[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][upstream] 4 commits: Add .gitignore to project

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Feb 23 11:50:30 GMT 2022



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / certmonger


Commits:
fdc5c87c by Christian Heimes at 2021-10-12T09:07:31+02:00
Add .gitignore to project

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
fcb02122 by Rob Crittenden at 2021-11-11T13:12:02-05:00
Reject a certificate with an empty NSS nickname

It technically wasn't NULL initially, it was "", so wasn't being
caught in the NULL check. The value stored was "" which was treated
as NULL when re-read so the request would eventually lead to a
SEGFAULT by doing a strcmp.

https://bugzilla.redhat.com/show_bug.cgi?id=1995681

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
8b0589d1 by Rob Crittenden at 2022-01-05T14:42:58-05:00
Port to OpenSSL 3.0.0

Few API changes were necessary, fortunately.

Change NSS database type default in the tests to sql since dbm
support is dropped in recent versions.

Specify the PKCS#12 key and cipher parameters to be more compatible
between OpenSSL and NSS.

- - - - -
548e5759 by Rob Crittenden at 2022-01-05T14:43:17-05:00
Tag 0.79.15

- - - - -


25 changed files:

- + .gitignore
- certmonger.spec
- configure.ac
- src/keyiread-o.c
- src/tdbush.c
- src/util-o.c
- tests/001-keyiread-ec/run.sh
- tests/001-keyiread-rsa/run.sh
- tests/001-keyiread/run.sh
- + tests/002-keygen-sql/prequal.sh
- tests/002-keygen/run.sh
- tests/003-csrgen-ec/run.sh
- tests/003-csrgen-rsa/run.sh
- tests/003-csrgen/run.sh
- tests/004-selfsign-ec/run.sh
- tests/004-selfsign-rsa/run.sh
- tests/004-selfsign/run.sh
- tests/025-casave/run.sh
- + tests/026-local/expected.openssl1
- + tests/026-local/expected.openssl3
- tests/026-local/expected.out
- tests/026-local/run.sh
- tests/030-rekey/expected.out
- tests/030-rekey/run.sh
- tests/036-getcert/run.sh


Changes:

=====================================
.gitignore
=====================================
@@ -0,0 +1,123 @@
+# Autotools files - generated by autoreconf -i
+/m4
+
+# gettext infrastructure
+/ABOUT-NLS
+/po/*.gmo
+/po/*~
+/po/Makefile.hack
+/po/Makefile.in.in
+/po/Makevars.template
+/po/POTFILES
+/po/POTFILES.in
+/po/remove-potcdate.sed
+/po/Rules-quot
+/po/stamp-po
+/po/*.header
+/po/*.sin
+/po/*.sed
+
+# In-tree build files
+configure
+config.h
+config.h.in
+Makefile
+Makefile.in
+.deps/
+.libs/
+*.la
+*.a
+*.lo
+*.log
+*.o
+*.trs
+*~
+version.m4
+aclocal.m4
+autom4te.cache/
+config.guess
+config.log
+config.rpath
+config.status
+config.sub
+depcomp
+install-sh
+ltmain.sh
+missing
+stamp-h1
+libtool
+build/
+compile
+test-driver
+
+# output
+/dbus/certmonger.conf
+/dbus/certmonger.service
+/src/certmonger
+/src/certmonger-session
+/src/certmonger.conf
+/src/dogtag-ipa-renew-agent-submit
+/src/dogtag-submit
+/src/getcert
+/src/introspect.sh
+/src/ipa-getcert
+/src/ipa-submit
+/src/local-getcert
+/src/local-submit
+/src/nl-check
+/src/scep-submit
+/src/selfsign-getcert
+/src/serial-check
+/src/submit-d
+/src/submit-h
+/src/tdbusm-check
+/src/toklist
+/systemd/certmonger.conf
+/systemd/certmonger.service
+/systemd/org.fedorahosted.certmonger.service
+/sysvinit/certmonger
+
+# man pages
+/src/*.1
+/src/*.5
+/src/*.8
+
+# tests
+actual.err
+actual.out
+/tests/tools/addcinfo
+/tests/tools/base2pem
+/tests/tools/base64
+/tests/tools/cadata
+/tests/tools/canon
+/tests/tools/casave
+/tests/tools/certread
+/tests/tools/certsave
+/tests/tools/checksig
+/tests/tools/citerate
+/tests/tools/csrgen
+/tests/tools/dates
+/tests/tools/dparse
+/tests/tools/fromfile
+/tests/tools/hooks
+/tests/tools/iterate
+/tests/tools/json
+/tests/tools/json-utf8
+/tests/tools/keygen
+/tests/tools/keyiread
+/tests/tools/libexecdir
+/tests/tools/listnicks
+/tests/tools/ls
+/tests/tools/name2oid
+/tests/tools/oid2name
+/tests/tools/payload
+/tests/tools/pem2base
+/tests/tools/pk7decrypt
+/tests/tools/pk7env
+/tests/tools/pk7parse
+/tests/tools/pk7verify
+/tests/tools/prefs
+/tests/tools/printenv
+/tests/tools/scepgen
+/tests/tools/srv
+/tests/tools/submit


