[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][upstream] 20 commits: Add a PEM validity checker and validate SCEP CA files
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Fri Aug 26 07:57:32 BST 2022
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / certmonger
Commits:
fe0b1a21 by Rob Crittenden at 2022-01-06T15:03:41-05:00
Add a PEM validity checker and validate SCEP CA files
If a non-PEM file was passed into add-scep-ca it would
accept it without question but later fail with:
status: CA_UNREACHABLE
ca-error: Error: failed to verify signature on server response.
Try to do basic validation of user-provided PEM files by:
- stripping BEGIN/END headers
- removing newlines and carriage returns
- using OpenSSL EVP library to base64 decode the block
This isn't fool-proof but it at least does some basic
sanity checking to ensure the file(s) exist and appear
to be PEM files.
The unit tests use some Let's Encrypt CA certificates.
https://bugzilla.redhat.com/show_bug.cgi?id=1492112
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
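Added example of the basic PEM sanity check the commit above describes (this is not certmonger's code): it strips the BEGIN/END lines, removes newlines and carriage returns, and strictly base64-decodes the body, rejecting a raw DER file or an empty file the way add-scep-ca should. Python's base64 module stands in for the OpenSSL EVP decoder, and the sample inputs are constructed, not real CA certificates.

```python
import base64
import binascii
import re

# Constructed samples (not real CA files): a 5-byte DER SEQUENCE, the same bytes as
# PEM with CRLF line endings, and the start of a binary DER file (not PEM at all).
TINY_DER = b"\x30\x03\x02\x01\x01"
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n"
DER_BLOB = b"\x30\x82\x05\x5e\x30\x82\x04\x46\xa0\x03\x02\x01\x02"

_RULE = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def parse_pem(data: bytes):
    """Return [(label, der_bytes), ...] for every PEM block, or raise ValueError."""
    try:
        text = data.decode("ascii")              # PEM is 7-bit text; raw DER is not
    except UnicodeDecodeError:
        raise ValueError("binary input, not PEM (DER file?)") from None
    blocks, label, body = [], None, []
    for line in text.replace("\r", "").split("\n"):   # drop CRs, split on LF
        m = _RULE.match(line.strip())
        if label is None:                        # outside a block: wait for BEGIN
            if m and m.group(1) == "BEGIN":
                label, body = m.group(2), []
            continue
        if m is None:                            # body line inside the block
            body.append(line.strip())
            continue
        if m.group(1) != "END" or m.group(2) != label:
            raise ValueError(f"unexpected {m.group(0)!r} inside {label} block")
        try:                                     # strict decode stands in for EVP
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not base64 ({exc})") from None
        if not der:
            raise ValueError(f"{label}: empty body")
        blocks.append((label, der))
        label = None
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks

def is_valid_pem(data: bytes) -> bool:
    try:
        return bool(parse_pem(data))
    except ValueError:
        return False
```

As the commit message says, this is not fool-proof: a well-formed base64 body that is not actually a certificate still passes, so the decoded bytes should still be handed to a real X.509 parser afterwards.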
657c9ab7 by Rob Crittenden at 2022-01-06T15:03:41-05:00
Fix implicit declaration of function ‘PEM_read_bio_X509’
Add an include for openssl/pem.h
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
e92b21d8 by Rob Crittenden at 2022-01-06T15:07:13-05:00
Don't include "NEW" in certificate signing requests
Per https://datatracker.ietf.org/doc/html/rfc7468#section-7
NEW is still acceptable for parsing but generators should no
longer be including it.
I also fixed the dbm test cases which no longer execute in the
off-chance this gets backported to some distribution that has
an NSS version that still supports it.
https://pagure.io/certmonger/issue/228
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
e840b623 by Rob Crittenden at 2022-01-06T15:12:15-05:00
Verify that AES-128 is used for encrypting the local CA
OpenSSL by default used very old defaults, RC2-CBC and 3DES, for
encryption. This resulted in a credential that was unusable if
FIPS was enabled.
Both values are now hardcoded to AES-128-CBC so that it is both
more modern and will work in all situations. This tests that
nothing has changed.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1950132
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
08bd8ae4 by Rob Crittenden at 2022-03-17T16:44:43-04:00
Replace DER-encoded test file with a base64-encoded one
Some build systems will not allow patches that contain
binaries so switch to a base64-encoded file instead.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1492112
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
9880d591 by Rob Crittenden at 2022-03-17T16:47:32-04:00
Correct a bad date in the spec changelog
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
a80b8aae by Rob Crittenden at 2022-03-17T17:31:05-04:00
Switch to https URLs for Sources, etc.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
0883fd2a by Rob Crittenden at 2022-03-18T13:35:30-04:00
Remove dependency on SHA-1
- - - - -
a38036eb by Andika Triwidada at 2022-03-25T15:50:40+01:00
Translated using Weblate (Indonesian)
Currently translated at 5.0% (24 of 473 strings)
Co-authored-by: Andika Triwidada <andika at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/id/
Translation: certmonger/master
- - - - -
1b173e30 by Charles Lee at 2022-03-25T15:50:40+01:00
Translated using Weblate (Chinese (Simplified) (zh_CN))
Currently translated at 44.8% (212 of 473 strings)
Co-authored-by: Charles Lee <lchopn at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/zh_CN/
Translation: certmonger/master
- - - - -
a0fac270 by Dankaházi (ifj.) István at 2022-03-25T15:50:40+01:00
Translated using Weblate (Hungarian)
Currently translated at 41.4% (196 of 473 strings)
Co-authored-by: Dankaházi (ifj.) István <dankahazi.istvan at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/hu/
Translation: certmonger/master
- - - - -
0dae78f6 by Serena She at 2022-03-25T15:50:40+01:00
Translated using Weblate (Chinese (Simplified) (zh_CN))
Currently translated at 56.8% (269 of 473 strings)
Co-authored-by: Serena She <sheyueming at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/zh_CN/
Translation: certmonger/master
- - - - -
4a33f34a by Temuri Doghonadze at 2022-03-25T15:50:40+01:00
Translated using Weblate (Georgian)
Currently translated at 23.0% (109 of 473 strings)
Added translation using Weblate (Georgian)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ka/
Translation: certmonger/master
- - - - -
8b8af84e by Rob Crittenden at 2022-03-29T15:36:36-04:00
tests: Test that the CA constraint DER encoding is correct
A TRUE value was being set to 1 instead of 255
Also correct a hardcoded test filename for a previous test.
- - - - -
f9590861 by Rob Crittenden at 2022-04-07T13:52:30-04:00
Disable DSA in the RPM spec
DSA has been disabled in default crypto policy since Fedora 30
and will cause crashes if used in FIPS mode.
Refresh the 028-dbus no-DSA expected output. It was out-of-sync
from previous changes.
https://bugzilla.redhat.com/show_bug.cgi?id=2066439
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
cd5a03e5 by Rob Crittenden at 2022-04-08T14:26:19-04:00
Manually build the srpm for the copr CI
I'm not sure what changed but copr was building the
srpm using the upstream tarball and not the current git
checkout so it wasn't actually testing anything.
copr now uses the manual make srpm method instead, as
documented at
https://docs.pagure.org/copr.copr/user_documentation.html#make-srpm
Use configure.ac to determine the current version.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
3dc66c72 by Rob Crittenden at 2022-06-07T09:53:15-04:00
Require jansson >= 2.12
The ipa-submit code may include NULL values for some optional
attributes. This is broken in prior jansson releases and was
fixed in https://github.com/akheron/jansson/commit/5df5fc5b13cac5212482d36e7f3a78951782cfb5
The options are for profile and issuer.
- - - - -
387d4182 by Rob Crittenden at 2022-06-07T11:20:24-04:00
Mark the current directory as a safe git directory
This was causing failures to build the srpm in CI:
git archive -v --format=tar --prefix=certmonger-0.79.15/ HEAD | gzip > certmonger-0.79.15.tar.gz
fatal: unsafe repository ('/mnt/workdir-xq6ez2vc/certmonger' is owned by someone else)
- - - - -
1c104335 by Rob Crittenden at 2022-08-16T14:13:31-04:00
Fix usage of PKCS#7 ASN1 attribute retrieval for SCEP keygen
Since pre-1.0.0 code should not have used ASN1_ITEM references
directly like &X509_it. It should instead use the macro
ASN1_ITEM_rptr(X509).
This worked up to 3.0.0.
Switch the code to more current usage of ASN1_ITEM and referencing
the PKCS7 signer info object.
Fixes: https://pagure.io/certmonger/issue/244
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
efa89d77 by Rob Crittenden at 2022-08-25T08:28:39-04:00
Tag 0.79.16
- - - - -
30 changed files:
- + .copr/Makefile
- certmonger.spec
- configure.ac
- po/hu.po
- po/id.po
- + po/ka.po
- po/zh_CN.po
- src/Makefile.am
- src/csrgen-n.c
- src/csrgen-o.c
- src/getcert-add-scep-ca.1.in
- src/getcert.c
- src/scepgen-n.c
- src/submit-n.c
- src/util-o.c
- src/util-o.h
- tests/013-enckey-dbm/expected.out
- tests/013-enckey-sql/expected.out
- tests/013-enckey/expected.out
- tests/015-lockedkey-dbm/expected.out
- tests/015-lockedkey-sql/expected.out
- tests/015-lockedkey/expected.out
- tests/026-local/expected.openssl1
- tests/026-local/expected.openssl3
- tests/026-local/run.sh
- tests/028-dbus/expected.out.nodsa
- tests/033-scep/run.sh
- + tests/040-pem/bad.empty
- + tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
- + tests/040-pem/expected.out
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/548e5759858a88d1d6f9f9db079dd74b5feb7f0a...efa89d77282cb02c0b67b4fea316a6e3ec9c0956