certmonger.spec

@@ -25,7 +25,7 @@
 %endif
 
 Name:		certmonger
-Version:	0.79.5
+Version:	0.79.6
 Release:	1%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
@@ -37,7 +37,8 @@ Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 BuildRequires:	openldap-devel
-BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel
+BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn2-devel
+BuildRequires:	autoconf, automake, gcc, gettext-devel
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
 BuildRequires:  libuuid-devel
 %else
@@ -242,6 +243,17 @@ exit 0
 %endif
 
 %changelog
+* Tue May  8 2018 Rob Crittenden <rcritten@redhat.com> 0.79.6-1
+- update to 0.79.6:
+   - Better support for NSS SQLite databases 
+   - Fix CA creation in local CA, fix DER issue in constraint
+   - If stderr is not a tty log to syslog so the helpers can log
+   - Allow configuration of client SCEP algorithms
+   - Set default SCEP digest to SHA-256, cipher to AES-256 per spec
+
+* Mon Apr  2 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-2
+- Switch from libidn to libidn2 for better IDNA2008 support
+
 * Fri Sep  1 2017 Rob Crittenden <rcritten@redhat.com> 0.79.5-1
 - update to 0.79.5:
    - getcert start-tracking: use issuer option when specified

configure.ac

-AC_INIT(certmonger,0.79.5)
+AC_INIT(certmonger,0.79.6)
 AM_INIT_AUTOMAKE([foreign subdir-objects])
 AC_CONFIG_MACRO_DIR(m4)
 AM_MAINTAINER_MODE([disable])
@@ -788,7 +788,7 @@ if ! ${configure_dist_target_only:-false} ; then
 	fi,
 	idn=true)
 	if $idn ; then
-		PKG_CHECK_MODULES(IDN,libidn)
+		PKG_CHECK_MODULES(IDN,libidn2)
 		AC_DEFINE(CM_USE_IDN,1,[Define if dnsName subjectAltNames should be encoded properly, and if international domain names should be handled during service location.])
 	fi
 

debian/certmonger.upstart

-# certmonger
-#
-# certmonger is a D-Bus-based service which attempts to simplify 
-# interaction with certifying authorities (CAs) on networks which use 
-# public-key infrastructure (PKI).
-
-description	"Certmonger"
-
-start on net-device-up
-stop on runlevel [06]
-
-expect daemon
-respawn
-
-exec certmonger

debian/changelog

+certmonger (0.79.6-1) unstable; urgency=medium
+
+  * New upstream release.
+  * control: Update maintainer address.
+  * control: Update vcs urls.
+  * Bump debhelper to 11.
+  * control: Build-depend on libidn2-dev.
+  * rules: Migrate to dh_missing, use --fail-missing.
+  * certmonger.upstart: Removed.
+  * Bump policy to 4.2.1, no changes.
+  * control: Set priority: optional.
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Wed, 17 Oct 2018 10:45:02 +0300
+
 certmonger (0.79.5-3) experimental; urgency=medium
 
   * Merge changes from upstream git to support sqlite nssdb's.

debian/compat

-9
+11

debian/control

 Source: certmonger
 Section: utils
-Priority: extra
-Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
+Priority: optional
+Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
 Uploaders: Timo Aaltonen <tjaalton@debian.org>
-Build-Depends: debhelper (>= 9), dh-autoreconf, quilt,
+Build-Depends: debhelper (>= 11), quilt,
  autopoint,
  dbus (>= 1.8),
- dh-systemd,
  dos2unix,
  expect,
  libdbus-1-dev,
  libcurl4-nss-dev,
- libidn11-dev,
+ libidn2-dev,
  libkrb5-dev,
  libldap2-dev,
  libnspr4-dev,
@@ -27,10 +26,10 @@ Build-Depends: debhelper (>= 9), dh-autoreconf, quilt,
  openssl,
  pkg-config,
  uuid-dev,
-Standards-Version: 3.9.6
+Standards-Version: 4.2.1
 Homepage: https://pagure.io/certmonger/
-Vcs-Git: git://anonscm.debian.org/pkg-freeipa/certmonger.git
-Vcs-Browser: http://anonscm.debian.org/cgit/pkg-freeipa/certmonger.git
+Vcs-Git: https://salsa.debian.org/freeipa-team/certmonger.git
+Vcs-Browser: https://salsa.debian.org/freeipa-team/certmonger
 
 Package: certmonger
 Architecture: any

debian/rules

@@ -29,12 +29,12 @@ override_dh_auto_install:
 
 override_dh_auto_test:
 