=====================================
certmonger.spec
=====================================
@@ -27,7 +27,7 @@
 %bcond_with xmlrpc
 
 Name:		certmonger
-Version:	0.79.14
+Version:	0.79.15
 Release:	1%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
@@ -264,6 +264,27 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan  5 2022 Rob Crittenden <rcritten at redhat.com> - 0.79.15-1
+- update to 0.79.15
+  - Translated using Weblate (Swedish)
+  - Translated using Weblate (Indonesian)
+  - Translated using Weblate (Indonesian)
+  - Translated using Weblate (Sinhala)
+  - Translated using Weblate (French)
+  - Translated using Weblate (Korean)
+  - Port to OpenSSL 3.0.0
+  - Use extensions template from NSS
+  - Use implicit, empty FALSE for extensions
+  - Add .gitignore to project
+  - If an existing cert exists, use it to decrypt the PKCS#7 envelope
+  - Increase minimum allowed RSA key size to 1024
+  - Make the default RSA key size configurable
+  - Fix file descriptor leak when executing CA helpers
+  - Add compile check for EVP_PKEY_get_id along with EVP_PKEY_id
+  - Update csrgen test to understand OpenSSL 3.0.0 output
+  - Reject a certificate with an empty NSS nickname
+  - Add SCEP config option to treat the challenge password as an OTP
+
 * Tue Jun 14 2021 Rob Crittenden <rcritten at redhat.com> - 0.79.14-1
 - update to 0.79.14
   -  Fix local CA to work under FIPS


=====================================
configure.ac
=====================================
@@ -1,4 +1,4 @@
-AC_INIT(certmonger,0.79.14)
+AC_INIT(certmonger,0.79.15)
 AM_INIT_AUTOMAKE([foreign subdir-objects])
 AC_CONFIG_MACRO_DIR(m4)
 AM_MAINTAINER_MODE([disable])


=====================================
src/keyiread-o.c
=====================================
@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 				pubikey = cm_store_hex_from_bin(NULL, tmp, length);
 			}
 			tmp = NULL;
-			length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
+			length = i2d_PublicKey(pkey, NULL);
 			if (length > 0) {
-				pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+				tmp = malloc(length);
+				if (tmp != NULL) {
+					length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
+					pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+				}
 			}
 		}
 		fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
@@ -219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 				pubikey = cm_store_hex_from_bin(NULL, tmp, length);
 			}
 			tmp = NULL;
-			length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
+			length = i2d_PublicKey(nextpkey, NULL);
 			if (length > 0) {
-				pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+				tmp = malloc(length);
+				if (tmp != NULL) {
+					length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
+					pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+				}
 			}
 			fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
 		} else {


=====================================
src/tdbush.c
=====================================
@@ -616,7 +616,7 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
 							  CM_DBUS_PROP_CERT_LOCATION_NICKNAME,
 							  cm_tdbusm_dict_s);
 		}
-		if (param == NULL) {
+		if (param == NULL || param->value.s == NULL || strlen(param->value.s) == 0) {
 			cm_log(1, "Certificate nickname not specified.\n");
 			talloc_free(parent);
 			return send_internal_base_missing_arg_error(conn, msg,


