From a43bb9055b6cedd9dbeb41e2b9aaf46f0466fcd4 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Feb 25 2015 21:16:57 +0000 Subject: Rework which keys we prefer for SCEP Rework which data we generate, so that it's easier for helpers to decide what to send to the server: * CERTMONGER_PKCSREQ: Signed with an old/only key and a previously-issued certificate, or using the minicert if there's no new key. * CERTMONGER_PKCSREQ_REKEY: Signed with an new key and the minicert. * CERTMONGER_GETCERTINITIAL: Signed with an old/only key and a previously-issued certificate, or using the minicert if there's no new key. * CERTMONGER_GETCERTINITIAL_REKEY: Signed with an new key and the minicert. --- diff --git a/src/scepgen-n.c b/src/scepgen-n.c index 9e95cc8..b6df441 100644 --- a/src/scepgen-n.c +++ b/src/scepgen-n.c @@ -219,6 +219,17 @@ retry_gen: goto retry_gen; } BN_free(exponent); + + /* Read the proper keys. */ + keys = cm_keyiread_n_get_keys(entry, 0); + if ((keys->privkey->keyType != rsaKey) || + ((keys->privkey_next != NULL) && + (keys->privkey_next->keyType != rsaKey))) { + cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n"); + _exit(CM_SUB_STATUS_ERROR_KEY_TYPE); + } + + /* Sign using a dummy key. */ EVP_PKEY_set1_RSA(key, rsa); csr_new = NULL; csr_old = NULL; @@ -231,14 +242,7 @@ retry_gen: &ias_new, &ias_old); EVP_PKEY_free(key); - /* Read the proper keys, and re-sign using them. */ - keys = cm_keyiread_n_get_keys(entry, 0); - if ((keys->privkey->keyType != rsaKey) || - ((keys->privkey_next != NULL) && - (keys->privkey_next->keyType != rsaKey))) { - cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n"); - _exit(CM_SUB_STATUS_ERROR_KEY_TYPE); - } + /* Re-sign using the proper keys. */ if (csr_old != NULL) { cm_scepgen_n_resign(csr_old, keys->privkey); } @@ -263,7 +267,7 @@ retry_gen: p = csr_new ? cm_scepgen_o_b64_from_p7(NULL, csr_new) : NULL; fprintf(status, "%s:", p ? p : ""); p = ias_new ? cm_scepgen_o_b64_from_p7(NULL, ias_new) : NULL; - fprintf(status, "%s\n", p ? p : ""); + fprintf(status, "%s:\n", p ? p : ""); fclose(status); if (keys->pubkey != NULL) { diff --git a/src/scepgen-o.c b/src/scepgen-o.c index d973023..430911d 100644 --- a/src/scepgen-o.c +++ b/src/scepgen-o.c @@ -512,8 +512,32 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, X509_PUBKEY_set(&old_cert->cert_info->key, pubkey); X509_free(old_cert); } else { - *csr_old = NULL; - *ias_old = NULL; + if (new_pkey == NULL) { + /* Sign the data using the old key and the mini certificate, + * since we may not have a previously-issued certificate (and + * if we do, we did that in another code path. */ + pubkey = X509_PUBKEY_get(new_cert->cert_info->key); + X509_PUBKEY_set(&new_cert->cert_info->key, old_pkey); + *csr_old = build_pkimessage(old_pkey, new_cert, chain, digest, + csr, csr_length, + entry->cm_scep_tx, + SCEP_MSGTYPE_PKCSREQ, + NULL, NULL, + nonce, nonce_length, + NULL, 0); + *ias_old = build_pkimessage(old_pkey, new_cert, chain, digest, + new_ias, new_ias_length, + entry->cm_scep_tx, + SCEP_MSGTYPE_GETCERTINITIAL, + NULL, NULL, + nonce, nonce_length, + NULL, 0); + X509_PUBKEY_set(&new_cert->cert_info->key, pubkey); + } else { + /* No cert, and the minicert matches the new key. */ + *csr_old = NULL; + *ias_old = NULL; + } } if (new_pkey != NULL) { /* Sign the data using the new key and mini certificate, since @@ -536,26 +560,8 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, NULL, 0); X509_PUBKEY_set(&new_cert->cert_info->key, pubkey); } else { - /* Sign the data using the old key and the mini certificate, - * since we may not have a previously-issued certificate (and - * if we do, we just did that). */ - pubkey = X509_PUBKEY_get(new_cert->cert_info->key); - X509_PUBKEY_set(&new_cert->cert_info->key, old_pkey); - *csr_new = build_pkimessage(old_pkey, new_cert, chain, digest, - csr, csr_length, - entry->cm_scep_tx, - SCEP_MSGTYPE_PKCSREQ, - NULL, NULL, - nonce, nonce_length, - NULL, 0); - *ias_new = build_pkimessage(old_pkey, new_cert, chain, digest, - new_ias, new_ias_length, - entry->cm_scep_tx, - SCEP_MSGTYPE_GETCERTINITIAL, - NULL, NULL, - nonce, nonce_length, - NULL, 0); - X509_PUBKEY_set(&new_cert->cert_info->key, pubkey); + *csr_new = NULL; + *ias_new = NULL; } X509_free(new_cert); while ((error = ERR_get_error()) != 0) { @@ -631,7 +637,7 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, p = csr_new ? cm_scepgen_o_b64_from_p7(NULL, csr_new) : NULL; fprintf(status, "%s:", p ? p : ""); p = ias_new ? cm_scepgen_o_b64_from_p7(NULL, ias_new) : NULL; - fprintf(status, "%s\n", p ? p : ""); + fprintf(status, "%s:\n", p ? p : ""); fclose(status); if (new_pkey != NULL) { diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh index 14bb58d..15480ac 100755 --- a/tests/033-scep/run.sh +++ b/tests/033-scep/run.sh @@ -23,12 +23,14 @@ cat ca0.crt | while read line ; do var=" " done +openssl genrsa -out ee.key.next.key 2> /dev/null cat > entry << EOF id=Test ca_name=SelfSign state=NEED_KEY_PAIR key_storage_type=FILE