-override_dh_install:
-	dh_install --list-missing
+override_dh_missing:
+	dh_missing --fail-missing
 
 override_dh_clean:
 	dh_clean
 #	rm -f po/*.gmo
 
 %:
-	dh $@ --parallel --with quilt,autoreconf,systemd --builddirectory=build/
+	dh $@ --with quilt --builddirectory=build/

src/certext.c

@@ -42,7 +42,7 @@
 #include <krb5.h>
 
 #ifdef CM_USE_IDN
-#include <idna.h>
+#include <idn2.h>
 #endif
 
 #include "certext.h"
@@ -1620,9 +1620,9 @@ cm_certext_build_certificate_template(
 		return NULL;
 
 	int i = 0;
-	char *saveptr, *endptr;
+	char *saveptr, *endptr, *part;
 	for (
-		char *part = strtok_r(template_spec_dup, ":", &saveptr);
+		part = strtok_r(template_spec_dup, ":", &saveptr);
 		part != NULL;
 		part = strtok_r(NULL, ":", &saveptr)
 	) {

src/certmaster.c

@@ -86,7 +86,10 @@ main(int argc, const char **argv)
 	bindtextdomain(PACKAGE, MYLOCALEDIR);
 #endif
 
+    if (isatty(STDERR_FILENO))
 		cm_log_set_method(cm_log_stderr);
+	else
+		cm_log_set_method(cm_log_syslog);
 	pctx = poptGetContext(argv[0], argc, argv, popts, 0);
 	if (pctx == NULL) {
 		return CM_SUBMIT_STATUS_UNCONFIGURED;

src/dogtag.c

@@ -296,7 +296,10 @@ main(int argc, const char **argv)
 	}
 
 	umask(S_IRWXG | S_IRWXO);
+	if (isatty(STDERR_FILENO))
 		cm_log_set_method(cm_log_stderr);
+	else
+		cm_log_set_method(cm_log_syslog);
 	cm_log_set_level(verbose);
 
 	nctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION,

src/getcert.c

@@ -4291,6 +4291,12 @@ list_cas(const char *argv0, int argc, const char **argv)
 		if ((s != NULL) && (strlen(s) > 0)) {
 			printf(_("\tpost-save command: %s\n"), s);
 		}
+		if (verbose > 0) {
+			printf(_("\tconfig-path: %s\n"),
+			       query_rep_s(bus, cas[i], CM_DBUS_CA_INTERFACE,
+					   "get_config_file_path",
+					   verbose, globals.tctx));
+		}
 	}
 	return 0;
 }

src/ipa.c

@@ -689,7 +689,10 @@ main(int argc, const char **argv)
 	}
 
 	umask(S_IRWXG | S_IRWXO);
+	if (isatty(STDERR_FILENO))
 		cm_log_set_method(cm_log_stderr);
+	else
+		cm_log_set_method(cm_log_syslog);
 	cm_log_set_level(verbose);
 
 	/* Start backfilling defaults, both hard-coded and from the IPA

src/local.c

@@ -488,7 +488,10 @@ main(int argc, const char **argv)
 
 	umask(S_IRWXG | S_IRWXO);
 
+	if (isatty(STDERR_FILENO))
 		cm_log_set_method(cm_log_stderr);
+	else
+		cm_log_set_method(cm_log_syslog);
 	cm_log_set_level(verbose);
 
 	if (localdir == NULL) {

src/prefs.h

@@ -20,9 +20,12 @@
 
 enum cm_prefs_cipher {
 	cm_prefs_aes128,
+	cm_prefs_aes192,
 	cm_prefs_aes256,
 	cm_prefs_des3,
 	cm_prefs_des,
+	/* This is for the selection logic */
+	cm_prefs_nocipher,
 };
 
 enum cm_prefs_digest {
@@ -31,6 +34,8 @@ enum cm_prefs_digest {
 	cm_prefs_sha512,
 	cm_prefs_sha1,
 	cm_prefs_md5,
+	/* This is for the selection logic */
+	cm_prefs_nodigest,
 };
 
 enum cm_notification_method;

src/scep.c

@@ -343,7 +343,10 @@ main(int argc, const char **argv)
 	}
 
 	umask(S_IRWXG | S_IRWXO);
+	if (isatty(STDERR_FILENO))
 		cm_log_set_method(cm_log_stderr);
+	else
+		cm_log_set_method(cm_log_syslog);
 	cm_log_set_level(verbose);
 