=====================================
src/util-o.c
=====================================
@@ -46,6 +46,7 @@
 void
 util_o_init(void)
 {
+#if OPENSSL_VERSION_MAJOR < 3
 #if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
 	OpenSSL_add_all_algorithms();
 #elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS
@@ -53,6 +54,7 @@ util_o_init(void)
 #else
 	SSL_library_init();
 #endif
+#endif
 }
 
 char *


=====================================
tests/001-keyiread-ec/run.sh
=====================================
@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do
 	EOF
 	$toolsdir/keyiread entry.nss.$size
 	# Export the key.
-	if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
+	if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
 		echo Error exporting key for $size, continuing.
 		continue
 	fi


=====================================
tests/001-keyiread-rsa/run.sh
=====================================
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u -k rsa
 	# Export the key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
 	cat > entry.openssl.$size <<- EOF
 	key_storage_type=FILE


=====================================
tests/001-keyiread/run.sh
=====================================
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u
 	# Export the key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
 	cat > entry.openssl.$size <<- EOF
 	key_storage_type=FILE


=====================================
tests/002-keygen-sql/prequal.sh
=====================================
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+	echo "This test won't work right if run as root."
+	exit 1
+fi


=====================================
tests/002-keygen/run.sh
=====================================
@@ -2,7 +2,7 @@
 
 cd "$tmpdir"
 
-scheme="${scheme:-dbm:}"
+scheme="${scheme:-sql:}"
 
 source "$srcdir"/functions
 initnssdb "$scheme$tmpdir"


=====================================
tests/003-csrgen-ec/run.sh
=====================================
@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
 	-s "cn=T$size" -c "cn=T$size" \
 	-x -t u -k ec -q $size
 # Export the key.
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )
 # Read the public key and cache it.
 cat > entry.openssl.$size <<- EOF


=====================================
tests/003-csrgen-rsa/run.sh
=====================================
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u -k rsa
 	# Export the key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )
 	# Read the public key and cache it.
 	cat > entry.openssl.$size <<- EOF


=====================================
tests/003-csrgen/run.sh
=====================================
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u
 	# Export the key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : )
 	# Read the public key and cache it.
 	cat > entry.openssl.$size <<- EOF


=====================================
tests/004-selfsign-ec/run.sh
=====================================
@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
 	-s "cn=T$size" -c "cn=T$size" \
 	-x -t u -k ec -q $size
 # Export the certificate and key.
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
 # Read that OpenSSL key.
 cat > entry.$size <<- EOF


=====================================
tests/004-selfsign-rsa/run.sh
=====================================
@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u -k rsa
 	# Export the certificate and key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 	openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
 	# Read that OpenSSL key.
 	cat > entry.$size <<- EOF


=====================================
tests/004-selfsign/run.sh
=====================================
@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u
 	# Export the certificate and key.
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 	openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
 	# Read that OpenSSL key.
 	cat > entry.$size <<- EOF


=====================================
tests/025-casave/run.sh
=====================================
@@ -2,7 +2,7 @@
 
 cd $tmpdir
 
-scheme="${scheme:-dbm}"
+scheme="${scheme:-sql}"
 cat > $tmpdir/entrycb1 <<- EOF
 id=EntryCB1
 ca_name=CAB1


