[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][master] 23 commits: Add a PEM validity checker and validate SCEP CA files

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Fri Aug 26 07:57:28 BST 2022



Timo Aaltonen pushed to branch master at FreeIPA packaging / certmonger


Commits:
fe0b1a21 by Rob Crittenden at 2022-01-06T15:03:41-05:00
Add a PEM validity checker and validate SCEP CA files

If a non-PEM file was passed into add-scep-ca it would
accept it without question but later fail with:

status: CA_UNREACHABLE
ca-error: Error: failed to verify signature on server response.

Try to do basic validation of user-provided PEM files by:

- stripping BEGIN/END headers
- removing newlines and carriage returns
- using OpenSSL EVP library to base64 decode the block

This isn't fool-proof but it at least does some basic
sanity checking to ensure the file(s) exist and appear
to be PEM files.

The unit tests use some Let's Encrypt CA certificates.

https://bugzilla.redhat.com/show_bug.cgi?id=1492112

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
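The check this commit describes, written out as an added example for this page (it is not certmonger's code, which does the decode with OpenSSL's EVP base64 routines in C). The function names, the allowed-label set and all sample inputs are my own; the inputs are constructed, not real CA files. The checker strips the BEGIN/END lines, drops line endings, base64-decodes the body strictly, and adds one check beyond the commit's description: the decoded bytes must start with a DER SEQUENCE tag, as every X.509 certificate and CSR does. It accepts the legacy "NEW CERTIFICATE REQUEST" label, which RFC 7468 section 7 still allows parsers to read.

```python
import base64
import binascii
import re

# PEM labels accepted here (assumption for this example). "NEW CERTIFICATE
# REQUEST" is the legacy label RFC 7468 section 7 lets parsers accept but
# tells generators not to emit.
ALLOWED_LABELS = {"CERTIFICATE", "CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}

_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(rb"^-----END ([A-Z0-9 ]+)-----$")


def check_pem(data: bytes):
    """Return (label, der) for the first PEM block in data, or raise ValueError."""
    label = None
    body = []
    for raw in data.split(b"\n"):
        line = raw.strip()            # drops the \r of CRLF files and stray spaces
        if label is None:
            m = _BEGIN.match(line)
            if m:
                label = m.group(1).decode("ascii")
            continue                  # ignore anything before the first BEGIN line
        m = _END.match(line)
        if m:
            if m.group(1).decode("ascii") != label:
                raise ValueError("BEGIN and END labels differ")
            break
        body.append(line)
    else:
        if label is None:
            raise ValueError("no PEM BEGIN line found (DER or garbage file?)")
        raise ValueError("PEM block is not terminated by an END line")

    if label not in ALLOWED_LABELS:
        raise ValueError(f"unexpected PEM label {label!r}")
    b64 = b"".join(body)
    if not b64:
        raise ValueError("PEM body is empty")
    try:
        der = base64.b64decode(b64, validate=True)   # non-alphabet bytes are an error
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body does not start with a DER SEQUENCE")
    return label, der


def describe(data: bytes) -> str:
    """One-line verdict, convenient for a CLI wrapper or for tests."""
    try:
        label, der = check_pem(data)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok: {label}, {len(der)} DER bytes"


# Constructed inputs (not real CA files). The payload is the minimal DER
# SEQUENCE { BOOLEAN TRUE }, which is enough to exercise every check above.
MINIMAL_DER = b"\x30\x03\x01\x01\xff"
GOOD_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
            + base64.encodebytes(MINIMAL_DER).replace(b"\n", b"\r\n")
            + b"-----END CERTIFICATE-----\r\n")
LEGACY_CSR = (b"-----BEGIN NEW CERTIFICATE REQUEST-----\n"
              + base64.encodebytes(MINIMAL_DER)
              + b"-----END NEW CERTIFICATE REQUEST-----\n")
RAW_DER = MINIMAL_DER                  # the kind of file add-scep-ca used to accept silently
EMPTY_FILE = b""
TRUNCATED = b"-----BEGIN CERTIFICATE-----\nMAMBAf8=\n"
BAD_B64 = b"-----BEGIN CERTIFICATE-----\nMAMB*f8=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PEM), ("legacy csr", LEGACY_CSR),
                       ("raw der", RAW_DER), ("empty", EMPTY_FILE),
                       ("truncated", TRUNCATED), ("bad base64", BAD_B64)]:
        print(f"{name:11s} {describe(blob)}")
```

The SEQUENCE-tag check is the cheap part that catches the failure mode the commit message quotes: a file that is syntactically PEM but whose body is not a certificate still produces "failed to verify signature on server response" later, so it is worth rejecting at add-scep-ca time rather than at first SCEP exchange.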
657c9ab7 by Rob Crittenden at 2022-01-06T15:03:41-05:00
Fix implicit declaration of function ‘PEM_read_bio_X509’

Add an include for openssl/pem.h

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
e92b21d8 by Rob Crittenden at 2022-01-06T15:07:13-05:00
Don't include "NEW" in certificate signing requests

Per https://datatracker.ietf.org/doc/html/rfc7468#section-7
NEW is still acceptable for parsing but generators should no
longer be including it.

I also fixed the dbm test cases which no longer execute in the
off-chance this gets backported to some distribution that has
an NSS version that still supports it.

https://pagure.io/certmonger/issue/228

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
e840b623 by Rob Crittenden at 2022-01-06T15:12:15-05:00
Verify that AES-128 is used for encrypting the local CA

OpenSSL used very old defaults, RC2-CBC and 3DES, for
encryption. This resulted in a credential that was unusable if
FIPS was enabled.

Both values are now hardcoded to AES-128-CBC so that it is both
more modern and will work in all situations. This tests that
nothing has changed.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1950132

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
08bd8ae4 by Rob Crittenden at 2022-03-17T16:44:43-04:00
Replace DER-encoded test file with a base64-encoded one

Some build systems will not allow patches that contain
binaries so switch to a base64-encoded file instead.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1492112

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
9880d591 by Rob Crittenden at 2022-03-17T16:47:32-04:00
Correct a bad date in the spec changelog

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
a80b8aae by Rob Crittenden at 2022-03-17T17:31:05-04:00
Switch to https URLs for Sources, etc.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
0883fd2a by Rob Crittenden at 2022-03-18T13:35:30-04:00
Remove dependency on SHA-1

- - - - -
a38036eb by Andika Triwidada at 2022-03-25T15:50:40+01:00
Translated using Weblate (Indonesian)

Currently translated at 5.0% (24 of 473 strings)

Co-authored-by: Andika Triwidada <andika at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/id/
Translation: certmonger/master

- - - - -
1b173e30 by Charles Lee at 2022-03-25T15:50:40+01:00
Translated using Weblate (Chinese (Simplified) (zh_CN))

Currently translated at 44.8% (212 of 473 strings)

Co-authored-by: Charles Lee <lchopn at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/zh_CN/
Translation: certmonger/master

- - - - -
a0fac270 by Dankaházi (ifj.) István at 2022-03-25T15:50:40+01:00
Translated using Weblate (Hungarian)

Currently translated at 41.4% (196 of 473 strings)

Co-authored-by: Dankaházi (ifj.) István <dankahazi.istvan at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/hu/
Translation: certmonger/master

- - - - -
0dae78f6 by Serena She at 2022-03-25T15:50:40+01:00
Translated using Weblate (Chinese (Simplified) (zh_CN))

Currently translated at 56.8% (269 of 473 strings)

Co-authored-by: Serena She <sheyueming at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/zh_CN/
Translation: certmonger/master

- - - - -
4a33f34a by Temuri Doghonadze at 2022-03-25T15:50:40+01:00
Translated using Weblate (Georgian)

Currently translated at 23.0% (109 of 473 strings)

Added translation using Weblate (Georgian)

Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ka/
Translation: certmonger/master

- - - - -
8b8af84e by Rob Crittenden at 2022-03-29T15:36:36-04:00
tests: Test that the CA constraint DER encoding is correct

A TRUE value was being set to 1 instead of 255

Also correct a hardcoded test filename for a previous test.

- - - - -
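The encoding rule behind this test, as an added example for this page rather than certmonger's own code (the function names and the constructed byte strings are mine). X.690 allows a BER BOOLEAN TRUE to be any non-zero octet, but DER requires exactly 0xFF, so a BasicConstraints extension with cA written as 0x01 parses under lenient decoders and fails under strict ones. The toy encoder below produces the DER form, and the decoder shows both behaviours; pathLenConstraint is deliberately not encoded.

```python
def der_length(n: int) -> bytes:
    """DER length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_boolean(value: bool) -> bytes:
    # X.690 11.1: under DER, TRUE is the single octet 0xFF. BER accepts any
    # non-zero octet, which is why a 0x01 "worked" with lenient parsers.
    return b"\x01\x01" + (b"\xff" if value else b"\x00")


def basic_constraints(ca: bool) -> bytes:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }

    DER forbids encoding a component equal to its DEFAULT, so cA=FALSE is an
    empty SEQUENCE. pathLenConstraint is left out of this toy encoder.
    """
    content = der_boolean(True) if ca else b""
    return b"\x30" + der_length(len(content)) + content


def decode_boolean(tlv: bytes, strict: bool = True) -> bool:
    if len(tlv) != 3 or tlv[0] != 0x01 or tlv[1] != 0x01:
        raise ValueError("not a single-octet BOOLEAN")
    octet = tlv[2]
    if octet == 0x00:
        return False
    if octet == 0xFF or not strict:
        return True
    raise ValueError(f"BOOLEAN TRUE encoded as 0x{octet:02x}; DER requires 0xff")


def parse_basic_constraints(ext: bytes, strict: bool = True) -> bool:
    """Return cA from a BasicConstraints value; strict=True enforces DER."""
    if len(ext) < 2 or ext[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    first = ext[1]
    if first < 0x80:
        length, start = first, 2
    else:
        n = first & 0x7F
        if n == 0 or 2 + n > len(ext):
            raise ValueError("bad length encoding")
        length, start = int.from_bytes(ext[2:2 + n], "big"), 2 + n
    content = ext[start:]
    if len(content) != length:
        raise ValueError("length does not match input")
    if not content or content[0] == 0x02:   # cA absent; an INTEGER here is pathLen only
        return False
    return decode_boolean(content[:3], strict)


def is_valid_der(ext: bytes) -> bool:
    """True when the extension value parses under strict DER rules."""
    try:
        parse_basic_constraints(ext, strict=True)
        return True
    except ValueError:
        return False


# Constructed values: the correct DER encoding, and the 0x01 variant the
# regression test guards against.
CA_TRUE_DER = b"\x30\x03\x01\x01\xff"
CA_TRUE_BER_ONLY = b"\x30\x03\x01\x01\x01"

if __name__ == "__main__":
    print("encoded:", basic_constraints(True).hex())
    print("DER variant valid:", is_valid_der(CA_TRUE_DER))
    print("0x01 variant valid:", is_valid_der(CA_TRUE_BER_ONLY))
```

A certificate carrying the 0x01 form is not just a cosmetic defect: its signature covers the bytes as issued, so a strict verifier that re-encodes or rejects the extension will fail the chain, and the failure surfaces far from the code that produced the extension.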
f9590861 by Rob Crittenden at 2022-04-07T13:52:30-04:00
Disable DSA in the RPM spec

DSA has been disabled in default crypto policy since Fedora 30
and will cause crashes if used in FIPS mode.

Refresh the 028-dbus no-DSA expected output. It was out-of-sync
from previous changes.

https://bugzilla.redhat.com/show_bug.cgi?id=2066439

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
cd5a03e5 by Rob Crittenden at 2022-04-08T14:26:19-04:00
Manually build the srpm for the copr CI

I'm not sure what changed but copr was building the
srpm using the upstream tarball and not the current git
checkout so it wasn't actually testing anything.

copr now uses the manual make srpm method instead, as
documented at
https://docs.pagure.org/copr.copr/user_documentation.html#make-srpm

Use configure.ac to determine the current version.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
3dc66c72 by Rob Crittenden at 2022-06-07T09:53:15-04:00
Require jansson >= 2.12

The ipa-submit code may include NULL values for some optional
attributes. This is broken in prior jansson releases and was
fixed in https://github.com/akheron/jansson/commit/5df5fc5b13cac5212482d36e7f3a78951782cfb5

The options are for profile and issuer.

- - - - -
387d4182 by Rob Crittenden at 2022-06-07T11:20:24-04:00
Mark the current directory as a safe git directory

This was causing failures to build the srpm in CI:

git archive -v --format=tar --prefix=certmonger-0.79.15/ HEAD | gzip > certmonger-0.79.15.tar.gz
fatal: unsafe repository ('/mnt/workdir-xq6ez2vc/certmonger' is owned by someone else)

- - - - -
1c104335 by Rob Crittenden at 2022-08-16T14:13:31-04:00
Fix usage of PKCS#7 ASN1 attribute retrieval for SCEP keygen

Since pre-1.0.0 code should not have used ASN1_ITEM references
directly like &X509_it. It should instead use the macro
ASN1_ITEM_rptr(X509).

This worked up to 3.0.0.

Switch the code to more current usage of ASN1_ITEM and referencing
the PKCS7 signer info object.

Fixes: https://pagure.io/certmonger/issue/244

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
efa89d77 by Rob Crittenden at 2022-08-25T08:28:39-04:00
Tag 0.79.16

- - - - -
e0aba711 by Timo Aaltonen at 2022-08-25T15:54:50+03:00
Merge branch 'upstream'

- - - - -
dad24c66 by Timo Aaltonen at 2022-08-26T09:42:51+03:00
version bump

- - - - -
e1a1f56f by Timo Aaltonen at 2022-08-26T09:43:00+03:00
releasing package certmonger version 0.79.16-1

- - - - -


30 changed files:

- + .copr/Makefile
- certmonger.spec
- configure.ac
- debian/changelog
- po/hu.po
- po/id.po
- + po/ka.po
- po/zh_CN.po
- src/Makefile.am
- src/csrgen-n.c
- src/csrgen-o.c
- src/getcert-add-scep-ca.1.in
- src/getcert.c
- src/scepgen-n.c
- src/submit-n.c
- src/util-o.c
- src/util-o.h
- tests/013-enckey-dbm/expected.out
- tests/013-enckey-sql/expected.out
- tests/013-enckey/expected.out
- tests/015-lockedkey-dbm/expected.out
- tests/015-lockedkey-sql/expected.out
- tests/015-lockedkey/expected.out
- tests/026-local/expected.openssl1
- tests/026-local/expected.openssl3
- tests/026-local/run.sh
- tests/028-dbus/expected.out.nodsa
- tests/033-scep/run.sh
- + tests/040-pem/bad.empty
- + tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/dfdd9a40ea43ee5572644ce44be2a21448b6975d...e1a1f56f9195437525b8f4685abc2745e59b5801