 	ctx = talloc_new(NULL);
@@ -929,15 +932,18 @@ main(int argc, const char **argv)
 			if (i != 0) {
 				printf(_("Error: failed to verify signature on "
 					 "server response.\n"));
+				cm_log(1, "Error: failed to verify signature on "
+					 "server response.\n");
 				while ((error = ERR_get_error()) != 0) {
 					memset(buf, '\0', sizeof(buf));
 					ERR_error_string_n(error, buf, sizeof(buf));
 					cm_log(1, "%s\n", buf);
 				}
-				s = cm_store_base64_from_bin(ctx, (unsigned char *) results,
-							     results_length);
+				s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
+							     results_length2);
 				s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
 				fprintf(stderr, "%s", s);
+				cm_log(1, "%s", s);
 				free(s);
 				return CM_SUBMIT_STATUS_UNREACHABLE;
 			}

src/scepgen-o.c

@@ -422,49 +422,156 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
 		free(pem);
 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
 	}
+
+	char* scep_cipher = ca->cm_ca_scep_cipher;
+	if (scep_cipher != NULL) {
+		/* Force the cipher to whatever is in the configuration */
+		if (strcmp(scep_cipher, "AES256") == 0) {
+			cipher = cm_prefs_aes256;
+		}
+		else if (strcmp(scep_cipher, "AES192") == 0) {
+			cipher = cm_prefs_aes192;
+		}
+		else if (strcmp(scep_cipher, "AES128") == 0) {
+			cipher = cm_prefs_aes128;
+		}
+		else if (strcmp(scep_cipher, "DES3") == 0) {
+			cipher = cm_prefs_des3;
+		}
+		else if (strcmp(scep_cipher, "DES") == 0) {
 			cipher = cm_prefs_des;
+		}
+		else {
+			cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
+			_exit(1);
+		}
+
+		cm_log(1, "SCEP cipher set from configuration to: '%s'\n", scep_cipher);
+	}
+	else {
+		cipher = cm_prefs_nocipher;
 		for (i = 0;
 		     (ca->cm_ca_capabilities != NULL) &&
 		     (ca->cm_ca_capabilities[i] != NULL);
 		     i++) {
 			capability = ca->cm_ca_capabilities[i];
+			if ((strcmp(capability, "AES-256") == 0) ||
+				(strcmp(capability, "AES256") == 0)) {
+					cm_log(1, "Server supports AES256, using that.\n");
+					cipher = cm_prefs_aes256;
+					break;
+			}
+			if ((strcmp(capability, "AES-192") == 0) ||
+				(strcmp(capability, "AES192") == 0)) {
+					cm_log(1, "Server supports AES192, using that.\n");
+					cipher = cm_prefs_aes192;
+					break;
+			}
+			if ((strcmp(capability, "AES-128") == 0) ||
+				(strcmp(capability, "AES128") == 0)) {
+					cm_log(1, "Server supports AES128, using that.\n");
+					cipher = cm_prefs_aes128;
+					break;
+			}
+			if (strcmp(capability, "AES") == 0) {
+				cm_log(1, "Server supports AES, using AES256.\n");
+				cipher = cm_prefs_aes256;
+				break;
+			}
 			if (strcmp(capability, "DES3") == 0) {
 				cm_log(1, "Server supports DES3, using that.\n");
 				cipher = cm_prefs_des3;
 				break;
 			}
+			/* This remains for backward compatibility */
+			if (strcmp(capability, "DES") == 0) {
+				cm_log(1, "Server supports DES, using that.\n");
+				cipher = cm_prefs_des;
+				break;
 			}
-	if (cipher == cm_prefs_des) {
-		cm_log(1, "Server does not support DES3, using DES.\n");
 		}
-	pref_digest = cm_prefs_preferred_digest();
+		if (cipher == cm_prefs_nocipher) {
+			/* Per the latest Draft RFC */
