca_scep_ca_identifier =
cm_store_maybe_strdup(ret, ca->cm_ca_scep_ca_identifier);
ret->cm_ca_encryption_cert =
=====================================
src/store-int.h
=====================================
@@ -349,6 +349,10 @@ struct cm_store_ca {
char **cm_ca_other_cert_store_nssdbs;
/* CA capabilities. Currently only ever SCEP capabilities. */
char **cm_ca_capabilities;
+ /* SCEP Cipher to use. Overrides CA Capabilities */
+ char *cm_ca_scep_cipher;
+ /* SCEP Digest to use. Overrides CA Capabilities */
+ char *cm_ca_scep_digest;
/* An SCEP CA identifier, for use in gathering an RA (and possibly a
* CA) certificate. */
char *cm_ca_scep_ca_identifier;
=====================================
src/tdbus.h
=====================================
@@ -119,6 +119,8 @@
#define CM_DBUS_PROP_ROOT_CERTS "root-certs"
#define CM_DBUS_PROP_OTHER_ROOT_CERTS "root-other-certs"
#define CM_DBUS_PROP_OTHER_CERTS "other-certs"
+#define CM_DBUS_PROP_SCEP_CIPHER "scep-cipher"
+#define CM_DBUS_PROP_SCEP_DIGEST "scep-digest"
#define CM_DBUS_PROP_SCEP_CA_IDENTIFIER "scep-ca-identifier"
#define CM_DBUS_PROP_SCEP_CA_CAPABILITIES "scep-ca-capabilities"
#define CM_DBUS_PROP_SCEP_RA_CERT "scep-ra-cert"
=====================================
src/tdbush.c
=====================================
@@ -2128,6 +2128,27 @@ ca_get_serial(DBusConnection *conn, DBusMessage *msg,
}
}
+/* org.fedorahosted.certonger.ca.get_config_file_path */
+ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg,
+ struct cm_client_info *ci, struct cm_context *ctx)
+{
+ DBusMessage *rep;
+ struct cm_store_ca *ca;
+ ca = get_ca_for_request_message(msg, ctx);
+ if (ca == NULL) {
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+ rep = dbus_message_new_method_return(msg);
+ if (rep != NULL) {
+ cm_tdbusm_set_s(rep, ca->cm_store_private);
+ dbus_connection_send(conn, rep, NULL);
+ dbus_message_unref(rep);
+ return DBUS_HANDLER_RESULT_HANDLED;
+ } else {
+ return send_internal_ca_error(conn, msg);
+ }
+}
+
/* org.fedorahosted.certonger.ca.refresh */
static DBusHandlerResult
ca_refresh(DBusConnection *conn, DBusMessage *msg,
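Review bot: ca_get_config_file_path() has no declaration line: the comment is followed directly by the function name and parameter list, with no `static DBusHandlerResult` before it, unlike ca_refresh immediately below. That gives the function an implicit int return type and external linkage, which is an error under -Werror=implicit-int and a silent type mismatch with the handler pointer make_method() registers. Add `static DBusHandlerResult` above the name. The new comment also copies the pre-existing "certonger" typo from the neighbouring one; worth fixing while here.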
@@ -2261,6 +2282,106 @@ ca_prop_set_external_helper(struct cm_context *ctx, void *parent,
}
}
+static const char *
+ca_prop_get_scep_cipher(struct cm_context *ctx, void *parent,
+ void *record, const char *name)
+{
+ struct cm_store_ca *ca = record;
+
+ if (strcmp(name, CM_DBUS_PROP_SCEP_CIPHER) == 0) {
+ if (ca->cm_ca_type != cm_ca_external) {
+ return "";
+ }
+ if (ca->cm_ca_scep_cipher != NULL) {
+ return ca->cm_ca_scep_cipher;
+ } else {
+ return "";
+ }
+ }
+ return NULL;
+}
+
+static void
+ca_prop_set_scep_cipher(struct cm_context *ctx, void *parent,
+ void *record, const char *name,
+ const char *new_value)
+{
+ const char *propname[2], *path;
+ struct cm_store_ca *ca = record;
+ enum cm_ca_phase phase;
+
+ if (strcmp(name, CM_DBUS_PROP_SCEP_CIPHER) == 0) {
+ if (ca->cm_ca_type != cm_ca_external) {
+ return;
+ }
+ talloc_free(ca->cm_ca_scep_cipher);
+ ca->cm_ca_scep_cipher = new_value ?
+ talloc_strdup(ca, new_value) :
+ NULL;
+ for (phase = 0; phase < cm_ca_phase_invalid; phase++) {
+ cm_restart_ca(ctx, ca->cm_nickname, phase);
+ }
+ propname[0] = CM_DBUS_PROP_SCEP_CIPHER;
+ propname[1] = NULL;
+ path = talloc_asprintf(parent, "%s/%s",
+ CM_DBUS_CA_PATH,
+ ca->cm_busname);
+ cm_tdbush_property_emit_changed(ctx, path,
+ CM_DBUS_CA_INTERFACE,
+ propname);
+ }
+}
+
+static const char *
+ca_prop_get_scep_digest(struct cm_context *ctx, void *parent,
+ void *record, const char *name)
+{
+ struct cm_store_ca *ca = record;
+
+ if (strcmp(name, CM_DBUS_PROP_SCEP_DIGEST) == 0) {
+ if (ca->cm_ca_type != cm_ca_external) {
+ return "";
+ }
+ if (ca->cm_ca_scep_digest != NULL) {
+ return ca->cm_ca_scep_digest;
+ } else {
+ return "";
+ }
+ }
+ return NULL;
+}
+
+static void
+ca_prop_set_scep_digest(struct cm_context *ctx, void *parent,
+ void *record, const char *name,
+ const char *new_value)
+{
+ const char *propname[2], *path;
+ struct cm_store_ca *ca = record;
+ enum cm_ca_phase phase;
+
+ if (strcmp(name, CM_DBUS_PROP_SCEP_DIGEST) == 0) {
+ if (ca->cm_ca_type != cm_ca_external) {
+ return;
+ }
+ talloc_free(ca->cm_ca_scep_digest);
+ ca->cm_ca_scep_digest = new_value ?
+ talloc_strdup(ca, new_value) :
+ NULL;
+ for (phase = 0; phase < cm_ca_phase_invalid; phase++) {
+ cm_restart_ca(ctx, ca->cm_nickname, phase);
+ }
+ propname[0] = CM_DBUS_PROP_SCEP_DIGEST;
+ propname[1] = NULL;
+ path = talloc_asprintf(parent, "%s/%s",
+ CM_DBUS_CA_PATH,
+ ca->cm_busname);
+ cm_tdbush_property_emit_changed(ctx, path,
+ CM_DBUS_CA_INTERFACE,
+ propname);
+ }
+}
+
static const char *
ca_prop_get_scep_ca_identifier(struct cm_context *ctx, void *parent,
void *record, const char *name)
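Review bot: ca_prop_set_scep_cipher() and ca_prop_set_scep_digest() store whatever string the D-Bus caller supplies without validating it; the value is only checked later in the forked scepgen child, which then exits on every enrolment against that CA until the property is corrected. The accepted set is small and fixed (AES256, AES192, AES128, DES3, DES and SHA512, SHA384, SHA256, SHA1, MD5 per the scepgen-o.c hunk), so reject anything else here and return an error to the caller, and treat "" as "clear the override" (store NULL) since the getters already report "" for unset. Both setters also restart every CA phase on each write, so configuring cipher and digest together restarts the CA twice; minor, but worth noting. The four functions are near copies of the scep-ca-identifier getter/setter; a small table-driven helper would remove the duplication.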
@@ -7277,6 +7398,14 @@ cm_tdbush_iface_ca(void)
static struct cm_tdbush_interface *ret;
if (ret == NULL) {
ret = make_interface(CM_DBUS_CA_INTERFACE,
+ make_interface_item(cm_tdbush_interface_method,
+ make_method("get_config_file_path",
+ ca_get_config_file_path,
+ make_method_arg("path",
+ DBUS_TYPE_STRING_AS_STRING,
+ cm_tdbush_method_arg_out,
+ NULL),
+ NULL),
make_interface_item(cm_tdbush_interface_method,
make_method("get_nickname",
ca_get_nickname,
@@ -7528,6 +7657,24 @@ cm_tdbush_iface_ca(void)
NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
NULL),
+ make_interface_item(cm_tdbush_interface_property,
+ make_property(CM_DBUS_PROP_SCEP_CIPHER,
+ cm_tdbush_property_string,
+ cm_tdbush_property_readwrite,
+ cm_tdbush_property_special,
+ 0,
+ ca_prop_get_scep_cipher, NULL, NULL, NULL, NULL,
+ ca_prop_set_scep_cipher, NULL, NULL, NULL, NULL,
+ NULL),
+ make_interface_item(cm_tdbush_interface_property,
+ make_property(CM_DBUS_PROP_SCEP_DIGEST,
+ cm_tdbush_property_string,
+ cm_tdbush_property_readwrite,
+ cm_tdbush_property_special,
+ 0,
+ ca_prop_get_scep_digest, NULL, NULL, NULL, NULL,
+ ca_prop_set_scep_digest, NULL, NULL, NULL, NULL,
+ NULL),
make_interface_item(cm_tdbush_interface_property,
make_property(CM_DBUS_PROP_SCEP_CA_IDENTIFIER,
cm_tdbush_property_string,
@@ -7573,7 +7720,7 @@ cm_tdbush_iface_ca(void)
NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
NULL),
- NULL))))))))))))))))))))))))))))))))))));
+ NULL)))))))))))))))))))))))))))))))))))))));
}
return ret;
}
=====================================
tests/028-dbus/expected.out
=====================================
@@ -542,6 +542,9 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
</signal>
</interface>
<interface name="org.fedorahosted.certmonger.ca">
+ <method name="get_config_file_path">
+ <arg name="path" type="s" direction="out"/>
+ </method>
<method name="get_nickname">
<arg name="nickname" type="s" direction="out"/>
</method>
@@ -586,6 +589,8 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
<property name="ca-presave-uid" type="s" access="read"/>
<property name="ca-postsave-command" type="s" access="read"/>
<property name="ca-postsave-uid" type="s" access="read"/>
+ <property name="scep-cipher" type="s" access="readwrite"/>
+ <property name="scep-digest" type="s" access="readwrite"/>
<property name="scep-ca-identifier" type="s" access="readwrite"/>
<property name="scep-ca-capabilities" type="as" access="read"/>
<property name="scep-ra-cert" type="s" access="read"/>
@@ -594,6 +599,9 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
</interface>
</node>
+[ /org/fedorahosted/certmonger/cas/CA1: org.fedorahosted.certmonger.ca.get_config_file_path ]
+$tmpdir/cas/local
+
[ /org/fedorahosted/certmonger/cas/CA1: org.fedorahosted.certmonger.ca.get_nickname ]
local
@@ -647,6 +655,9 @@ dbus.Array([], signature=dbus.Signature('s'))
</signal>
</interface>
<interface name="org.fedorahosted.certmonger.ca">
+ <method name="get_config_file_path">
+ <arg name="path" type="s" direction="out"/>
+ </method>
<method name="get_nickname">
<arg name="nickname" type="s" direction="out"/>
</method>
@@ -691,6 +702,8 @@ dbus.Array([], signature=dbus.Signature('s'))
<property name="ca-presave-uid" type="s" access="read"/>
<property name="ca-postsave-command" type="s" access="read"/>
<property name="ca-postsave-uid" type="s" access="read"/>
+ <property name="scep-cipher" type="s" access="readwrite"/>
+ <property name="scep-digest" type="s" access="readwrite"/>
<property name="scep-ca-identifier" type="s" access="readwrite"/>
<property name="scep-ca-capabilities" type="as" access="read"/>
<property name="scep-ra-cert" type="s" access="read"/>
@@ -699,6 +712,9 @@ dbus.Array([], signature=dbus.Signature('s'))
</interface>
</node>
+[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ]
+$tmpdir/cas/20180327134236
+
[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ]
SelfSign
@@ -721,7 +737,7 @@ dbus.Array([], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.refresh ]
1
-/org/fedorahosted/certmonger/cas/CA2: warning: property org.fedorahosted.certmonger.ca.scep-ca-identifier not settable on this object
+/org/fedorahosted/certmonger/cas/CA2: property org.fedorahosted.certmonger.ca.scep-cipher not set: (, x)
[ /org/fedorahosted/certmonger/cas/CA3: org.freedesktop.DBus.Introspectable.Introspect ]
<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
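Review bot: this hunk replaces the line that checked `scep-ca-identifier` being reported as not settable on the SelfSign CA with a line about `scep-cipher` not being set, so the SelfSign/`scep-ca-identifier` behaviour is no longer asserted anywhere visible. If both results are expected from the test, keep both lines; if the old warning genuinely no longer occurs, a sentence in the commit message explaining why would help. The new message `not set: (, x)` also shows an empty first value, which is worth double-checking against what the test actually sets.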
@@ -754,6 +770,9 @@ dbus.Array([], signature=dbus.Signature('s'))
</signal>
</interface>
<interface name="org.fedorahosted.certmonger.ca">
+ <method name="get_config_file_path">
+ <arg name="path" type="s" direction="out"/>
+ </method>
<method name="get_nickname">
<arg name="nickname" type="s" direction="out"/>
</method>
@@ -798,6 +817,8 @@ dbus.Array([], signature=dbus.Signature('s'))
<property name="ca-presave-uid" type="s" access="read"/>
<property name="ca-postsave-command" type="s" access="read"/>
<property name="ca-postsave-uid" type="s" access="read"/>
+ <property name="scep-cipher" type="s" access="readwrite"/>
+ <property name="scep-digest" type="s" access="readwrite"/>
<property name="scep-ca-identifier" type="s" access="readwrite"/>
<property name="scep-ca-capabilities" type="as" access="read"/>
<property name="scep-ra-cert" type="s" access="read"/>
@@ -806,6 +827,9 @@ dbus.Array([], signature=dbus.Signature('s'))
</interface>
</node>
+[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ]
+$tmpdir/cas/20180327134236-1
+
[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ]
IPA
@@ -859,6 +883,9 @@ dbus.Array([], signature=dbus.Signature('s'))
</signal>
</interface>
<interface name="org.fedorahosted.certmonger.ca">
+ <method name="get_config_file_path">
+ <arg name="path" type="s" direction="out"/>
+ </method>
<method name="get_nickname">
<arg name="nickname" type="s" direction="out"/>
</method>
@@ -903,6 +930,8 @@ dbus.Array([], signature=dbus.Signature('s'))
<property name="ca-presave-uid" type="s" access="read"/>
<property name="ca-postsave-command" type="s" access="read"/>
<property name="ca-postsave-uid" type="s" access="read"/>
+ <property name="scep-cipher" type="s" access="readwrite"/>
+ <property name="scep-digest" type="s" access="readwrite"/>
<property name="scep-ca-identifier" type="s" access="readwrite"/>
<property name="scep-ca-capabilities" type="as" access="read"/>
<property name="scep-ra-cert" type="s" access="read"/>
@@ -911,6 +940,9 @@ dbus.Array([], signature=dbus.Signature('s'))
</interface>
</node>
+[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
+$tmpdir/cas/20180327134236-2
+
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
certmaster
@@ -964,6 +996,9 @@ dbus.Array([], signature=dbus.Signature('s'))
</signal>
</interface>
<interface name="org.fedorahosted.certmonger.ca">
+ <method name="get_config_file_path">
+ <arg name="path" type="s" direction="out"/>
+ </method>
<method name="get_nickname">
<arg name="nickname" type="s" direction="out"/>
</method>
@@ -1008,6 +1043,8 @@ dbus.Array([], signature=dbus.Signature('s'))
<property name="ca-presave-uid" type="s" access="read"/>
<property name="ca-postsave-command" type="s" access="read"/>
<property name="ca-postsave-uid" type="s" access="read"/>
+ <property name="scep-cipher" type="s" access="readwrite"/>
+ <property name="scep-digest" type="s" access="readwrite"/>
<property name="scep-ca-identifier" type="s" access="readwrite"/>
<property name="scep-ca-capabilities" type="as" access="read"/>
<property name="scep-ra-cert" type="s" access="read"/>
@@ -1016,6 +1053,9 @@ dbus.Array([], signature=dbus.Signature('s'))
</interface>
</node>
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
+$tmpdir/cas/20180327134236-3
+
[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
dogtag-ipa-renew-agent
=====================================
tests/033-scep/run.sh
=====================================
@@ -103,7 +103,7 @@ check_nonce() {
fi
}
-set_digest md5
+set_digest sha256
$toolsdir/scepgen ca entry > scepdata
echo "[req, no trust root]"
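Review bot: switching `set_digest md5` to `set_digest sha256` here and in the `[req, old root]` section below means MD5 is no longer exercised by this test at all. If the client still accepts MD5 for legacy SCEP servers, a case that confirms it is still parsed (or, if it is now rejected, that it is rejected cleanly) would keep that path covered; if MD5 support was deliberately dropped, the commit message should say so.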
@@ -135,7 +135,7 @@ grep ^gic: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r mini.
check_failed
echo OK
echo "[req, old root]"
-set_digest md5
+set_digest sha256
$toolsdir/scepgen ca entry > scepdata
if test x`grep ^req: scepdata | cut -f2- -d:` = x ; then
echo missing req
@@ -145,7 +145,7 @@ check_verified
check_msgtype $SCEP_MSGTYPE_PKCSREQ
check_txid
check_nonce
-check_digest md5
+check_digest sha256
echo OK
echo "[gic, old trust root]"
set_digest sha1
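Review bot: the trailing context line `set_digest sha1` for the `[gic, old trust root]` case is left as is while the `req` cases moved from md5 to sha256. If the intent is to track the new SHA-256 default, this case should move too; if SHA-1 is kept on purpose to exercise a non-default digest, a short comment saying so would prevent the next reader from "fixing" it.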
=====================================
tests/run-tests.sh
=====================================
@@ -78,7 +78,9 @@ for testid in "$@" $subdirs ; do
if ! test -s "$i" ; then
break
fi
- if cmp -s "$tmpfile" "$i" 2> /dev/null ; then
+ # This regex needs to be ignored since it is dynamically created at
+ # every CA creation
+ if diff -q -I "tmpdir/cas/[[:digit:]]\+" "$tmpfile" "$i" 2> /dev/null ; then
stat=0
echo "OK"
cp $tmpfile "$builddir"/"$testid"/actual.out
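Review bot: `diff -I` drops every differing line that matches `tmpdir/cas/[[:digit:]]\+` from the comparison, so a wrong CA path in `get_config_file_path` output (for example the `-1`/`-2` suffixes being assigned to the wrong CA) would pass unnoticed. Normalising the timestamp instead, e.g. `sed 's|tmpdir/cas/[[:digit:]]\+|tmpdir/cas/TIMESTAMP|'` on both files before `cmp`, keeps the rest of the line checked and keeps the expected file stable. The comment should also say that lines matching the regex are ignored because the CA directory name is a creation timestamp; "This regex needs to be ignored" reads as if the regex itself were the problem.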
View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/compare/3880e06b0a78b3f1548f5ac0a70f730d8f2eff25...164ccd313b4475d999a25991d8c99a5850ec4509