[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][master] 9 commits: Add .gitignore to project

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Feb 23 11:50:26 GMT 2022



Timo Aaltonen pushed to branch master at FreeIPA packaging / certmonger


Commits:
fdc5c87c by Christian Heimes at 2021-10-12T09:07:31+02:00
Add .gitignore to project

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
fcb02122 by Rob Crittenden at 2021-11-11T13:12:02-05:00
Reject a certificate with an empty NSS nickname

It technically wasn't NULL initially; it was "", so it wasn't being
caught in the NULL check. The value stored was "", which was treated
as NULL when re-read, so the request would eventually lead to a
SEGFAULT by doing a strcmp.

https://bugzilla.redhat.com/show_bug.cgi?id=1995681

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
8b0589d1 by Rob Crittenden at 2022-01-05T14:42:58-05:00
Port to OpenSSL 3.0.0

Few API changes were necessary, fortunately.

Change NSS database type default in the tests to sql since dbm
support is dropped in recent versions.

Specify the PKCS#12 key and cipher parameters to be more compatible
between OpenSSL and NSS.

- - - - -
548e5759 by Rob Crittenden at 2022-01-05T14:43:17-05:00
Tag 0.79.15

- - - - -
2b9eea7c by Timo Aaltonen at 2022-02-23T13:23:16+02:00
Merge branch 'upstream'

- - - - -
ffe4d86b by Timo Aaltonen at 2022-02-23T13:23:42+02:00
version bump

- - - - -
7452d578 by Timo Aaltonen at 2022-02-23T13:24:31+02:00
control: Bump debhelper-compat to 13, policy to 4.6.0.

- - - - -
30ffb902 by Timo Aaltonen at 2022-02-23T13:46:19+02:00
0001-candidate-openssl-3.0-compat-fixes.patch: Dropped, upstream.

- - - - -
dfdd9a40 by Timo Aaltonen at 2022-02-23T13:49:42+02:00
releasing package certmonger version 0.79.15-1

- - - - -


30 changed files:

- + .gitignore
- certmonger.spec
- configure.ac
- debian/changelog
- debian/control
- − debian/patches/0001-candidate-openssl-3.0-compat-fixes.patch
- debian/patches/series
- debian/rules
- src/keyiread-o.c
- src/tdbush.c
- src/util-o.c
- tests/001-keyiread-ec/run.sh
- tests/001-keyiread-rsa/run.sh
- tests/001-keyiread/run.sh
- + tests/002-keygen-sql/prequal.sh
- tests/002-keygen/run.sh
- tests/003-csrgen-ec/run.sh
- tests/003-csrgen-rsa/run.sh
- tests/003-csrgen/run.sh
- tests/004-selfsign-ec/run.sh
- tests/004-selfsign-rsa/run.sh
- tests/004-selfsign/run.sh
- tests/025-casave/run.sh
- + tests/026-local/expected.openssl1
- + tests/026-local/expected.openssl3
- tests/026-local/expected.out
- tests/026-local/run.sh
- tests/030-rekey/expected.out
- tests/030-rekey/run.sh
- tests/036-getcert/run.sh


Changes:

=====================================
.gitignore
=====================================
@@ -0,0 +1,123 @@
+# Autotools files - generated by autoreconf -i
+/m4
+
+# gettext infrastructure
+/ABOUT-NLS
+/po/*.gmo
+/po/*~
+/po/Makefile.hack
+/po/Makefile.in.in
+/po/Makevars.template
+/po/POTFILES
+/po/POTFILES.in
+/po/remove-potcdate.sed
+/po/Rules-quot
+/po/stamp-po
+/po/*.header
+/po/*.sin
+/po/*.sed
+
+# In-tree build files
+configure
+config.h
+config.h.in
+Makefile
+Makefile.in
+.deps/
+.libs/
+*.la
+*.a
+*.lo
+*.log
+*.o
+*.trs
+*~
+version.m4
+aclocal.m4
+autom4te.cache/
+config.guess
+config.log
+config.rpath
+config.status
+config.sub
+depcomp
+install-sh
+ltmain.sh
+missing
+stamp-h1
+libtool
+build/
+compile
+test-driver
+
+# output
+/dbus/certmonger.conf
+/dbus/certmonger.service
+/src/certmonger
+/src/certmonger-session
+/src/certmonger.conf
+/src/dogtag-ipa-renew-agent-submit
+/src/dogtag-submit
+/src/getcert
+/src/introspect.sh
+/src/ipa-getcert
+/src/ipa-submit
+/src/local-getcert
+/src/local-submit
+/src/nl-check
+/src/scep-submit
+/src/selfsign-getcert
+/src/serial-check
+/src/submit-d
+/src/submit-h
+/src/tdbusm-check
+/src/toklist
+/systemd/certmonger.conf
+/systemd/certmonger.service
+/systemd/org.fedorahosted.certmonger.service
+/sysvinit/certmonger
+
+# man pages
+/src/*.1
+/src/*.5
+/src/*.8
+
+# tests
+actual.err
+actual.out
+/tests/tools/addcinfo
+/tests/tools/base2pem
+/tests/tools/base64
+/tests/tools/cadata
+/tests/tools/canon
+/tests/tools/casave
+/tests/tools/certread
+/tests/tools/certsave
+/tests/tools/checksig
+/tests/tools/citerate
+/tests/tools/csrgen
+/tests/tools/dates
+/tests/tools/dparse
+/tests/tools/fromfile
+/tests/tools/hooks
+/tests/tools/iterate
+/tests/tools/json
+/tests/tools/json-utf8
+/tests/tools/keygen
+/tests/tools/keyiread
+/tests/tools/libexecdir
+/tests/tools/listnicks
+/tests/tools/ls
+/tests/tools/name2oid
+/tests/tools/oid2name
+/tests/tools/payload
+/tests/tools/pem2base
+/tests/tools/pk7decrypt
+/tests/tools/pk7env
+/tests/tools/pk7parse
+/tests/tools/pk7verify
+/tests/tools/prefs
+/tests/tools/printenv
+/tests/tools/scepgen
+/tests/tools/srv
+/tests/tools/submit
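Review bot: the patterns in the "In-tree build files" block (configure, Makefile, compile, missing, libtool, depcomp, ...) are unanchored, unlike the /src, /po and /tests/tools entries, so they also hide any file with one of those names anywhere in the tree, including in tests/; if that is not intended, prefix them with "/" as the other blocks do.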


=====================================
certmonger.spec
=====================================
@@ -27,7 +27,7 @@
 %bcond_with xmlrpc
 
 Name:		certmonger
-Version:	0.79.14
+Version:	0.79.15
 Release:	1%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
@@ -264,6 +264,27 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan  5 2022 Rob Crittenden <rcritten at redhat.com> - 0.79.15-1
+- update to 0.79.15
+  - Translated using Weblate (Swedish)
+  - Translated using Weblate (Indonesian)
+  - Translated using Weblate (Indonesian)
+  - Translated using Weblate (Sinhala)
+  - Translated using Weblate (French)
+  - Translated using Weblate (Korean)
+  - Port to OpenSSL 3.0.0
+  - Use extensions template from NSS
+  - Use implicit, empty FALSE for extensions
+  - Add .gitignore to project
+  - If an existing cert exists, use it to decrypt the PKCS#7 envelope
+  - Increase minimum allowed RSA key size to 1024
+  - Make the default RSA key size configurable
+  - Fix file descriptor leak when executing CA helpers
+  - Add compile check for EVP_PKEY_get_id along with EVP_PKEY_id
+  - Update csrgen test to understand OpenSSL 3.0.0 output
+  - Reject a certificate with an empty NSS nickname
+  - Add SCEP config option to treat the challenge password as an OTP
+
 * Tue Jun 14 2021 Rob Crittenden <rcritten at redhat.com> - 0.79.14-1
 - update to 0.79.14
   -  Fix local CA to work under FIPS
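Review bot: the 0.79.15 entry lists "Translated using Weblate (Indonesian)" twice on consecutive lines; drop one. Note also that most of the items in this entry (the file descriptor leak fix, the RSA key size changes, the SCEP OTP option) do not appear in the diff of this push, because the package was already built from a 0.79.14+git20211010 snapshot; the code delta here is only the OpenSSL 3 port and the empty-nickname check.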


=====================================
configure.ac
=====================================
@@ -1,4 +1,4 @@
-AC_INIT(certmonger,0.79.14)
+AC_INIT(certmonger,0.79.15)
 AM_INIT_AUTOMAKE([foreign subdir-objects])
 AC_CONFIG_MACRO_DIR(m4)
 AM_MAINTAINER_MODE([disable])


=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+certmonger (0.79.15-1) unstable; urgency=medium
+
+  * New upstream release. (Closes: #1003750)
+  * control: Bump debhelper-compat to 13, policy to 4.6.0.
+  * 0001-candidate-openssl-3.0-compat-fixes.patch: Dropped, upstream.
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Wed, 23 Feb 2022 13:48:49 +0200
+
 certmonger (0.79.14+git20211010-3) experimental; urgency=medium
 
   * Fix build with OpenSSL 3.0. (Closes: #1001311)
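Review bot: the entry omits the debian/rules change made in this same upload (the override_dh_missing stanza with dh_missing --fail-missing is removed); add a line for it, since it changes what the build checks for uninstalled files.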


=====================================
debian/control
=====================================
@@ -3,7 +3,7 @@ Section: utils
 Priority: optional
 Maintainer: Debian FreeIPA Team <pkg-freeipa-devel at alioth-lists.debian.net>
 Uploaders: Timo Aaltonen <tjaalton at debian.org>
-Build-Depends: debhelper-compat (= 12), quilt,
+Build-Depends: debhelper-compat (= 13), quilt,
  autopoint,
  dbus (>= 1.8),
  dos2unix,
@@ -26,7 +26,7 @@ Build-Depends: debhelper-compat (= 12), quilt,
  openssl,
  pkg-config,
  uuid-dev,
-Standards-Version: 4.5.0
+Standards-Version: 4.6.0
 Homepage: https://pagure.io/certmonger/
 Vcs-Git: https://salsa.debian.org/freeipa-team/certmonger.git
 Vcs-Browser: https://salsa.debian.org/freeipa-team/certmonger


=====================================
debian/patches/0001-candidate-openssl-3.0-compat-fixes.patch deleted
=====================================
@@ -1,573 +0,0 @@
-From 3fb9420e843694567a4976c6d5fbe4551d6e0c99 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten at redhat.com>
-Date: Tue, 18 May 2021 15:40:53 -0400
-Subject: [PATCH 1/3] candidate openssl 3.0 compat fixes
-
----
- src/keyiread-o.c                  | 16 +++++--
- src/util-o.c                      |  2 +
- tests/001-keyiread-ec/run.sh      |  2 +-
- tests/001-keyiread-rsa/run.sh     |  2 +-
- tests/001-keyiread/run.sh         |  2 +-
- tests/002-keygen-sql/prequal.sh   |  5 +++
- tests/002-keygen/run.sh           |  2 +-
- tests/003-csrgen-ec/run.sh        |  2 +-
- tests/003-csrgen-rsa/run.sh       |  2 +-
- tests/003-csrgen/run.sh           |  2 +-
- tests/004-selfsign-ec/run.sh      |  2 +-
- tests/004-selfsign-rsa/run.sh     |  2 +-
- tests/004-selfsign/run.sh         |  2 +-
- tests/025-casave/run.sh           |  2 +-
- tests/026-local/expected.openssl1 | 73 ++++++++++++++++++++++++++++++
- tests/026-local/expected.openssl3 | 68 ++++++++++++++++++++++++++++
- tests/026-local/expected.out      | 74 +------------------------------
- tests/026-local/run.sh            | 11 ++++-
- tests/030-rekey/expected.out      |  4 --
- tests/030-rekey/run.sh            | 10 +----
- tests/036-getcert/run.sh          |  2 +-
- 21 files changed, 184 insertions(+), 103 deletions(-)
- create mode 100755 tests/002-keygen-sql/prequal.sh
- create mode 100644 tests/026-local/expected.openssl1
- create mode 100644 tests/026-local/expected.openssl3
-
-diff --git a/src/keyiread-o.c b/src/keyiread-o.c
-index 9fceacf6..51f7f829 100644
---- a/src/keyiread-o.c
-+++ b/src/keyiread-o.c
-@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 				pubikey = cm_store_hex_from_bin(NULL, tmp, length);
- 			}
- 			tmp = NULL;
--			length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
-+			length = i2d_PublicKey(pkey, NULL);
- 			if (length > 0) {
--				pubkey = cm_store_hex_from_bin(NULL, tmp, length);
-+				tmp = malloc(length);
-+				if (tmp != NULL) {
-+					length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
-+					pubkey = cm_store_hex_from_bin(NULL, tmp, length);
-+				}
- 			}
- 		}
- 		fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
-@@ -219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 				pubikey = cm_store_hex_from_bin(NULL, tmp, length);
- 			}
- 			tmp = NULL;
--			length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
-+			length = i2d_PublicKey(nextpkey, NULL);
- 			if (length > 0) {
--				pubkey = cm_store_hex_from_bin(NULL, tmp, length);
-+				tmp = malloc(length);
-+				if (tmp != NULL) {
-+					length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
-+					pubkey = cm_store_hex_from_bin(NULL, tmp, length);
-+				}
- 			}
- 			fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
- 		} else {
-diff --git a/src/util-o.c b/src/util-o.c
-index 0415014a..2208ab64 100644
---- a/src/util-o.c
-+++ b/src/util-o.c
-@@ -46,6 +46,7 @@
- void
- util_o_init(void)
- {
-+#if OPENSSL_VERSION_MAJOR < 3
- #if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
- 	OpenSSL_add_all_algorithms();
- #elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS
-@@ -53,6 +54,7 @@ util_o_init(void)
- #else
- 	SSL_library_init();
- #endif
-+#endif
- }
- 
- char *
-diff --git a/tests/001-keyiread-ec/run.sh b/tests/001-keyiread-ec/run.sh
-index 3045f6d0..8a810d15 100755
---- a/tests/001-keyiread-ec/run.sh
-+++ b/tests/001-keyiread-ec/run.sh
-@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do
- 	EOF
- 	$toolsdir/keyiread entry.nss.$size
- 	# Export the key.
--	if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
-+	if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
- 		echo Error exporting key for $size, continuing.
- 		continue
- 	fi
-diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
-index c6b4d38b..997ce000 100755
---- a/tests/001-keyiread-rsa/run.sh
-+++ b/tests/001-keyiread-rsa/run.sh
-@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
- 		-s "cn=T$size" -c "cn=T$size" \
- 		-x -t u -k rsa
- 	# Export the key.
--	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
-+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
- 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
- 	cat > entry.openssl.$size <<- EOF
- 	key_storage_type=FILE
-diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
-index 25acdbd8..3a2502a6 100755
---- a/tests/001-keyiread/run.sh
-+++ b/tests/001-keyiread/run.sh
-@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
- 		-s "cn=T$size" -c "cn=T$size" \
- 		-x -t u
- 	# Export the key.
--	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
-+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
- 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
- 	cat > entry.openssl.$size <<- EOF
- 	key_storage_type=FILE
-diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
-new file mode 100755
-index 00000000..d146a650
---- /dev/null
-+++ b/tests/002-keygen-sql/prequal.sh
-@@ -0,0 +1,5 @@
-+#!/bin/sh
-+if test `id -u` -eq 0 ; then
-+	echo "This test won't work right if run as root."
-+	exit 1
-+fi
-diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
-index 8bb609c5..e7e6525f 100755
---- a/tests/002-keygen/run.sh
-+++ b/tests/002-keygen/run.sh
-@@ -2,7 +2,7 @@
- 
- cd "$tmpdir"
- 
--scheme="${scheme:-dbm:}"
-+scheme="${scheme:-sql:}"
- 
- source "$srcdir"/functions
- initnssdb "$scheme$tmpdir"
-diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
-index 91117ec8..408ea526 100755
---- a/tests/003-csrgen-ec/run.sh
-+++ b/tests/003-csrgen-ec/run.sh
-@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
- 	-s "cn=T$size" -c "cn=T$size" \
- 	-x -t u -k ec -q $size
- # Export the key.
--pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
-+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
- openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )
- # Read the public key and cache it.
- cat > entry.openssl.$size <<- EOF
-diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
-index bb8ebecb..9c11c708 100755
---- a/tests/003-csrgen-rsa/run.sh
-+++ b/tests/003-csrgen-rsa/run.sh
-@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
- 		-s "cn=T$size" -c "cn=T$size" \
- 		-x -t u -k rsa
- 	# Export the key.
--	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
-+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
- 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )
- 	# Read the public key and cache it.
- 	cat > entry.openssl.$size <<- EOF
-diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
-index d3dfbaf0..2a674679 100755
---- a/tests/003-csrgen/run.sh
-+++ b/tests/003-csrgen/run.sh
-@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
- 		-s "cn=T$size" -c "cn=T$size" \
- 		-x -t u
- 	# Export the key.
--	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
-+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
- 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : )
- 	# Read the public key and cache it.
- 	cat > entry.openssl.$size <<- EOF
-diff --git a/tests/004-selfsign-ec/run.sh b/tests/004-selfsign-ec/run.sh
-index 9d5bd11f..d1161fe5 100755
---- a/tests/004-selfsign-ec/run.sh
-+++ b/tests/004-selfsign-ec/run.sh
-@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
- 	-s "cn=T$size" -c "cn=T$size" \
- 	-x -t u -k ec -q $size
- # Export the certificate and key.
--pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
-+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
- openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
- # Read that OpenSSL key.
- cat > entry.$size <<- EOF
-diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
-index c1dd4c80..b0cc71d2 100755
---- a/tests/004-selfsign-rsa/run.sh
-+++ b/tests/004-selfsign-rsa/run.sh
-@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do
- 		-s "cn=T$size" -c "cn=T$size" \
- 		-x -t u -k rsa
- 	# Export the certificate and key.
--	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
-+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
- 	openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
- 	# Read that OpenSSL key.
- 	cat > entry.$size <<- EOF
-diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
-index eb1df4ee..ea00f4d7 100755
---- a/tests/004-selfsign/run.sh
-+++ b/tests/004-selfsign/run.sh
-@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do
- 		-s "cn=T$size" -c "cn=T$size" \
- 		-x -t u
- 	# Export the certificate and key.
--	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
-+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
- 	openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
- 	# Read that OpenSSL key.
- 	cat > entry.$size <<- EOF
-diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh
-index d81df82f..089d8223 100755
---- a/tests/025-casave/run.sh
-+++ b/tests/025-casave/run.sh
-@@ -2,7 +2,7 @@
- 
- cd $tmpdir
- 
--scheme="${scheme:-dbm}"
-+scheme="${scheme:-sql}"
- cat > $tmpdir/entrycb1 <<- EOF
- id=EntryCB1
- ca_name=CAB1
-diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1
-new file mode 100644
-index 00000000..1f81c7ce
---- /dev/null
-+++ b/tests/026-local/expected.openssl1
-@@ -0,0 +1,73 @@
-+[key]
-+OK.
-+[csr]
-+Certificate Request:
-+    Data:
-+        Version: 1 (0x0)
-+        Subject: CN=Babs Jensen's Signer
-+        Attributes:
-+            friendlyName             :unable to print attribute
-+        Requested Extensions:
-+            X509v3 Key Usage: 
-+                Digital Signature, Certificate Sign, CRL Sign
-+            X509v3 Subject Alternative Name: 
-+                email:root at localhost, email:root at localhost.localdomain
-+            X509v3 Basic Constraints: critical
-+                CA:TRUE
-+            X509v3 Authority Key Identifier: 
-+                keyid:(160 bits)
-+
-+            X509v3 Subject Key Identifier: 
-+                (160 bits)
-+            Authority Information Access: 
-+                OCSP - URI:http://ocsp-1.example.com:12345
-+                OCSP - URI:http://ocsp-2.example.com:12345
-+
-+            OCSP No Check: 
-+
-+[issue]
-+[issuer]
-+Certificate:
-+    Data:
-+        Version: 3 (0x2)
-+    Signature Algorithm: sha256WithRSAEncryption
-+        Issuer: CN=Local Signing Authority, CN=$UUID
-+        Subject: CN=Local Signing Authority, CN=$UUID
-+        X509v3 extensions:
-+            X509v3 Basic Constraints: critical
-+                CA:TRUE
-+            X509v3 Subject Key Identifier: 
-+                (160 bits)
-+            X509v3 Authority Key Identifier: 
-+                keyid:(160 bits)
-+
-+            X509v3 Key Usage: critical
-+                Digital Signature, Certificate Sign, CRL Sign
-+[subject]
-+Certificate:
-+    Data:
-+        Version: 3 (0x2)
-+    Signature Algorithm: sha256WithRSAEncryption
-+        Issuer: CN=Local Signing Authority, CN=$UUID
-+        Subject: CN=Babs Jensen's Signer
-+        X509v3 extensions:
-+            X509v3 Key Usage: 
-+                Digital Signature, Certificate Sign, CRL Sign
-+            X509v3 Subject Alternative Name: 
-+                email:root at localhost, email:root at localhost.localdomain
-+            X509v3 Basic Constraints: critical
-+                CA:TRUE
-+            X509v3 Authority Key Identifier: 
-+                keyid:(160 bits)
-+
-+            X509v3 Subject Key Identifier: 
-+                (160 bits)
-+            Authority Information Access: 
-+                OCSP - URI:http://ocsp-1.example.com:12345
-+                OCSP - URI:http://ocsp-2.example.com:12345
-+
-+            OCSP No Check: 
-+
-+[verify]
-+cert: OK
-+OK.
-diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3
-new file mode 100644
-index 00000000..05666ccc
---- /dev/null
-+++ b/tests/026-local/expected.openssl3
-@@ -0,0 +1,68 @@
-+[key]
-+OK.
-+[csr]
-+Certificate Request:
-+    Data:
-+        Version: 1 (0x0)
-+        Subject: CN=Babs Jensen's Signer
-+        Attributes:
-+            friendlyName             :unable to print attribute
-+            Requested Extensions:
-+                X509v3 Key Usage: 
-+                    Digital Signature, Certificate Sign, CRL Sign
-+                X509v3 Subject Alternative Name: 
-+                    email:root at localhost, email:root at localhost.localdomain
-+                X509v3 Basic Constraints: critical
-+                    CA:TRUE
-+                X509v3 Authority Key Identifier: 
-+                    (160 bits)
-+                X509v3 Subject Key Identifier: 
-+                    (160 bits)
-+                Authority Information Access: 
-+                    OCSP - URI:http://ocsp-1.example.com:12345
-+                    OCSP - URI:http://ocsp-2.example.com:12345
-+                OCSP No Check: 
-+
-+[issue]
-+[issuer]
-+Certificate:
-+    Data:
-+        Version: 3 (0x2)
-+    Signature Algorithm: sha256WithRSAEncryption
-+        Issuer: CN=Local Signing Authority, CN=$UUID
-+        Subject: CN=Local Signing Authority, CN=$UUID
-+        X509v3 extensions:
-+            X509v3 Basic Constraints: critical
-+                CA:TRUE
-+            X509v3 Subject Key Identifier: 
-+                (160 bits)
-+            X509v3 Authority Key Identifier: 
-+                (160 bits)
-+            X509v3 Key Usage: critical
-+                Digital Signature, Certificate Sign, CRL Sign
-+[subject]
-+Certificate:
-+    Data:
-+        Version: 3 (0x2)
-+    Signature Algorithm: sha256WithRSAEncryption
-+        Issuer: CN=Local Signing Authority, CN=$UUID
-+        Subject: CN=Babs Jensen's Signer
-+        X509v3 extensions:
-+            X509v3 Key Usage: 
-+                Digital Signature, Certificate Sign, CRL Sign
-+            X509v3 Subject Alternative Name: 
-+                email:root at localhost, email:root at localhost.localdomain
-+            X509v3 Basic Constraints: critical
-+                CA:TRUE
-+            X509v3 Authority Key Identifier: 
-+                (160 bits)
-+            X509v3 Subject Key Identifier: 
-+                (160 bits)
-+            Authority Information Access: 
-+                OCSP - URI:http://ocsp-1.example.com:12345
-+                OCSP - URI:http://ocsp-2.example.com:12345
-+            OCSP No Check: 
-+
-+[verify]
-+cert: OK
-+OK.
-diff --git a/tests/026-local/expected.out b/tests/026-local/expected.out
-index 1f81c7ce..64afb8f5 100644
---- a/tests/026-local/expected.out
-+++ b/tests/026-local/expected.out
-@@ -1,73 +1 @@
--[key]
--OK.
--[csr]
--Certificate Request:
--    Data:
--        Version: 1 (0x0)
--        Subject: CN=Babs Jensen's Signer
--        Attributes:
--            friendlyName             :unable to print attribute
--        Requested Extensions:
--            X509v3 Key Usage: 
--                Digital Signature, Certificate Sign, CRL Sign
--            X509v3 Subject Alternative Name: 
--                email:root at localhost, email:root at localhost.localdomain
--            X509v3 Basic Constraints: critical
--                CA:TRUE
--            X509v3 Authority Key Identifier: 
--                keyid:(160 bits)
--
--            X509v3 Subject Key Identifier: 
--                (160 bits)
--            Authority Information Access: 
--                OCSP - URI:http://ocsp-1.example.com:12345
--                OCSP - URI:http://ocsp-2.example.com:12345
--
--            OCSP No Check: 
--
--[issue]
--[issuer]
--Certificate:
--    Data:
--        Version: 3 (0x2)
--    Signature Algorithm: sha256WithRSAEncryption
--        Issuer: CN=Local Signing Authority, CN=$UUID
--        Subject: CN=Local Signing Authority, CN=$UUID
--        X509v3 extensions:
--            X509v3 Basic Constraints: critical
--                CA:TRUE
--            X509v3 Subject Key Identifier: 
--                (160 bits)
--            X509v3 Authority Key Identifier: 
--                keyid:(160 bits)
--
--            X509v3 Key Usage: critical
--                Digital Signature, Certificate Sign, CRL Sign
--[subject]
--Certificate:
--    Data:
--        Version: 3 (0x2)
--    Signature Algorithm: sha256WithRSAEncryption
--        Issuer: CN=Local Signing Authority, CN=$UUID
--        Subject: CN=Babs Jensen's Signer
--        X509v3 extensions:
--            X509v3 Key Usage: 
--                Digital Signature, Certificate Sign, CRL Sign
--            X509v3 Subject Alternative Name: 
--                email:root at localhost, email:root at localhost.localdomain
--            X509v3 Basic Constraints: critical
--                CA:TRUE
--            X509v3 Authority Key Identifier: 
--                keyid:(160 bits)
--
--            X509v3 Subject Key Identifier: 
--                (160 bits)
--            Authority Information Access: 
--                OCSP - URI:http://ocsp-1.example.com:12345
--                OCSP - URI:http://ocsp-2.example.com:12345
--
--            OCSP No Check: 
--
--[verify]
--cert: OK
--OK.
-+# purposely empty
-diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh
-index 6f0e74c9..3e7ade56 100755
---- a/tests/026-local/run.sh
-+++ b/tests/026-local/run.sh
-@@ -1,4 +1,13 @@
--#!/bin/bash -e
-+#!/bin/bash
-+
-+openssl cmp -h > /dev/null 2>&1
-+if [ $? == 1 ]; then
-+	cp expected.openssl1 expected.out
-+else
-+	cp expected.openssl3 expected.out
-+fi
-+
-+set -e
- 
- cd $tmpdir
- 
-diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out
-index e9a04221..8a9ac3fa 100644
---- a/tests/030-rekey/expected.out
-+++ b/tests/030-rekey/expected.out
-@@ -11,7 +11,6 @@ key_requested_count=0
- (submit OpenSSL)
- key_issued_count=0
- key_requested_count=1
--First round certificates OK.
- NSS keys before re-keygen (preserve=1,pin=""):
- <-> rsa      originalhex   NSS Certificate DB:i2048
- key_issued_count=0
-@@ -98,7 +97,6 @@ key_requested_count=0
- (submit OpenSSL)
- key_issued_count=0
- key_requested_count=1
--First round certificates OK.
- NSS keys before re-keygen (preserve=1,pin="password"):
- <-> rsa      originalhex   NSS Certificate DB:i2048
- key_issued_count=0
-@@ -185,7 +183,6 @@ key_requested_count=0
- (submit OpenSSL)
- key_issued_count=0
- key_requested_count=1
--First round certificates OK.
- NSS keys before re-keygen (preserve=0,pin=""):
- <-> rsa      originalhex   NSS Certificate DB:i2048
- key_issued_count=0
-@@ -270,7 +267,6 @@ key_requested_count=0
- (submit OpenSSL)
- key_issued_count=0
- key_requested_count=1
--First round certificates OK.
- NSS keys before re-keygen (preserve=0,pin="password"):
- <-> rsa      originalhex   NSS Certificate DB:i2048
- key_issued_count=0
-diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh
-index 07fea683..7b9125ec 100755
---- a/tests/030-rekey/run.sh
-+++ b/tests/030-rekey/run.sh
-@@ -31,7 +31,7 @@ for preserve in 1 0 ; do
- 		-s "cn=T$size" -c "cn=T$size" \
- 		-x -t u -m 4660 -f pinfile
- 	# Export the certificate and key.
--	pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
-+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
- 	openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size
- 	openssl pkcs12 -in $size.p12 -passin pass: -nokeys  -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size
- 	# Grab a copy of the public key.
-@@ -101,14 +101,6 @@ for preserve in 1 0 ; do
- 	echo '(submit OpenSSL)'
- 	$toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size
- 	grep ^key.\*count= entry.openssl.$size | LANG=C sort
--	# Now compare the self-signed certificates built from the keys.
--	if ! cmp cert.nss.$size cert.openssl.$size ; then
--		echo First round certificates differ:
--		cat cert.nss.$size cert.openssl.$size
--		exit 1
--	else
--		echo First round certificates OK.
--	fi
- 
- 	# Now generate new keys, CSRs, and certificates (NSS).
- 	echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"
-diff --git a/tests/036-getcert/run.sh b/tests/036-getcert/run.sh
-index 1c99803d..bcb821d7 100755
---- a/tests/036-getcert/run.sh
-+++ b/tests/036-getcert/run.sh
-@@ -51,7 +51,7 @@ listdb() {
- }
- 
- extract() {
--	pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
-+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
- 	openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert
- 	openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key
- 	echo -n cert:
--- 
-2.26.3
-
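Review bot: the OpenSSL version probe carried in this patch ("openssl cmp -h" with exit status 1 taken to mean "no cmp subcommand, so OpenSSL 1.x", in the tests/026-local/run.sh hunk) is a heuristic that should be re-checked in the upstream copy of that script which replaces it, since "openssl version" answers the question directly and a missing or broken openssl binary also exits non-zero here. Otherwise dropping the file is consistent with the rest of the push: every path it touches (src/keyiread-o.c, src/util-o.c, the tests/ scripts, the new tests/026-local/expected.openssl1 and expected.openssl3) reappears under the upstream merge in this diff. One thing to confirm: the header reads "PATCH 1/3", and debian/patches/series now carries no other OpenSSL 3 patch, so make sure nothing from the sibling patches was relied on.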


=====================================
debian/patches/series
=====================================
@@ -1,4 +1,3 @@
 fix-keythi-h-path.diff
 fix-service-environment.diff
 use-dbus-run-session.diff
-0001-candidate-openssl-3.0-compat-fixes.patch


=====================================
debian/rules
=====================================
@@ -27,9 +27,6 @@ override_dh_auto_install:
 override_dh_auto_test:
 	dh_auto_test || true
 
-override_dh_missing:
-	dh_missing --fail-missing
-
 override_dh_clean:
 	dh_clean
 #	rm -f po/*.gmo
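Review bot: removing override_dh_missing is safe only because debian/control moves to debhelper-compat 13 in this same push, where dh_missing already defaults to --fail-missing; that dependency deserves a changelog line. Separately, the retained "dh_auto_test || true" in the context above means a failing test suite, including the OpenSSL 1 versus 3 expected-output selection in tests/026-local, never fails the build, so a regression from the OpenSSL 3 port would go unnoticed at package build time; consider dropping "|| true" once the suite is known to pass against OpenSSL 3, or at least logging the result.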


=====================================
src/keyiread-o.c
=====================================
@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 				pubikey = cm_store_hex_from_bin(NULL, tmp, length);
 			}
 			tmp = NULL;
-			length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
+			length = i2d_PublicKey(pkey, NULL);
 			if (length > 0) {
-				pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+				tmp = malloc(length);
+				if (tmp != NULL) {
+					length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
+					pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+				}
 			}
 		}
 		fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
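Review bot: the buffer handed to cm_store_hex_from_bin is wrong after the second i2d_PublicKey call. When *pp is non-NULL, the i2d functions write at *pp and then advance it past the encoded data, so after "length = i2d_PublicKey(pkey, (unsigned char **) &tmp);" tmp points one past the end of the malloc'd buffer and "cm_store_hex_from_bin(NULL, tmp, length)" reads length bytes beyond it. The previous code was correct because with *pp == NULL OpenSSL allocates the buffer itself and does not advance the pointer. Keep a separate cursor, e.g. "unsigned char *p = tmp; length = i2d_PublicKey(pkey, &p); pubkey = cm_store_hex_from_bin(NULL, tmp, length);", and make sure the malloc'd tmp is released with free() after the hex copy is made (the OpenSSL-allocated buffer it replaces would have needed OPENSSL_free instead).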
@@ -219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 				pubikey = cm_store_hex_from_bin(NULL, tmp, length);
 			}
 			tmp = NULL;
-			length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
+			length = i2d_PublicKey(nextpkey, NULL);
 			if (length > 0) {
-				pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+				tmp = malloc(length);
+				if (tmp != NULL) {
+					length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
+					pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+				}
 			}
 			fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
 		} else {
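Review bot: same pointer-advance problem as in the pkey block above: after "i2d_PublicKey(nextpkey, (unsigned char **) &tmp)" tmp no longer points at the start of the buffer, so the following hex conversion reads past its end; use a separate cursor pointer for the i2d call and pass the original tmp to cm_store_hex_from_bin.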


=====================================
src/tdbush.c
=====================================
@@ -616,7 +616,7 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
 							  CM_DBUS_PROP_CERT_LOCATION_NICKNAME,
 							  cm_tdbusm_dict_s);
 		}
-		if (param == NULL) {
+		if (param == NULL || param->value.s == NULL || strlen(param->value.s) == 0) {
 			cm_log(1, "Certificate nickname not specified.\n");
 			talloc_free(parent);
 			return send_internal_base_missing_arg_error(conn, msg,
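Review bot: the check only guards the D-Bus add-request entry point. The commit message says the crash happens when a stored "" is re-read, treated as NULL and then passed to strcmp, so entries written by earlier versions that already contain "" will still take that path; add the same guard (or a NULL-safe compare) at the read/compare site as well. Minor: "param->value.s[0] == '\0'" does the same as the strlen without walking the string.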


=====================================
src/util-o.c
=====================================
@@ -46,6 +46,7 @@
 void
 util_o_init(void)
 {
+#if OPENSSL_VERSION_MAJOR < 3
 #if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
 	OpenSSL_add_all_algorithms();
 #elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS
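Review bot: `OPENSSL_VERSION_MAJOR` is only defined by OpenSSL 3.x headers; on 1.x the preprocessor evaluates the undefined macro as 0, so the guard works by accident and trips -Wundef. Spell the intent out, e.g. `#if !defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_MAJOR < 3`, or key off `OPENSSL_VERSION_NUMBER < 0x10100000L`, since OpenSSL has initialised itself automatically since 1.1.0 and these explicit calls are already no-ops there.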
@@ -53,6 +54,7 @@ util_o_init(void)
 #else
 	SSL_library_init();
 #endif
+#endif
 }
 
 char *


=====================================
tests/001-keyiread-ec/run.sh
=====================================
@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do
 	EOF
 	$toolsdir/keyiread entry.nss.$size
 	# Export the key.
-	if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
+	if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
 		echo Error exporting key for $size, continuing.
 		continue
 	fi
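Review bot: add a comment in the script (or a sentence in the commit) on why the ciphers are now explicit: pk12util's historical defaults for the certificate bag (40-bit RC2) and key bag (3DES) are algorithms that OpenSSL 3 moved to the legacy provider, so the `openssl pkcs12` call that follows cannot read the file unless that provider is loaded, whereas AES-128-CBC under PBES2 is readable by both NSS and OpenSSL. The same command line is now repeated in a dozen run.sh files; a helper in the shared `functions` file the tests already source would keep the cipher choice in one place.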


=====================================
tests/001-keyiread-rsa/run.sh
=====================================
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u -k rsa
 	# Export the key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
 	cat > entry.openssl.$size <<- EOF
 	key_storage_type=FILE


=====================================
tests/001-keyiread/run.sh
=====================================
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u
 	# Export the key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
 	cat > entry.openssl.$size <<- EOF
 	key_storage_type=FILE


=====================================
tests/002-keygen-sql/prequal.sh
=====================================
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+	echo "This test won't work right if run as root."
+	exit 1
+fi


=====================================
tests/002-keygen/run.sh
=====================================
@@ -2,7 +2,7 @@
 
 cd "$tmpdir"
 
-scheme="${scheme:-dbm:}"
+scheme="${scheme:-sql:}"
 
 source "$srcdir"/functions
 initnssdb "$scheme$tmpdir"


=====================================
tests/003-csrgen-ec/run.sh
=====================================
@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
 	-s "cn=T$size" -c "cn=T$size" \
 	-x -t u -k ec -q $size
 # Export the key.
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )
 # Read the public key and cache it.
 cat > entry.openssl.$size <<- EOF
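Review bot: on the unchanged line after the pk12util call, `> /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )` sends both streams to /dev/null before the pipe, so grep never sees any output and the filter is dead code; either drop the redirect so that `2>&1 | grep -v ...` does the filtering, or drop the grep.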


=====================================
tests/003-csrgen-rsa/run.sh
=====================================
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u -k rsa
 	# Export the key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )
 	# Read the public key and cache it.
 	cat > entry.openssl.$size <<- EOF


=====================================
tests/003-csrgen/run.sh
=====================================
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u
 	# Export the key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : )
 	# Read the public key and cache it.
 	cat > entry.openssl.$size <<- EOF


=====================================
tests/004-selfsign-ec/run.sh
=====================================
@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
 	-s "cn=T$size" -c "cn=T$size" \
 	-x -t u -k ec -q $size
 # Export the certificate and key.
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
 # Read that OpenSSL key.
 cat > entry.$size <<- EOF


=====================================
tests/004-selfsign-rsa/run.sh
=====================================
@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u -k rsa
 	# Export the certificate and key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 	openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
 	# Read that OpenSSL key.
 	cat > entry.$size <<- EOF


=====================================
tests/004-selfsign/run.sh
=====================================
@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u
 	# Export the certificate and key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 	openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
 	# Read that OpenSSL key.
 	cat > entry.$size <<- EOF


=====================================
tests/025-casave/run.sh
=====================================
@@ -2,7 +2,7 @@
 
 cd $tmpdir
 
-scheme="${scheme:-dbm}"
+scheme="${scheme:-sql}"
 cat > $tmpdir/entrycb1 <<- EOF
 id=EntryCB1
 ca_name=CAB1
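Review bot: the default here is `sql` while tests/002-keygen/run.sh in this same patch defaults to `sql:` with the scheme separator, mirroring the old `dbm`/`dbm:` split. Whether the trailing colon is required depends on how the value is concatenated with the database path, so double-check both defaults against the helper that builds the NSS database argument, and use one spelling.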


=====================================
tests/026-local/expected.openssl1
=====================================
@@ -0,0 +1,73 @@
+[key]
+OK.
+[csr]
+Certificate Request:
+    Data:
+        Version: 1 (0x0)
+        Subject: CN=Babs Jensen's Signer
+        Attributes:
+            friendlyName             :unable to print attribute
+        Requested Extensions:
+            X509v3 Key Usage: 
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Subject Alternative Name: 
+                email:root at localhost, email:root at localhost.localdomain
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier: 
+                keyid:(160 bits)
+
+            X509v3 Subject Key Identifier: 
+                (160 bits)
+            Authority Information Access: 
+                OCSP - URI:http://ocsp-1.example.com:12345
+                OCSP - URI:http://ocsp-2.example.com:12345
+
+            OCSP No Check: 
+
+[issue]
+[issuer]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Local Signing Authority, CN=$UUID
+        Subject: CN=Local Signing Authority, CN=$UUID
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                (160 bits)
+            X509v3 Authority Key Identifier: 
+                keyid:(160 bits)
+
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+[subject]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Local Signing Authority, CN=$UUID
+        Subject: CN=Babs Jensen's Signer
+        X509v3 extensions:
+            X509v3 Key Usage: 
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Subject Alternative Name: 
+                email:root at localhost, email:root at localhost.localdomain
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier: 
+                keyid:(160 bits)
+
+            X509v3 Subject Key Identifier: 
+                (160 bits)
+            Authority Information Access: 
+                OCSP - URI:http://ocsp-1.example.com:12345
+                OCSP - URI:http://ocsp-2.example.com:12345
+
+            OCSP No Check: 
+
+[verify]
+cert: OK
+OK.


=====================================
tests/026-local/expected.openssl3
=====================================
@@ -0,0 +1,68 @@
+[key]
+OK.
+[csr]
+Certificate Request:
+    Data:
+        Version: 1 (0x0)
+        Subject: CN=Babs Jensen's Signer
+        Attributes:
+            friendlyName             :unable to print attribute
+            Requested Extensions:
+                X509v3 Key Usage: 
+                    Digital Signature, Certificate Sign, CRL Sign
+                X509v3 Subject Alternative Name: 
+                    email:root at localhost, email:root at localhost.localdomain
+                X509v3 Basic Constraints: critical
+                    CA:TRUE
+                X509v3 Authority Key Identifier: 
+                    (160 bits)
+                X509v3 Subject Key Identifier: 
+                    (160 bits)
+                Authority Information Access: 
+                    OCSP - URI:http://ocsp-1.example.com:12345
+                    OCSP - URI:http://ocsp-2.example.com:12345
+                OCSP No Check: 
+
+[issue]
+[issuer]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Local Signing Authority, CN=$UUID
+        Subject: CN=Local Signing Authority, CN=$UUID
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                (160 bits)
+            X509v3 Authority Key Identifier: 
+                (160 bits)
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+[subject]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Local Signing Authority, CN=$UUID
+        Subject: CN=Babs Jensen's Signer
+        X509v3 extensions:
+            X509v3 Key Usage: 
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Subject Alternative Name: 
+                email:root at localhost, email:root at localhost.localdomain
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier: 
+                (160 bits)
+            X509v3 Subject Key Identifier: 
+                (160 bits)
+            Authority Information Access: 
+                OCSP - URI:http://ocsp-1.example.com:12345
+                OCSP - URI:http://ocsp-2.example.com:12345
+            OCSP No Check: 
+
+[verify]
+cert: OK
+OK.
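Review bot: the two golden files differ only in the textual layout of `openssl ... -text` output (indentation of `Requested Extensions:` under `Attributes:`, the `keyid:` prefix and the blank lines after the Authority Key Identifier), not in the certificates themselves. Two full copies have to be edited in lockstep and will drift again with the next OpenSSL release; normalising the output before comparison (collapse leading whitespace, strip `keyid:`, drop blank lines) would let a single expected file serve both.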


=====================================
tests/026-local/expected.out
=====================================
@@ -1,73 +1 @@
-[key]
-OK.
-[csr]
-Certificate Request:
-    Data:
-        Version: 1 (0x0)
-        Subject: CN=Babs Jensen's Signer
-        Attributes:
-            friendlyName             :unable to print attribute
-        Requested Extensions:
-            X509v3 Key Usage: 
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Alternative Name: 
-                email:root at localhost, email:root at localhost.localdomain
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Authority Key Identifier: 
-                keyid:(160 bits)
-
-            X509v3 Subject Key Identifier: 
-                (160 bits)
-            Authority Information Access: 
-                OCSP - URI:http://ocsp-1.example.com:12345
-                OCSP - URI:http://ocsp-2.example.com:12345
-
-            OCSP No Check: 
-
-[issue]
-[issuer]
-Certificate:
-    Data:
-        Version: 3 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Local Signing Authority, CN=$UUID
-        Subject: CN=Local Signing Authority, CN=$UUID
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                (160 bits)
-            X509v3 Authority Key Identifier: 
-                keyid:(160 bits)
-
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-[subject]
-Certificate:
-    Data:
-        Version: 3 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Local Signing Authority, CN=$UUID
-        Subject: CN=Babs Jensen's Signer
-        X509v3 extensions:
-            X509v3 Key Usage: 
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Alternative Name: 
-                email:root at localhost, email:root at localhost.localdomain
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Authority Key Identifier: 
-                keyid:(160 bits)
-
-            X509v3 Subject Key Identifier: 
-                (160 bits)
-            Authority Information Access: 
-                OCSP - URI:http://ocsp-1.example.com:12345
-                OCSP - URI:http://ocsp-2.example.com:12345
-
-            OCSP No Check: 
-
-[verify]
-cert: OK
-OK.
+# purposely empty
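Review bot: with the content moved to expected.openssl1/expected.openssl3 and run.sh copying one of them over this placeholder at run time, expected.out becomes a tracked file that the test suite overwrites, leaving a modified file in the working tree after every run. Either have run.sh compare against the selected file directly (a variable holding the expected-output path) or list the generated file in .gitignore.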


=====================================
tests/026-local/run.sh
=====================================
@@ -1,4 +1,13 @@
-#!/bin/bash -e
+#!/bin/bash
+
+openssl cmp -h > /dev/null 2>&1
+if [ $? == 1 ]; then
+	cp expected.openssl1 expected.out
+else
+	cp expected.openssl3 expected.out
+fi
+
+set -e
 
 cd $tmpdir
 


=====================================
tests/030-rekey/expected.out
=====================================
@@ -11,7 +11,6 @@ key_requested_count=0
 (submit OpenSSL)
 key_issued_count=0
 key_requested_count=1
-First round certificates OK.
 NSS keys before re-keygen (preserve=1,pin=""):
 <-> rsa      originalhex   NSS Certificate DB:i2048
 key_issued_count=0
@@ -98,7 +97,6 @@ key_requested_count=0
 (submit OpenSSL)
 key_issued_count=0
 key_requested_count=1
-First round certificates OK.
 NSS keys before re-keygen (preserve=1,pin="password"):
 <-> rsa      originalhex   NSS Certificate DB:i2048
 key_issued_count=0
@@ -185,7 +183,6 @@ key_requested_count=0
 (submit OpenSSL)
 key_issued_count=0
 key_requested_count=1
-First round certificates OK.
 NSS keys before re-keygen (preserve=0,pin=""):
 <-> rsa      originalhex   NSS Certificate DB:i2048
 key_issued_count=0
@@ -270,7 +267,6 @@ key_requested_count=0
 (submit OpenSSL)
 key_issued_count=0
 key_requested_count=1
-First round certificates OK.
 NSS keys before re-keygen (preserve=0,pin="password"):
 <-> rsa      originalhex   NSS Certificate DB:i2048
 key_issued_count=0


=====================================
tests/030-rekey/run.sh
=====================================
@@ -31,7 +31,7 @@ for preserve in 1 0 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u -m 4660 -f pinfile
 	# Export the certificate and key.
-	pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
 	openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size
 	openssl pkcs12 -in $size.p12 -passin pass: -nokeys  -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size
 	# Grab a copy of the public key.
@@ -101,14 +101,6 @@ for preserve in 1 0 ; do
 	echo '(submit OpenSSL)'
 	$toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size
 	grep ^key.\*count= entry.openssl.$size | LANG=C sort
-	# Now compare the self-signed certificates built from the keys.
-	if ! cmp cert.nss.$size cert.openssl.$size ; then
-		echo First round certificates differ:
-		cat cert.nss.$size cert.openssl.$size
-		exit 1
-	else
-		echo First round certificates OK.
-	fi
 
 	# Now generate new keys, CSRs, and certificates (NSS).
 	echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"
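Review bot: this drops the only check that the certificate built from the NSS key and the one built from the same key through OpenSSL agree (the expected.out hunks remove the matching `First round certificates OK.` lines), but nothing in the patch says why the two now differ. If the difference is confined to the encoding of the PKCS#12-exported key or to attribute ordering, compare a normalised form, for instance the output of `openssl x509 -noout -pubkey` on both files, instead of deleting the comparison; otherwise record the reason in the commit message.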


=====================================
tests/036-getcert/run.sh
=====================================
@@ -51,7 +51,7 @@ listdb() {
 }
 
 extract() {
-	pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
 	openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert
 	openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key
 	echo -n cert:



View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/c151f44278e5e750c1d311bc01cc80e162cf2533...dfdd9a40ea43ee5572644ce44be2a21448b6975d
