From 6a2ad2b0780aa94e01aa0cefa960b55656cfd704 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Aug 24 2017 22:25:54 +0000
Subject: MS cert template: add D-Bus property and storage
Add a D-Bus property and storage for a new template attribute, which will hold data to be included in CSRs in the MS V2 certificate template extension. The server does not validate the extension data (validation behaviour is implemented in a subsequent commit). Part of: https://pagure.io/certmonger/issue/78
---
diff --git a/doc/api.txt b/doc/api.txt
index 31016be..83cf375 100644
--- a/doc/api.txt
+++ b/doc/api.txt
@@ -56,6 +56,7 @@ o object layout
 {("template-crldp"),array-of-string (CRL distribution point URIs)}
 {("template-ns-comment"),string (Netscape comment)}
 {("template-profile"),string (certificate profile)}
+ {("template-ms-certificate-template"),string (MS V2 template specifier; format: :[:] )}
 {("template-issuer"),string (requested issuer)}
 {("template-challenge-password"),string (password to add to CSR)}
 {("template-challenge-password-file"),string (password file)
@@ -165,6 +166,7 @@ o object layout
 {("template-crldp"),array-of-string (CRL distribution point URIs)}
 {("template-ns-comment"),string (Netscape comment)}
 {("template-profile"),string (certificate profile)}
+ {("template-ms-certificate-template"),string (MS V2 template specifier; format: :[:] )}
 {("template-issuer"),string (requested issuer)}
 {("template-challenge-password"),string (password to add to CSR)}
 {("template-challenge-password-file"),string (password file)
diff --git a/src/store-files.c b/src/store-files.c
index dbeebce..5ccde77 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -145,6 +145,7 @@ enum cm_store_file_field {
 cm_store_entry_field_template_ns_comment,
 cm_store_entry_field_template_profile,
 cm_store_entry_field_template_issuer,
+ cm_store_entry_field_template_certificate_template,
 cm_store_entry_field_template_no_ocsp_check,
 cm_store_entry_field_template_ns_certtype,
@@ -320,6 +321,7 @@ static struct cm_store_file_field_list {
 {cm_store_entry_field_template_profile, "template_profile"}, /* right */
 {cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */
 {cm_store_entry_field_template_issuer, "template_issuer"},
+ {cm_store_entry_field_template_certificate_template, "template_certificate_template"},
 {cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"},
 {cm_store_entry_field_template_ns_certtype, "template_ns_certtype"},
@@ -1208,6 +1210,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp)
 case cm_store_entry_field_template_profile:
 ret->cm_template_profile = free_if_empty(p);
 break;
+ case cm_store_entry_field_template_certificate_template:
+ ret->cm_template_certificate_template = free_if_empty(p);
+ break;
 case cm_store_entry_field_template_issuer:
 ret->cm_template_issuer = free_if_empty(p);
 break;
@@ -1454,6 +1459,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp)
 case cm_store_entry_field_template_ocsp_location:
 case cm_store_entry_field_template_ns_comment:
 case cm_store_entry_field_template_profile:
+ case cm_store_entry_field_template_certificate_template:
 case cm_store_entry_field_template_issuer:
 case cm_store_entry_field_template_no_ocsp_check:
 case cm_store_entry_field_template_ns_certtype:
@@ -2063,6 +2069,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry)
 entry->cm_template_no_ocsp_check ? 1 : 0);
 cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype,
 entry->cm_template_ns_certtype);
+ cm_store_file_write_str(fp, cm_store_entry_field_template_certificate_template,
+ entry->cm_template_certificate_template);
 cm_store_file_write_str(fp, cm_store_entry_field_challenge_password,
 entry->cm_template_challenge_password);
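Review bot: The added store key `"template_certificate_template"` drops the `ms` qualifier that the D-Bus property name introduced elsewhere in this patch, `template-ms-certificate-template`, carries, and the enum value and struct member drop it too; since the store key is the on-disk format it is the hardest of the three to rename later, so I would settle the name now, e.g. `{cm_store_entry_field_template_ms_certificate_template, "template_ms_certificate_template"},`, or add a comment on the entry saying the two names intentionally differ. The same table already carries a `/* right */` / `/* wrong */` alias pair for `template_profile`, which is the kind of legacy a mismatch tends to leave behind. `cm_store_file_field_list` starts before this hunk and continues after it.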
@@ -2824,6 +2832,8 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry)
 ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile);
 ret->cm_template_issuer = cm_store_maybe_strdup(ret, entry->cm_template_issuer);
 ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check;
+ ret->cm_template_certificate_template =
+ cm_store_maybe_strdup(ret, entry->cm_template_certificate_template);
 ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret, entry->cm_template_ns_certtype);
diff --git a/src/store-int.h b/src/store-int.h
index 2d3a353..98b37e6 100644
--- a/src/store-int.h
+++ b/src/store-int.h
@@ -144,6 +144,7 @@ struct cm_store_entry {
 char *cm_template_profile;
 char *cm_template_issuer;
 char *cm_template_ns_certtype;
+ char *cm_template_certificate_template;
 unsigned int cm_template_no_ocsp_check: 1;
 /* A challenge password, which may be included (in cleartext form!) in
 * a CSR. */
diff --git a/src/tdbus.h b/src/tdbus.h
index 496f2dd..7164f11 100644
--- a/src/tdbus.h
+++ b/src/tdbus.h
@@ -110,6 +110,7 @@
 #define CM_DBUS_PROP_TEMPLATE_PROFILE "template-profile"
 #define CM_DBUS_PROP_TEMPLATE_ISSUER "template-issuer"
 #define CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE "template-ns-certtype"
+#define CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE "template-ms-certificate-template"
 #define CM_DBUS_SIGNAL_REQUEST_CERT_SAVED "SavedCertificate"
 #define CM_DBUS_PROP_CA_PRESAVE_COMMAND "ca-presave-command"
 #define CM_DBUS_PROP_CA_PRESAVE_UID "ca-presave-uid"
diff --git a/src/tdbush.c b/src/tdbush.c
index 79f0301..6348cfc 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
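Review bot: The new `cm_template_certificate_template` member in `struct cm_store_entry` lands without a comment, while the neighbouring challenge-password field in the same hunk documents both what its string holds and the caveat a reader needs. Given that the commit message says the value is stored without validation, I would add above the declaration: `/* MS V2 certificate template specifier for the CSR extension, in the form documented in doc/api.txt; stored as supplied, not validated here. */`. The struct starts before this hunk and continues after it.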
@@ -1569,6 +1569,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
 param->value.s);
 }
 param = cm_tdbusm_find_dict_entry(d,
+ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
+ cm_tdbusm_dict_s);
+ if (param != NULL) {
+ // TODO check validity
+ new_entry->cm_template_certificate_template = maybe_strdup(new_entry,
+ param->value.s);
+ }
+ param = cm_tdbusm_find_dict_entry(d,
 CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD,
 cm_tdbusm_dict_s);
 if ((param != NULL) &&
@@ -3359,6 +3367,17 @@ request_modify(DBusConnection *conn, DBusMessage *msg,
 }
 } else
 if ((param->value_type == cm_tdbusm_dict_s) &&
+ (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE) == 0)) {
+ talloc_free(entry->cm_template_certificate_template);
+ // TODO check validity
+ entry->cm_template_certificate_template =
+ maybe_strdup(entry, param->value.s);
+ if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) {
+ propname[n_propname++] =
+ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE;
+ }
+ } else
+ if ((param->value_type == cm_tdbusm_dict_s) &&
 (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD) == 0)) {
 talloc_free(entry->cm_template_challenge_password);
 entry->cm_template_challenge_password = maybe_strdup(entry,
@@ -6773,6 +6792,14 @@ cm_tdbush_iface_request(void)
 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL),
 make_interface_item(cm_tdbush_interface_property,
+ make_property(CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
+ cm_tdbush_property_string,
+ cm_tdbush_property_readwrite,
+ cm_tdbush_property_char_p,
+ offsetof(struct cm_store_entry, cm_template_certificate_template),
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL),
+ make_interface_item(cm_tdbush_interface_property,
 make_property(CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE,
 cm_tdbush_property_string,
 cm_tdbush_property_readwrite,
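Review bot: The `// TODO check validity` in the new `if (param != NULL)` branch means any string a D-Bus caller supplies is copied into `cm_template_certificate_template` as-is and, via the store-files change in this patch, persisted; the commit message defers validation to a follow-up, which is acceptable, but the TODO should state the contract so the follow-up and this code agree, e.g. `/* TODO(issue 78): validate the colon-separated form doc/api.txt describes before storing; until then the value is accepted and persisted unchecked. */`. The `//` comment also stands out against the `/* */` style the other C changes in this patch use. `base_add_request` starts before this hunk and continues after it.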
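Review bot: In the new `request_modify` branch the old value is released with `talloc_free(entry->cm_template_certificate_template);` before the `// TODO check validity` line, so when the validity check is added in the follow-up it has to go above the `talloc_free`, otherwise a rejected value would still have destroyed the previous one and left the entry with NULL or whatever the error path assigns. I would reorder now so the follow-up only has to fill in the condition: move the comment above the `talloc_free` as `/* TODO(issue 78): reject invalid values here, before the old value is freed */`. Since `base_add_request` in this same patch carries an identical TODO, the eventual check belongs in one `static` helper called from both places so the two paths cannot drift. `request_modify` starts before this hunk and continues after it.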
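Review bot: The new `make_property(CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE, ...)` entry is declared `cm_tdbush_property_readwrite` and backed only by `offsetof(struct cm_store_entry, cm_template_certificate_template)` with every hook argument NULL, which suggests a generic Properties.Set may write straight into the struct member; if that is how the all-NULL entries behave (I cannot confirm it from this hunk), the validation planned for `base_add_request` and `request_modify` will not cover that third write path. Either the property should stay read-only over the Properties interface until the validating setter exists, or the follow-up should validate at the point the value is consumed (CSR generation) so all paths, including values loaded from the store file, are covered; a one-line comment on this entry recording which of the two is intended would help. `cm_tdbush_iface_request` starts before this hunk and continues after it.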
@@ -7217,7 +7244,7 @@ cm_tdbush_iface_request(void) make_interface_item(cm_tdbush_interface_signal, make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED, NULL), - NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); + NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))); } return ret; } diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out index 93cc4d1..8a81a7f 100644 --- a/tests/028-dbus/expected.out +++ b/tests/028-dbus/expected.out @@ -330,6 +330,7 @@ OK +