certmonger

Clone

#147 Add new option to allow overriding the detected SCEP CA chain
Merged 4 years ago by rcritten. Opened 4 years ago by rcritten.
rcritten/certmonger bz1808613  into  master

file modified
+9 -5 
@@ -8,6 +8,7 @@ 
 

  [-r ra-cert-file]
 

  [-R ca-cert-file]
 

  [-I other-certs-file]
 

+ [-N ca-cert-file]
 

  [-i ca-identifier]
 

  [-v]
 

  [-n]
 
@@ -57,11 +58,14 @@ 
 

  always required.
 

  .TP
 

  \fB\-R\fR CA-certificate-file
 

- The location of the SCEP server's CA certificate, which was used to
 

- issue the SCEP server's certificate, or the SCEP server's own
 

- certificate, if it is self-signed, in PEM form.  If the URL specified
 

- with the \fB-u\fR option is an \fIhttps\fR URL, then this option is
 

- required.
 

+ The location of the CA certificate which was used to issue the SCEP web
 

+ server's certificate in PEM form. If the URL specified with the
 

+ \fB-u\fR option is an \fIhttps\fR URL, then this option is required.
 

+ .TP
 

+ \fB\-N\fR ca-certificate-file
 

+ The location of a PEM-formatted copy of the SCEP server's CA certificate.
 

+ A discovered value is normally supplied by the certmonger daemon, but one can
 

+ be specified for troubleshooting purposes.
 

  .TP
 

  \fB\-r\fR RA-certificate-file
 

  The location of the SCEP server's RA certificate, which is expected to

file modified
+8 -4 
@@ -24,12 +24,16 @@ 
 

  specified.
 

  .TP
 

  \fB\-R\fR ca-certificate-file
 

- The location of a PEM-formatted copy of the SCEP server's CA's certificate.
 

- A discovered value is supplied by the certmonger daemon for use in verifying
 

- the signature on data returned by the SCEP server, but it is not used for
 

- verifying HTTPS server certificates.
 

+ The location of a PEM-formatted copy of the CA's certificate used to verify
 

+ the TLS connection the SCEP server.
 

+ 

  This option must be specified if the URL is an \fIhttps\fR location.
 

  .TP
 

+ \fB\-N\fR ca-certificate-file
 

+ The location of a PEM-formatted copy of the SCEP server's CA certificate.
 

+ A discovered value is normally supplied by the certmonger daemon, but one can
 

+ be specified for troubleshooting purposes.
 

+ .TP
 

  \fB\-r\fR ra-certificate-file
 

  The location of a PEM-formatted copy of the SCEP server's RA's certificate.
 

  A discovered value is normally supplied by the certmonger daemon, but one can

file modified
+5 -1 
@@ -4522,6 +4522,7 @@ 
 

  	enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
 

  	char *caname = NULL, *url = NULL, *path = NULL, *id = NULL;
 

  	char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command;
 

+ 	char *signingca = NULL;
 

  	const char *err;
 

  	int c, prefer_non_renewal = 0, verbose = 0;
 

  	dbus_bool_t b;
 
@@ -4534,6 +4535,7 @@ 
 

  		{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
 

  		{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
 

  		{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
 

+ 		{"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
 

  		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
 

  		{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
 

  		{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
 
@@ -4595,7 +4597,7 @@ 
 

  		return 1;
 

  	}
 

  	command = talloc_asprintf(globals.tctx,
 

- 				  "%s -u %s %s %s %s %s %s %s %s %s %s",
 

+ 				  "%s -u %s %s %s %s %s %s %s %s %s %s %s",
 

  				  shell_escape(globals.tctx,
 

  					       CM_SCEP_HELPER_PATH),
 

  				  shell_escape(globals.tctx, url),
 
@@ -4607,6 +4609,8 @@ 
 

  				  id ? shell_escape(globals.tctx, id) : "",
 

  				  certs ? "-I" : "",
 

  				  certs ? shell_escape(globals.tctx, certs) : "",
 

+ 				  signingca ? "-N" : "",
 

+ 				  signingca ? shell_escape(globals.tctx, signingca) : "",
 

  				  prefer_non_renewal ? "-n" : "");
 

  	for (c = 0; c < verbose; c++) {
 

  		command = talloc_strdup_append(command, " -v");

file modified
+6 -7 
@@ -205,7 +205,6 @@ 
 

  	int response_code = 0, response_code2 = 0;
 

  	enum known_ops op = op_unset;
 

  	const char *id = NULL, *cainfo = NULL;
 

- 	char *poptarg;
 

  	char *message = NULL, *rekey_message = NULL;
 

  	const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
 

  	void *ctx;
 
@@ -234,8 +233,9 @@ 
 

  		{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
 

  		{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
 

  		{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
 

- 		{"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},
 

+ 		{"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"},
 

  		{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},
 

+ 		{"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"},
 

  		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},
 

  		{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
 

  		POPT_AUTOHELP
 
@@ -328,9 +328,10 @@ 
 

  			racert = cm_submit_u_from_file(poptGetOptArg(pctx));
 

  			break;
 

  		case 'R':
 

- 			poptarg = poptGetOptArg(pctx);
 

- 			cainfo = strdup(poptarg);
 

- 			cacert = cm_submit_u_from_file(poptarg);
 

+ 			cainfo = poptGetOptArg(pctx);
 

+ 			break;
 

+ 		case 'N':
 

+ 			cacert = cm_submit_u_from_file(poptGetOptArg(pctx));
 

  			break;
 

  		case 'I':
 

  			certs = cm_submit_u_from_file(poptGetOptArg(pctx));
 
@@ -339,7 +340,6 @@ 
 

  	}
 

  	if (c != -1) {
 

  		poptPrintUsage(pctx, stdout, 0);
 

- 		free(cainfo);
 

  		return CM_SUBMIT_STATUS_UNCONFIGURED;
 

  	}
 

  
@@ -1188,7 +1188,6 @@ 
 

  	if (pctx) {
 

  		poptFreeContext(pctx);
 

  	}
 

- 	free(cainfo);
 

  	free(id);
 

  	cm_submit_h_cleanup(hctx);
 

  	talloc_free(ctx);

The -R option was doing double-duty for the SCEP CA.

  1. It was required if the SCEP URL used TLS
  2. It override the CA certificate downloaded from the SCEP server

If the chains were different then validating the SCEP responses would
fail.

https://bugzilla.redhat.com/show_bug.cgi?id=1808613

Pull-Request has been merged by rcritten
4 years ago
Metadata
None
No Tags
Changes Summary 4
+9 -5
file changed
src/certmonger-scep-submit.8.in
+8 -4
file changed
src/getcert-add-scep-ca.1.in
+5 -1
file changed
src/getcert.c
+6 -7
file changed
src/scep.c
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.