+			cm_log(1, "Could not determine supported CA capabilities, using cipher AES256.\n");
+			cipher = cm_prefs_aes256;
+		}
+	}
+
+	char* scep_digest = ca->cm_ca_scep_digest;
+	if (scep_digest != NULL) {
+		/* Force the digest to whatever is in the configuration */
+		if (strcmp(scep_digest, "SHA512") == 0) {
+			digest = cm_prefs_sha512;
+		}
+		else if (strcmp(scep_digest, "SHA384") == 0) {
+			digest = cm_prefs_sha384;
+		}
+		else if (strcmp(scep_digest, "SHA256") == 0) {
+			digest = cm_prefs_sha256;
+		}
+		else if (strcmp(scep_digest, "SHA1") == 0) {
+			digest = cm_prefs_sha1;
+		}
+		else if (strcmp(scep_digest, "MD5") == 0) {
 			digest = cm_prefs_md5;
+		}
+		else {
+			cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
+			_exit(1);
+		}
+
+		cm_log(1, "SCEP digest set from configuration to: '%s'\n", scep_digest);
+	}
+	else {
+		pref_digest = cm_prefs_preferred_digest();
+		digest = cm_prefs_nodigest;
 		for (i = 0;
 		     (ca->cm_ca_capabilities != NULL) &&
 		     (ca->cm_ca_capabilities[i] != NULL);
 		     i++) {
 			capability = ca->cm_ca_capabilities[i];
-		if ((pref_digest == cm_prefs_sha1) &&
-		    (strcmp(capability, "SHA-1") == 0)) {
-			cm_log(1, "Server supports SHA-1, using that.\n");
-			digest = cm_prefs_sha1;
+			if ((pref_digest == cm_prefs_sha512) &&
+			    ((strcmp(capability, "SHA-512") == 0) ||
+				(strcmp(capability, "SHA512") == 0))) {
+					cm_log(1, "Server supports SHA-512, using that.\n");
+					digest = cm_prefs_sha512;
+					break;
+			}
+			if ((pref_digest == cm_prefs_sha384) &&
+			    ((strcmp(capability, "SHA-384") == 0) ||
+				(strcmp(capability, "SHA384") == 0))) {
+					cm_log(1, "Server supports SHA-384, using that.\n");
+					digest = cm_prefs_sha384;
 					break;
 			}
 			if ((pref_digest == cm_prefs_sha256) &&
-		    (strcmp(capability, "SHA-256") == 0)) {
+			    ((strcmp(capability, "SHA-256") == 0) ||
+				(strcmp(capability, "SHA256") == 0))) {
 					cm_log(1, "Server supports SHA-256, using that.\n");
 					digest = cm_prefs_sha256;
 					break;
 			}
-		if ((pref_digest == cm_prefs_sha512) &&
-		    (strcmp(capability, "SHA-512") == 0)) {
-			cm_log(1, "Server supports SHA-512, using that.\n");
-			digest = cm_prefs_sha512;
+			if ((pref_digest == cm_prefs_sha1) &&
+			    ((strcmp(capability, "SHA-1") == 0) ||
+				(strcmp(capability, "SHA1") == 0))) {
+					cm_log(1, "Server supports SHA-1, using that.\n");
+					digest = cm_prefs_sha1;
 					break;
 			}
+			/* This remains for backward compatibility */
+			if ((pref_digest == cm_prefs_sha1) &&
+			    (strcmp(capability, "MD5") == 0)) {
+				cm_log(1, "Server supports MD5, using that.\n");
+				digest = cm_prefs_md5;
+				break;
+			}
+		}
+		if (digest == cm_prefs_nodigest) {
+			/* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */
+			/* https://www.ietf.org/id/draft-gutmann-scep-10.txt  */
+			cm_log(1, "Could not determine supported CA capabilities, using digest SHA256.\n");
+			digest = cm_prefs_sha256;
 		}
-	if (digest == cm_prefs_md5) {
-		cm_log(1, "Server does not support better digests, using MD5.\n");
 	}
 	if (old_cert != NULL) {
 		if (cm_pkcs7_envelope_ias(ca->cm_ca_encryption_cert, cipher,