=====================================
tests/026-local/expected.openssl1
=====================================
@@ -0,0 +1,73 @@
+[key]
+OK.
+[csr]
+Certificate Request:
+    Data:
+        Version: 1 (0x0)
+        Subject: CN=Babs Jensen's Signer
+        Attributes:
+            friendlyName             :unable to print attribute
+        Requested Extensions:
+            X509v3 Key Usage: 
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Subject Alternative Name: 
+                email:root at localhost, email:root at localhost.localdomain
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier: 
+                keyid:(160 bits)
+
+            X509v3 Subject Key Identifier: 
+                (160 bits)
+            Authority Information Access: 
+                OCSP - URI:http://ocsp-1.example.com:12345
+                OCSP - URI:http://ocsp-2.example.com:12345
+
+            OCSP No Check: 
+
+[issue]
+[issuer]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Local Signing Authority, CN=$UUID
+        Subject: CN=Local Signing Authority, CN=$UUID
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                (160 bits)
+            X509v3 Authority Key Identifier: 
+                keyid:(160 bits)
+
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+[subject]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Local Signing Authority, CN=$UUID
+        Subject: CN=Babs Jensen's Signer
+        X509v3 extensions:
+            X509v3 Key Usage: 
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Subject Alternative Name: 
+                email:root at localhost, email:root at localhost.localdomain
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier: 
+                keyid:(160 bits)
+
+            X509v3 Subject Key Identifier: 
+                (160 bits)
+            Authority Information Access: 
+                OCSP - URI:http://ocsp-1.example.com:12345
+                OCSP - URI:http://ocsp-2.example.com:12345
+
+            OCSP No Check: 
+
+[verify]
+cert: OK
+OK.


=====================================
tests/026-local/expected.openssl3
=====================================
@@ -0,0 +1,68 @@
+[key]
+OK.
+[csr]
+Certificate Request:
+    Data:
+        Version: 1 (0x0)
+        Subject: CN=Babs Jensen's Signer
+        Attributes:
+            friendlyName             :unable to print attribute
+            Requested Extensions:
+                X509v3 Key Usage: 
+                    Digital Signature, Certificate Sign, CRL Sign
+                X509v3 Subject Alternative Name: 
+                    email:root at localhost, email:root at localhost.localdomain
+                X509v3 Basic Constraints: critical
+                    CA:TRUE
+                X509v3 Authority Key Identifier: 
+                    (160 bits)
+                X509v3 Subject Key Identifier: 
+                    (160 bits)
+                Authority Information Access: 
+                    OCSP - URI:http://ocsp-1.example.com:12345
+                    OCSP - URI:http://ocsp-2.example.com:12345
+                OCSP No Check: 
+
+[issue]
+[issuer]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Local Signing Authority, CN=$UUID
+        Subject: CN=Local Signing Authority, CN=$UUID
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                (160 bits)
+            X509v3 Authority Key Identifier: 
+                (160 bits)
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+[subject]
+Certificate:
+    Data:
+        Version: 3 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Local Signing Authority, CN=$UUID
+        Subject: CN=Babs Jensen's Signer
+        X509v3 extensions:
+            X509v3 Key Usage: 
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Subject Alternative Name: 
+                email:root at localhost, email:root at localhost.localdomain
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier: 
+                (160 bits)
+            X509v3 Subject Key Identifier: 
+                (160 bits)
+            Authority Information Access: 
+                OCSP - URI:http://ocsp-1.example.com:12345
+                OCSP - URI:http://ocsp-2.example.com:12345
+            OCSP No Check: 
+
+[verify]
+cert: OK
+OK.


=====================================
tests/026-local/expected.out
=====================================
@@ -1,73 +1 @@
-[key]
-OK.
-[csr]
-Certificate Request:
-    Data:
-        Version: 1 (0x0)
-        Subject: CN=Babs Jensen's Signer
-        Attributes:
-            friendlyName             :unable to print attribute
-        Requested Extensions:
-            X509v3 Key Usage: 
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Alternative Name: 
-                email:root at localhost, email:root at localhost.localdomain
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Authority Key Identifier: 
-                keyid:(160 bits)
-
-            X509v3 Subject Key Identifier: 
-                (160 bits)
-            Authority Information Access: 
-                OCSP - URI:http://ocsp-1.example.com:12345
-                OCSP - URI:http://ocsp-2.example.com:12345
-
-            OCSP No Check: 
-
-[issue]
-[issuer]
-Certificate:
-    Data:
-        Version: 3 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Local Signing Authority, CN=$UUID
-        Subject: CN=Local Signing Authority, CN=$UUID
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                (160 bits)
-            X509v3 Authority Key Identifier: 
-                keyid:(160 bits)
-
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-[subject]
-Certificate:
-    Data:
-        Version: 3 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Local Signing Authority, CN=$UUID
-        Subject: CN=Babs Jensen's Signer
-        X509v3 extensions:
-            X509v3 Key Usage: 
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Alternative Name: 
-                email:root at localhost, email:root at localhost.localdomain
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Authority Key Identifier: 
-                keyid:(160 bits)
-
-            X509v3 Subject Key Identifier: 
-                (160 bits)
-            Authority Information Access: 
-                OCSP - URI:http://ocsp-1.example.com:12345
-                OCSP - URI:http://ocsp-2.example.com:12345
-
-            OCSP No Check: 
-
-[verify]
-cert: OK
-OK.
+# purposely empty