key_storage_location=$tmpdir/ee.key +key_next_marker=next cert_storage_type=FILE cert_storage_location=$tmpdir/ee.crt notification_method=STDOUT @@ -49,13 +51,15 @@ echo -----END CERTIFICATE----- >> mini.crt check_failed() { if ! grep -q "^verify failed$" results ; then - echo expected signature verification to fail, but it did not + echo expected signature verification to fail, but it did not: + cat results exit 1 fi } check_verified() { if ! grep -q "^verify passed$" results ; then - echo expected signature verification to succeed, but it did not + echo expected signature verification to succeed, but it did not: + cat results exit 1 fi } @@ -71,27 +75,31 @@ set_digest() { check_digest() { digest=`grep ^digest: results | cut -f2 -d:` if test $digest != $1 ; then - echo expected digest $1, got $digest + echo expected digest $1, got "$digest": + cat results fi } check_msgtype() { msgtype=`grep ^msgtype: results | cut -f2 -d:` if test $msgtype -ne $1 ; then - echo expected message type $1, got $msgtype + echo expected message type $1, got "$msgtype": + cat results fi } check_txid() { original=`grep ^tx: scepdata | cut -f2 -d:` parsed=`grep ^tx: results | cut -f2 -d:` if test "$original" != "$parsed" ; then - echo expected tx id "$original", got "$parsed" + echo expected tx id "$original", got "$parsed": + cat results fi } check_nonce() { original=`grep ^nonce: scepdata | cut -f2 -d:` parsed=`grep ^snonce: results | cut -f2 -d:` if test "$original" != "$parsed" ; then - echo expected nonce "$original", got "$parsed" + echo expected nonce "$original", got "$parsed": + cat results fi } @@ -99,24 +107,39 @@ set_digest md5 $toolsdir/scepgen ca entry > scepdata echo "[req, no trust root]" +if test x`grep ^req: scepdata | cut -f2- -d:` = x ; then + echo missing req +fi grep ^req: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify ee.crt 2>&1 > results 2>&1 check_failed echo OK echo "[gic, no trust root]" +if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then + echo missing gic +fi grep ^gic: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify ee.crt 2>&1 > results 2>&1 check_failed echo OK echo "[req, self root]" +if test x`grep ^req: scepdata | cut -f2- -d:` = x ; then + echo missing req +fi grep ^req: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r mini.crt ee.crt 2>&1 > results 2>&1 check_failed echo OK echo "[gic, self root]" +if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then + echo missing gic +fi grep ^gic: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r mini.crt ee.crt 2>&1 > results 2>&1 check_failed echo OK echo "[req, old root]" set_digest md5 $toolsdir/scepgen ca entry > scepdata +if test x`grep ^req: scepdata | cut -f2- -d:` = x ; then + echo missing req +fi grep ^req: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r ca0.crt ee.crt 2>&1 > results 2>&1 check_verified check_msgtype $SCEP_MSGTYPE_PKCSREQ @@ -127,6 +150,9 @@ echo OK echo "[gic, old trust root]" set_digest sha1 $toolsdir/scepgen ca entry > scepdata +if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then + echo missing gic +fi grep ^gic: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r ca0.crt ee.crt 2>&1 > results 2>&1 check_verified check_msgtype $SCEP_MSGTYPE_GETCERTINITIAL @@ -135,16 +161,25 @@ check_nonce check_digest sha1 echo OK echo "[req next, no trust root]" +if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then + echo missing req.next +fi grep ^req.next.: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify ee.crt > results 2>&1 check_failed echo OK echo "[gic next, no trust root]" +if test x`grep ^gic.next.: scepdata | cut -f2- -d:` = x ; then + echo missing gic.next +fi grep ^gic.next.: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify ee.crt > results 2>&1 check_failed echo OK echo "[req next, self root]" set_digest sha256 $toolsdir/scepgen ca entry > scepdata +if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then + echo missing req.next +fi grep ^req.next.: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r mini.crt ee.crt > results 2>&1 check_verified check_msgtype $SCEP_MSGTYPE_PKCSREQ @@ -153,6 +188,9 @@ check_nonce check_digest sha256 echo OK echo "[gic next, self root]" +if test x`grep ^gic.next.: scepdata | cut -f2- -d:` = x ; then + echo missing gic.next +fi grep ^gic.next.: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r mini.crt ee.crt > results 2>&1 check_verified check_msgtype $SCEP_MSGTYPE_GETCERTINITIAL @@ -160,10 +198,16 @@ check_txid check_nonce echo OK echo "[req next, old root]" +if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then + echo missing req.next +fi grep ^req.next.: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r ca0.crt ee.crt > results 2>&1 check_failed echo OK echo "[gic next, old trust root]" +if test x`grep ^gic.next.: scepdata | cut -f2- -d:` = x ; then + echo missing gic.next +fi grep ^gic.next.: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r ca0.crt ee.crt > results 2>&1 check_failed echo OK