src/srvloc.c

@@ -34,7 +34,7 @@
 #include <unistd.h>
 
 #ifdef CM_USE_IDN
-#include <idna.h>
+#include <idn2.h>
 #endif
 
 #ifdef HAVE_OPENSSL

src/store-files.c

@@ -221,6 +221,8 @@ enum cm_store_file_field {
 	cm_store_ca_field_other_cert_nssdbs,
 
 	cm_store_ca_field_capabilities,
+	cm_store_ca_field_scep_cipher,
+	cm_store_ca_field_scep_digest,
 	cm_store_ca_field_scep_ca_identifier,
 	cm_store_ca_field_encryption_cert,
 	cm_store_ca_field_encryption_issuer_cert,
@@ -400,6 +402,8 @@ static struct cm_store_file_field_list {
 	{cm_store_ca_field_other_cert_nssdbs, "ca_other_cert_dbs"},
 
 	{cm_store_ca_field_capabilities, "ca_capabilities"},
+	{cm_store_ca_field_scep_cipher, "scep_cipher"},
+	{cm_store_ca_field_scep_digest, "scep_digest"},
 	{cm_store_ca_field_scep_ca_identifier, "scep_ca_identifier"},
 	{cm_store_ca_field_encryption_cert, "ca_encryption_cert"},
 	{cm_store_ca_field_encryption_issuer_cert, "ca_encryption_issuer_cert"},
@@ -804,6 +808,8 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp)
 			case cm_store_ca_field_other_root_cert_nssdbs:
 			case cm_store_ca_field_other_cert_nssdbs:
 			case cm_store_ca_field_capabilities:
+			case cm_store_ca_field_scep_cipher:
+			case cm_store_ca_field_scep_digest:
 			case cm_store_ca_field_scep_ca_identifier:
 			case cm_store_ca_field_encryption_cert:
 			case cm_store_ca_field_encryption_issuer_cert:
@@ -1602,6 +1608,14 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp)
 				ret->cm_ca_capabilities =
 					free_if_empty_multi(ret, p);
 				break;
+			case cm_store_ca_field_scep_cipher:
+				ret->cm_ca_scep_cipher =
+					free_if_empty(p);
+				break;
+			case cm_store_ca_field_scep_digest:
+				ret->cm_ca_scep_digest =
+					free_if_empty(p);
+				break;
 			case cm_store_ca_field_scep_ca_identifier:
 				ret->cm_ca_scep_ca_identifier =
 					free_if_empty(p);
@@ -2418,6 +2432,10 @@ cm_store_ca_write(FILE *fp, struct cm_store_ca *ca)
 				 ca->cm_ca_other_cert_store_nssdbs);
 	cm_store_file_write_strs(fp, cm_store_ca_field_capabilities,
 				 ca->cm_ca_capabilities);
+	cm_store_file_write_str(fp, cm_store_ca_field_scep_cipher,
+				ca->cm_ca_scep_cipher);
+	cm_store_file_write_str(fp, cm_store_ca_field_scep_digest,
+				ca->cm_ca_scep_digest);
 	cm_store_file_write_str(fp, cm_store_ca_field_scep_ca_identifier,
 				ca->cm_ca_scep_ca_identifier);
 	cm_store_file_write_str(fp, cm_store_ca_field_encryption_cert,
@@ -2940,6 +2958,10 @@ cm_store_ca_dup(void *parent, struct cm_store_ca *ca)
 
 	ret->cm_ca_capabilities =
 		cm_store_maybe_strdupv(ret, ca->cm_ca_capabilities);
+	ret->cm_ca_scep_cipher =
+		cm_store_maybe_strdup(ret, ca->cm_ca_scep_cipher);
+	ret->cm_ca_scep_digest =
+		cm_store_maybe_strdup(ret, ca->cm_ca_scep_digest);
 	ret->cm_ca_scep_ca_identifier =
 		cm_store_maybe_strdup(ret, ca->cm_ca_scep_ca_identifier);
 	ret->cm_ca_encryption_cert =

src/store-int.h

@@ -349,6 +349,10 @@ struct cm_store_ca {
 	char **cm_ca_other_cert_store_nssdbs;
 	/* CA capabilities.  Currently only ever SCEP capabilities. */
 	char **cm_ca_capabilities;
+	/* SCEP Cipher to use. Overrides CA Capabilities */
+	char *cm_ca_scep_cipher;
+	/* SCEP Digest to use. Overrides CA Capabilities */
+	char *cm_ca_scep_digest;
 	/* An SCEP CA identifier, for use in gathering an RA (and possibly a
 	 * CA) certificate. */
 	char *cm_ca_scep_ca_identifier;

src/tdbus.h

@@ -119,6 +119,8 @@
 #define CM_DBUS_PROP_ROOT_CERTS "root-certs"
 #define CM_DBUS_PROP_OTHER_ROOT_CERTS "root-other-certs"
 #define CM_DBUS_PROP_OTHER_CERTS "other-certs"
+#define CM_DBUS_PROP_SCEP_CIPHER "scep-cipher"
+#define CM_DBUS_PROP_SCEP_DIGEST "scep-digest"
 #define CM_DBUS_PROP_SCEP_CA_IDENTIFIER "scep-ca-identifier"
 #define CM_DBUS_PROP_SCEP_CA_CAPABILITIES "scep-ca-capabilities"
 #define CM_DBUS_PROP_SCEP_RA_CERT "scep-ra-cert"