=====================================
tests/026-local/run.sh
=====================================
@@ -1,4 +1,13 @@
-#!/bin/bash -e
+#!/bin/bash
+
+openssl cmp -h > /dev/null 2>&1
+if [ $? == 1 ]; then
+	cp expected.openssl1 expected.out
+else
+	cp expected.openssl3 expected.out
+fi
+
+set -e
 
 cd $tmpdir
 


=====================================
tests/030-rekey/expected.out
=====================================
@@ -11,7 +11,6 @@ key_requested_count=0
 (submit OpenSSL)
 key_issued_count=0
 key_requested_count=1
-First round certificates OK.
 NSS keys before re-keygen (preserve=1,pin=""):
 <-> rsa      originalhex   NSS Certificate DB:i2048
 key_issued_count=0
@@ -98,7 +97,6 @@ key_requested_count=0
 (submit OpenSSL)
 key_issued_count=0
 key_requested_count=1
-First round certificates OK.
 NSS keys before re-keygen (preserve=1,pin="password"):
 <-> rsa      originalhex   NSS Certificate DB:i2048
 key_issued_count=0
@@ -185,7 +183,6 @@ key_requested_count=0
 (submit OpenSSL)
 key_issued_count=0
 key_requested_count=1
-First round certificates OK.
 NSS keys before re-keygen (preserve=0,pin=""):
 <-> rsa      originalhex   NSS Certificate DB:i2048
 key_issued_count=0
@@ -270,7 +267,6 @@ key_requested_count=0
 (submit OpenSSL)
 key_issued_count=0
 key_requested_count=1
-First round certificates OK.
 NSS keys before re-keygen (preserve=0,pin="password"):
 <-> rsa      originalhex   NSS Certificate DB:i2048
 key_issued_count=0


=====================================
tests/030-rekey/run.sh
=====================================
@@ -31,7 +31,7 @@ for preserve in 1 0 ; do
 		-s "cn=T$size" -c "cn=T$size" \
 		-x -t u -m 4660 -f pinfile
 	# Export the certificate and key.
-	pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
 	openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size
 	openssl pkcs12 -in $size.p12 -passin pass: -nokeys  -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size
 	# Grab a copy of the public key.
@@ -101,14 +101,6 @@ for preserve in 1 0 ; do
 	echo '(submit OpenSSL)'
 	$toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size
 	grep ^key.\*count= entry.openssl.$size | LANG=C sort
-	# Now compare the self-signed certificates built from the keys.
-	if ! cmp cert.nss.$size cert.openssl.$size ; then
-		echo First round certificates differ:
-		cat cert.nss.$size cert.openssl.$size
-		exit 1
-	else
-		echo First round certificates OK.
-	fi
 
 	# Now generate new keys, CSRs, and certificates (NSS).
 	echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"


=====================================
tests/036-getcert/run.sh
=====================================
@@ -51,7 +51,7 @@ listdb() {
 }
 
 extract() {
-	pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
 	openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert
 	openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key
 	echo -n cert:



View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/46cd5a7d9434ed104093152bdf0a55404e6a1c6b...548e5759858a88d1d6f9f9db079dd74b5feb7f0a

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/46cd5a7d9434ed104093152bdf0a55404e6a1c6b...548e5759858a88d1d6f9f9db079dd74b5feb7f0a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20220223/3b5ff5b4/attachment-0001.htm>


More information about the Pkg-freeipa-devel mailing list