[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][upstream] 42 commits: No message=<ca ident> from GetCACaps, GetCACert, drop GetCACertChain

Timo Aaltonen gitlab at salsa.debian.org
Tue Mar 24 09:06:50 GMT 2020



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / certmonger


Commits:
60a4db57 by Rob Crittenden at 2018-07-26T17:46:35-04:00
No message=<ca ident> from GetCACaps, GetCACert, drop GetCACertChain

In the SCEP Gutmann 10 spec there are no message=<ca ident> defined
for the GetCACaps or GetCACert commands. The nourse 23 spec still
defines this but it is optional. Don't send it at all.

GetCACertChain doesn't exist at all in gutmann and was dropped in
revision 19 by nourse.

https://pagure.io/certmonger/issue/103

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
3da0e186 by Rob Crittenden at 2018-09-25T09:08:48-04:00
Use the correct slot when saving certificates in NSS

Certificates were always stored in the NSS certdb.

- - - - -
c029b32c by Rob Crittenden at 2018-09-25T09:08:48-04:00
Include the token name when a PIN is provided but is unused

This improves the output so the user will know which token
the PIN is missing for. Theoretically it should be the token
they asked for but this will show certmonger's view of it.

- - - - -
f396b19b by Rob Crittenden at 2018-09-25T09:08:48-04:00
Add utility function to get the internal token name

The NSS internal token is the default if no token is specified for
the cert or the key.

- - - - -
6ebe5695 by Rob Crittenden at 2018-09-25T09:08:48-04:00
Only de-duplicate certificates within the same token

certmonger may not have read/write access to tokens other than
the one it is examining so don't try to de-duplicate certificates
on other tokens.

- - - - -
697dd085 by Rob Crittenden at 2018-09-25T09:08:48-04:00
Ensure that an OpenSSL random seed file exists when testing

Otherwise some openssl command-line invocations will fail and
because of the way the tests are done the error message is not
shown.

- - - - -
e93ecade by Rob Crittenden at 2018-09-25T09:08:48-04:00
Log test failures of bad pin

Previously this would show a "don't know why" failure.

- - - - -
15d406ee by Rob Crittenden at 2018-09-25T09:08:48-04:00
Use only PK11_ImportCert to import certs, not CERT_ImportCerts

CERT_ImportCerts always imports a given certificate into the
certificate database, whether a token is requested or not.

Using PK11_ImportCert will import the cert, associate the key
properly and will only add the certificate to the appropriate
token.

- - - - -
5d2554ed by Rob Crittenden at 2018-10-04T08:40:52-04:00
Fix memory leak in util_internal_token_name()

Allocate memory using the talloc context instead of relying on
the caller to call free().

- - - - -
648fe749 by Rob Crittenden at 2018-10-04T08:40:52-04:00
clang: Dead assignment

- - - - -
3310a251 by Rob Crittenden at 2018-10-04T08:40:52-04:00
clang: Memory leak

- - - - -
db0f8358 by Rob Crittenden at 2018-10-04T08:40:52-04:00
clang: Uninitialized initial value

- - - - -
753d98b3 by Rob Crittenden at 2018-10-04T08:40:52-04:00
clang: Null pointer passed as an argument to a 'nonnull' parameter

- - - - -
9e44680d by Rob Crittenden at 2018-10-04T08:40:52-04:00
clang: Dead increment

- - - - -
31985812 by Rob Crittenden at 2018-10-04T08:40:52-04:00
clang: Dereference of null pointer

- - - - -
f17b7c0a by Rob Crittenden at 2018-10-04T08:40:52-04:00
Add missing case for cm_prefs_aes192

- - - - -
ba4c5049 by Rob Crittenden at 2018-11-07T14:32:57-05:00
Improve documentation around multiple values for subjectAltName

https://pagure.io/certmonger/issue/105

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
c793d281 by Rob Crittenden at 2018-11-21T11:50:37-05:00
Use ldap_str2dn to convert a subject into a DN

Previously certmonger was parsing the subject itself using
commas which didn't account for escaping. Instead rely on
LDAP DN parsing.

https://pagure.io/certmonger/issue/90

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
47a60740 by Fraser Tweedale at 2018-11-21T11:53:57-05:00
csrgen-o: handle multi-value RDNs and log dropped AVAs

The existing procedure only took the first AVA from each RDN.
Update the X509_NAME construction procedure to preserve multi-valued
RDNs.

X509_NAME_add_entry_by_txt() requires attribute short names ("CN",
"O", etc) to be in upper case, otherwise it fails to add the
attribute.  Explicitly convert the user input to an Object ID
(ASN1_OBJECT) and if it fails, upper case the string and retry.

Log when an AVA cannot be added to the X509_NAME (typically because
the attribute type is not recognised).

- - - - -
bf91c284 by Fraser Tweedale at 2018-11-21T11:54:30-05:00
csrgen-o: extract X509_NAME creation subroutines

The code that turns a string into an X509_NAME is big, complex and
way too deeply indented.  Extract it into two separate subroutines.
`ldap_dn_to_X509_NAME` tries to turn a string DN into an X509_NAME.
`cn_to_X509_NAME` takes a whole string and uses it as the CN in a
single-AVA X509_NAME.

- - - - -
632fc96c by Fraser Tweedale at 2019-02-11T13:33:15+11:00
test handling of DNs with escaped chars

We were not testing handling of DNs with escaped characters.  Update
the csrgen test to check this.

Part of: https://pagure.io/certmonger/issue/90

- - - - -
d4e43d20 by Rob Crittenden at 2019-02-21T08:10:44-05:00
Tag 0.79.7

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
c2687bdf by Orion Poplawski at 2019-05-20T10:05:34-06:00
Change /var/run -> /run in systemd service file

systemd 239 complains about the legacy of certmonger's PID file which is
located in /var/run.

Signed-off-by: Orion Poplawski <orion at nwra.com>

- - - - -
3ea833df by Rob Crittenden at 2019-05-21T10:21:32-04:00
Drop tests for 1024 and 1536-bit keys

Nobody should be using keys this small at this point so there is
no need to test for them. Also, on Fedora and RHEL they are
disallowed by system-wide crypto policy.

- - - - -
7736d393 by Rob Crittenden at 2019-05-22T14:56:37-04:00
Move systemd tmpfiles from /var/run to /run

systemd 239 complains about the legacy of certmonger's tmpfiles
which are located in /var/run.

https://pagure.io/certmonger/issue/111

- - - - -
ff0bce09 by Rob Crittenden at 2019-07-17T17:11:38+00:00
Display profile, MS template and requested issuer if available

Include more optional fields in the getcert list output.

https://pagure.io/certmonger/issue/117

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
c9b7c40f by Rob Crittenden at 2019-07-17T13:15:33-04:00
Tag 0.79.8

- - - - -
8c4ace52 by Rob Crittenden at 2019-07-26T13:40:02+00:00
Document key/cert file owner and mode options

The owner and permission options were available but not
documented either on the command-line or in the man page.

Affects request, resubmit and start-tracking commands.

https://bugzilla.redhat.com/show_bug.cgi?id=1549585

- - - - -
bcd76416 by Stanislav Levin at 2019-08-14T12:34:39+03:00
Sync nodsa expectations in dbus tests

Fixes: https://pagure.io/certmonger/issue/122
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
7b065fba by Rob Crittenden at 2019-09-03T10:31:05-04:00
Allow principal to be set during start-tracking

It was previously silently dropped by start-tracking.

This is handy in an IPA environment for tracking certificates
that don't have the principal encoded into the certificate
itself.

https://pagure.io/certmonger/issue/127

- - - - -
59df833c by Rob Crittenden at 2019-09-04T14:06:51-04:00
Update tests to include the security module DB in expected output

certmonger was previously always initializing the databases with
the flag NSS_INIT_NOMODDB but in at least NSS 3.44 this doesn't
seem to initialize external modules (tested with SoftHSM2).

https://pagure.io/certmonger/issue/125

- - - - -
34c120f0 by Rob Crittenden at 2019-09-04T14:06:51-04:00
Remove NOMODDB flag from context init, look for full tokens

The NSS databases were almost universally initialized with the
NOMODDB flag. I'm not sure if something changed in NSS but the
PKCS#11 modules were not being initialized. Adding this back after
permission checks are done results in tokens working again.

When looking for certs and keys try the full token:nickname string
as well as just nickname when comparing values.

https://pagure.io/certmonger/issue/125

- - - - -
c10e0f6f by Rob Crittenden at 2019-09-06T13:43:13-04:00
Pass the CA identifier to the SCEP submit helper

Patch contributed by Alexy Dotsenko

https://pagure.io/certmonger/issue/58

- - - - -
023cfd2a by Rob Crittenden at 2019-09-06T13:44:16-04:00
Fix re-key after importing existing private key

If the key_gen size and algorithm are not set then set it
with the current key. This is important when generating a
certificate using a pre-existing private key.

Previously a resubmit would cause certmonger to generate a new
2048-bit key regardless of the previous key size.

https://pagure.io/certmonger/issue/124

- - - - -
9bbb6286 by Rob Crittenden at 2019-09-06T13:45:30-04:00
Optimize closing open file descriptors

When forking, the code would close all unused file descriptors up
to maximum number of files. In the default case this is 1024. In
the container case this is 1048576. Huge delays in startup were
seen due to this.

Even in a default 1024 ulimit case this drastically reduces the
number of file descriptors to mark FD_CLOEXEC but in the container
default case this saves another order of magnitude of work.

This patch takes inspiration from systemd[1] and walks /proc/self/fd
if it is available to determine the list of open descriptors. It
falls back to the "close all fds we don't care about up to limit"
method.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

[1] https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217

- - - - -
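The /proc/self/fd walk with the "close everything up to the limit" fallback that the commit above describes, as an added example (not certmonger's own `cm_subproc_mark_most_cloexec()`; the function and helper names here are hypothetical, and the kept descriptors are passed in as an array):

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>
/* Nonzero if fd is one of the descriptors the caller wants left inheritable. */
static int is_kept(int fd, const int *keep, size_t nkeep)
{
	for (size_t i = 0; i < nkeep; i++)
		if (keep[i] == fd) return 1;
	return 0;
}
/* Set FD_CLOEXEC on fd; fcntl() fails harmlessly with EBADF if fd is not open. */
static void set_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);
	if (flags >= 0 && !(flags & FD_CLOEXEC))
		fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}
/* Slow path from the commit message: visit every number below the soft RLIMIT_NOFILE. */
static void mark_cloexec_by_scan(const int *keep, size_t nkeep)
{
	struct rlimit rl;
	long max = sysconf(_SC_OPEN_MAX);
	if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
		max = (long) rl.rlim_cur;
	for (long fd = 0; fd < max; fd++)
		if (!is_kept((int) fd, keep, nkeep)) set_cloexec((int) fd);
}
/* Mark every open descriptor except those in keep[] close-on-exec. Walks
 * /proc/self/fd when available, so the cost scales with the number of open
 * descriptors, not with RLIMIT_NOFILE. Returns 1 if the walk was used, 0 on fallback. */
int mark_most_cloexec(const int *keep, size_t nkeep)
{
	DIR *dir = opendir("/proc/self/fd");
	if (dir == NULL) {
		mark_cloexec_by_scan(keep, nkeep);
		return 0;
	}
	struct dirent *de; char *end;
	while ((de = readdir(dir)) != NULL) {
		long fd = strtol(de->d_name, &end, 10);
		if (end == de->d_name || *end != '\0') continue;	/* "." and ".." */
		/* Skip the walk's own descriptor (closedir() owns it) and the kept fds. */
		if ((int) fd == dirfd(dir) || is_kept((int) fd, keep, nkeep)) continue;
		set_cloexec((int) fd);
	}
	closedir(dir);
	return 1;
}
```

Whichever path runs, the caller's stdin/stdout/stderr choices must be in keep[]; the two follow-up commits in this push ("Don't close STDOUT..." and "Don't close STDERR...") are exactly the case where a descriptor was left out of that list.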
b7bcb1b3 by Rob Crittenden at 2019-10-10T16:28:18-04:00
Don't close STDOUT when calling the CA fetch_roots function

cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.

This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.

- - - - -
64702b25 by Rob Crittenden at 2019-10-16T16:19:14-04:00
Try to pull the entire CA chain from IPA

IPA originally stored a single cert in cn=cacert which is
what certmonger has always retrieved in fetch_roots. It was
replaced to store cn=certificates as separate entries in order
to more easily support chains and to include additional
metadata about certificates.

Try to pull the chain from that location first and fall back
to cn=cacert if no entries are found.

https://bugzilla.redhat.com/show_bug.cgi?id=1710632

- - - - -
205775f7 by Rob Crittenden at 2019-10-25T16:44:43-04:00
Don't close STDERR when submitting request

cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.

This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.

- - - - -
e1f582e3 by Rob Crittenden at 2019-11-08T09:17:45-05:00
Convert tests to use python3

- drop or change shebang to python3
- use $PYTHON when available, default to python3
- convert print statements to the print() function
- remove u"..." literals
- remove Integer literals l and L
- xml Element.getchildren() method is deprecated
- sys.stdout.write -> sys.stdout.buffer.write

https://pagure.io/certmonger/issue/138

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
With contributions from Stanislav Levin <slev at altlinux.org>

- - - - -
720922b8 by Rob Crittenden at 2020-01-31T10:38:19-05:00
Fix use-after-free issue

The basedn value was freed after the first search but a second
one could be initiated.

- - - - -
13abd68c by Rob Crittenden at 2020-01-31T10:38:19-05:00
Remove DSA testing for NSS which disables it in crypto policy

DSA is disabled in DEFAULT crypto policy in F30+

- - - - -
e433bea8 by Rob Crittenden at 2020-01-31T10:38:19-05:00
Tag 0.79.9

- - - - -


30 changed files:

- certmonger.spec
- configure.ac
- doc/helpers.txt
- src/Makefile.am
- src/cadata.c
- src/casave.c
- src/certmaster.c
- src/certread-n.c
- src/certsave-n.c
- src/certsave-o.c
- src/csrgen-o.c
- src/dogtag.c
- src/getcert-request.1.in
- src/getcert-resubmit.1.in
- src/getcert-start-tracking.1.in
- src/getcert.c
- src/ipa.c
- src/keygen-n.c
- src/keyiread-n.c
- src/keyiread.c
- src/local.c
- src/prefs-o.c
- src/scep.c
- src/scepgen-n.c
- src/srvloc.c
- src/store-files.c
- src/store-gen.c
- src/submit-e.c
- src/submit-n.c
- src/submit-sn.c


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/647aaf59dcba62530e1c607bb82fdfd2c3a4aa5b...e433bea8cfccdefbf0d2b58059eb914ee1a3e01e


