#69 Build on OpenSSL 1.1
Merged 7 years ago by nalin. Opened 7 years ago by nalin.
nalin/certmonger openssl-1.1  into  master

file modified
+62 -9
@@ -193,7 +193,7 @@ 

  	LIBS="$RESOLV_LIBS"

  	AC_CHECK_HEADERS(resolv.h arpa/nameser.h)

  	have_ns_initparse=false

- 	AC_LINK_IFELSE(AC_LANG_PROGRAM([

+ 	AC_LINK_IFELSE([AC_LANG_PROGRAM([

  		#ifdef HAVE_RESOLV_H

  		#include <resolv.h>

  		#endif
@@ -203,10 +203,10 @@ 

  		],[

  		ns_msg msg;

  		ns_initparse(NULL, 0, &msg);

- 		]),

+ 		])],

  		have_ns_initparse=true,

- 		LIBS="-lbind $LIBS"

- 		AC_LINK_IFELSE(AC_LANG_PROGRAM([

+ 		[LIBS="-lbind $LIBS"

+ 		AC_LINK_IFELSE([AC_LANG_PROGRAM([

  			#ifdef HAVE_RESOLV_H

  			#include <resolv.h>

  			#endif
@@ -216,12 +216,12 @@ 

  			],[

  			ns_msg msg;

  			ns_initparse(NULL, 0, &msg);

- 			]),

+ 			])],

  			RESOLV_LIBS="-lbind $RESOLV_LIBS"

  			have_ns_initparse=true,

  			AC_MSG_WARN([cannot find ns_initparse() in libresolv or libbind])

  			have_ns_initparse=false

- 		)

+ 		)]

  	)

  	AC_ARG_ENABLE(srv-location,

  		      AS_HELP_STRING([--disable-srv-location],[disable SRV location for servers]),
@@ -333,10 +333,62 @@ 

  		AC_DEFINE(HAVE_OPENSSL,1,[Define if you have OpenSSL.])

  		CFLAGSsave="$CFLAGS"

  		LIBSsave="$LIBS"

- 		CFLAGS="$OPENSSL_CFLAGS $CFLAGS"

+ 		CFLAGS="$OPENSSL_CFLAGS $CFLAGS -DOPENSSL_NO_DEPRECATED"

  		LIBS="$OPENSSL_LIBS $LIBS"

  		AC_CHECK_DECLS([OpenSSL_add_all_algorithms,OpenSSL_add_ssl_algorithms],,,[#include <openssl/ssl.h>])

  		AC_CHECK_DECLS(OPENSSL_free,,,[#include <openssl/crypto.h>])

+ 		AC_CHECK_FUNCS(ASN1_BIT_STRING_new)

+ 		AC_CHECK_FUNCS(ASN1_GENERALIZEDTIME_new)

+ 		AC_CHECK_FUNCS(ASN1_IA5STRING_new)

+ 		AC_CHECK_FUNCS(ASN1_INTEGER_new)

+ 		AC_CHECK_FUNCS(ASN1_OCTET_STRING_new)

+ 		AC_CHECK_FUNCS(ASN1_OCTET_STRING_set)

+ 		AC_CHECK_FUNCS(ASN1_PRINTABLESTRING_new)

+ 		AC_CHECK_FUNCS(ASN1_STRING_get0_data)

+ 		AC_CHECK_FUNCS(ASN1_STRING_get_data)

+ 		AC_CHECK_FUNCS(ASN1_STRING_length)

+ 		AC_CHECK_FUNCS(ASN1_STRING_new)

+ 		AC_CHECK_FUNCS(ASN1_TIME_dup)

+ 		AC_CHECK_FUNCS(ASN1_TIME_new)

+ 		AC_CHECK_FUNCS(ASN1_TIME_set)

+ 		AC_CHECK_FUNCS(EVP_PKEY_base_id)

+ 		AC_CHECK_FUNCS(EVP_PKEY_id)

+ 		AC_CHECK_FUNCS(OBJ_get0_data)

+ 		AC_CHECK_FUNCS(OBJ_length)

+ 		AC_CHECK_FUNCS(X509_ATTRIBUTE_get0_object)

+ 		AC_CHECK_FUNCS(X509_get0_notAfter)

+ 		AC_CHECK_FUNCS(X509_get0_pubkey)

+ 		AC_CHECK_FUNCS(X509_get0_serialNumber)

+ 		AC_CHECK_FUNCS(X509_get_issuer_name)

+ 		AC_CHECK_FUNCS(X509_get_key_usage)

+ 		AC_CHECK_FUNCS(X509_get_subject_name)

+ 		AC_CHECK_FUNCS(X509_REQ_get0_pubkey)

+ 		AC_CHECK_FUNCS(X509_REQ_get0_signature)

+ 		AC_CHECK_FUNCS(X509_REQ_set_subject_name)

+ 		AC_CHECK_FUNCS(X509_set1_notAfter)

+ 		AC_CHECK_FUNCS(X509_set1_notBefore)

+ 		AC_CHECK_FUNCS(X509_set_issuer_name)

+ 		AC_CHECK_FUNCS(X509_set_pubkey)

+ 		AC_CHECK_FUNCS(X509_set_subject_name)

+ 		AC_CHECK_FUNCS(X509_set_version)

+ 		AC_CHECK_MEMBERS(X509.cert_info,,,

+ 				 [

+ 				 #include <openssl/x509.h>

+ 				 ])

+ 		AC_MSG_CHECKING([if NETSCAPE_SPKI.sig_algor is a pointer or a struct])

+ 		have_sig_algor_pointer=unknown

+ 		AC_LINK_IFELSE(AC_LANG_PROGRAM([

+ 			#include <stddef.h>

+ 			#include <openssl/x509.h>

+ 			],[

+ 			NETSCAPE_SPKI spki;

+ 			spki.sig_algor = NULL;

+ 			]),

+ 			AC_DEFINE(CM_NETSCAPE_SPKI_SIG_ALGOR_IS_POINTER,1,[Define if NETSCAPE_SPKI.sig_algor is a pointer])

+ 			have_sig_algor_pointer="pointer to X509_ALGOR",

+ 			have_sig_algor_pointer=X509_ALGOR

+ 		)

+ 		AC_MSG_RESULT($have_sig_algor_pointer)

  		CFLAGS="$CFLAGSsave"

  		LIBS="$LIBSsave"

  	fi
@@ -440,10 +492,11 @@ 

  		AC_CHECK_HEADERS(gmp.h)

  		AC_CHECK_FUNC(mpz_set_str,,

  			      LIBS="-lgmp $LIBS"

- 			      AC_LINK_IFELSE(AC_LANG_PROGRAM([

+ 			      AC_LINK_IFELSE([AC_LANG_PROGRAM([

  				#include <stdlib.h>

  				#include <gmp.h>

- 			      ],[mpz_get_str(NULL,10,NULL);]),GMP_LIBS="$GMP_LIBS -lgmp"))

+ 			      ],[mpz_get_str(NULL,10,NULL);])],

+ 			      [GMP_LIBS="$GMP_LIBS -lgmp"]))

  		AC_MSG_CHECKING([for GMP])

  		if test $ac_cv_header_gmp_h = yes ; then

  			AC_MSG_RESULT(found)
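Review bot: The new NETSCAPE_SPKI.sig_algor probe in the OpenSSL hunk is written as `AC_LINK_IFELSE(AC_LANG_PROGRAM([...]),` with its two-line action-if-true left unbracketed, which is exactly the unquoted form this same commit repairs for the ns_initparse and mpz_get_str probes. It should use the same shape as those fixes: `AC_LINK_IFELSE([AC_LANG_PROGRAM([...],[...])],` followed by `[AC_DEFINE(...) have_sig_algor_pointer="pointer to X509_ALGOR"]` and `[have_sig_algor_pointer=X509_ALGOR]` as the two bracketed actions. Presumably the other probes were changed because newer autoconf rejects or warns on the unquoted form, so leaving one new instance behind means the build fix is incomplete.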

file modified
+2 -2
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2010,2011,2013,2014,2015 Red Hat, Inc.

+  * Copyright (C) 2009,2010,2011,2013,2014,2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -252,7 +252,7 @@ 

  		if (bio != NULL) {

  			cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);

  			if (cert != NULL) {

- 				bn = ASN1_INTEGER_to_BN(cert->cert_info->serialNumber, NULL);

+ 				bn = ASN1_INTEGER_to_BN(util_X509_get0_serialNumber(cert), NULL);

  				if (bn != NULL) {

  					bin = malloc(BN_num_bytes(bn));

  					if (bin != NULL) {

file modified
+39 -13
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2010,2011,2014,2015 Red Hat, Inc.

+  * Copyright (C) 2009,2010,2011,2014,2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -600,7 +600,8 @@ 

  	struct cm_store_entry **entries;

  	struct cm_event *events;

  	int i;

- 	char uuidstring[37];

+ 	time_t now;

+ 	char timestamp[15];

  

  	/* Check for duplicates and count the number of entries we're already

  	 * managing. */
@@ -612,11 +613,23 @@ 

  			}

  		}

  	} else {

- 		/* Assign a new ID. */

- 		if (cm_store_make_uuid_string_underscore(uuidstring) < 0) {

- 			return -1;

- 		}

- 		new_entry->cm_nickname = talloc_strdup(new_entry, uuidstring);

+ 		do {

+ 			/* Try to assign a new ID. */

+ 			now = cm_time(NULL);

+ 			new_entry->cm_nickname = cm_store_timestamp_from_time(now,

+ 									      timestamp);

+ 			/* Check for duplicates. */

+ 			for (i = 0; i < context->n_entries; i++) {

+ 				if (strcmp(context->entries[i]->cm_nickname,

+ 					   new_entry->cm_nickname) == 0) {

+ 					/* Busy wait 0.1s. Ugh. */

+ 					usleep(100000);

+ 					break;

+ 				}

+ 			}

+ 		} while (i < context->n_entries);

+ 		new_entry->cm_nickname = talloc_strdup(new_entry,

+ 						       new_entry->cm_nickname);

  	}

  	/* Resize the entry array. */

  	events = NULL;
@@ -991,7 +1004,8 @@ 

  	struct cm_store_ca **cas;

  	struct cm_ca_event *events;

  	int i;

- 	char uuidstring[37];

+ 	time_t now;

+ 	char timestamp[15];

  	enum cm_ca_phase phase;

  

  	/* Check for duplicates and count the number of CAs we're already
@@ -1004,11 +1018,23 @@ 

  			}

  		}

  	} else {

- 		/* Assign a new ID. */

- 		if (cm_store_make_uuid_string_underscore(uuidstring) < 0) {

- 			return -1;

- 		}

- 		new_ca->cm_nickname = talloc_strdup(new_ca, uuidstring);

+ 		do {

+ 			/* Try to assign a new nickname. */

+ 			now = cm_time(NULL);

+ 			new_ca->cm_nickname = cm_store_timestamp_from_time(now,

+ 									   timestamp);

+ 			/* Check for duplicates. */

+ 			for (i = 0; i < context->n_cas; i++) {

+ 				if (strcmp(context->cas[i]->cm_nickname,

+ 					   new_ca->cm_nickname) == 0) {

+ 					/* Busy wait 0.1s. Ugh. */

+ 					usleep(100000);

+ 					break;

+ 				}

+ 			}

+ 		} while (i < context->n_cas);

+ 		new_ca->cm_nickname = talloc_strdup(new_ca,

+ 						    new_ca->cm_nickname);

  	}

  	/* Allocate storage for a new CA array. */

  	cas = talloc_realloc(context, context->cas, struct cm_store_ca *,
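Review bot: In the entry-nickname hunk the `talloc_strdup` result is assigned straight to `new_entry->cm_nickname` with no NULL check, whereas the code it replaces returned -1 when it could not produce a nickname, so an allocation failure now registers an entry whose nickname is NULL. Add `if (new_entry->cm_nickname == NULL) { return -1; }` after the strdup, and the same for `new_ca->cm_nickname` in the CA hunk, which has the identical gap. The retry loop also relies on `cm_time(NULL)` eventually advancing past the colliding second; if that wrapper can return a fixed time (as a test hook might), the loop never terminates, so a bounded retry count would be safer than an open-ended `usleep` loop. Both enclosing functions start before their hunks.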

file modified
+3 -2
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2010,2011,2012,2013,2014,2015 Red Hat, Inc.

+  * Copyright (C) 2009,2010,2011,2012,2013,2014,2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -791,7 +791,8 @@ 

  	nowe.len = strlen(now);

  	validity->notAfter = nowe;

  	minicert = CERT_CreateCertificate(1, name, validity, req);

- 	SEC_ASN1EncodeInteger(arena, &minicert->version, 0);

+ 	SEC_ASN1EncodeInteger(arena, &minicert->version,

+ 			      cm_csrgen_version_for_testing_minicerts);

  	if ((spkidigest[1] & 0x80) != 0) {

  		minicert->serialNumber.data = spkidigest;

  		minicert->serialNumber.len = cm_prefs_nss_dig_alg_len() + 1;

file modified
+20 -19
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2010,2011,2012,2013,2014,2015 Red Hat, Inc.

+  * Copyright (C) 2009,2010,2011,2012,2013,2014,2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -84,8 +84,10 @@ 

  	FILE *keyfp, *status;

  	X509_REQ *req;

  	X509_NAME *subject;

+ 	const X509_ALGOR *sig_alg;

  	X509 *minicert;

  	ASN1_INTEGER *serial, *version;

+ 	ASN1_GENERALIZEDTIME *notBefore = NULL, *notAfter = NULL;

  	NETSCAPE_SPKI spki;

  	NETSCAPE_SPKAC spkac;

  	EVP_PKEY *pkey;
@@ -229,7 +231,7 @@ 

  				}

  			}

  			if (subject != NULL) {

- 				X509_NAME_set(&req->req_info->subject, subject);

+ 				util_X509_REQ_set_subject_name(req, subject);

  			}

  			X509_REQ_set_pubkey(req, pkey);

  			X509_REQ_set_version(req, SEC_CERTIFICATE_REQUEST_VERSION);
@@ -288,7 +290,7 @@ 

  			PEM_write_X509_REQ_NEW(status, req);

  			/* Generate the SPKAC. */

  			memset(&spkac, 0, sizeof(spkac));

- 			spkac.challenge = M_ASN1_IA5STRING_new();

+ 			spkac.challenge = util_ASN1_IA5STRING_new();

  			if (password != NULL) {

  				ASN1_STRING_set(spkac.challenge,

  						password, strlen(password));
@@ -298,8 +300,9 @@ 

  			}

  			memset(&spki, 0, sizeof(spki));

  			spki.spkac = &spkac;

- 			spki.sig_algor = req->sig_alg;

- 			spki.signature = M_ASN1_BIT_STRING_new();

+ 			util_X509_REQ_get0_signature(req, NULL, &sig_alg);

+ 			util_NETSCAPE_SPKI_set_sig_alg(&spki, sig_alg);

+ 			spki.signature = util_ASN1_BIT_STRING_new();

  			NETSCAPE_SPKI_set_pubkey(&spki, pkey);

  			NETSCAPE_SPKI_sign(&spki, pkey, cm_prefs_ossl_hash());

  			s = NETSCAPE_SPKI_b64_encode(&spki);
@@ -335,26 +338,24 @@ 

  			now = gmtime(&nowt);

  			nows = talloc_asprintf(entry, "%04d%02d%02d000000Z",

  					       now->tm_year + 1900, now->tm_mon + 1, now->tm_mday);

- 			minicert->cert_info->validity->notBefore = M_ASN1_GENERALIZEDTIME_new();

- 			ASN1_GENERALIZEDTIME_set_string(minicert->cert_info->validity->notBefore, nows);

+ 			notBefore = util_ASN1_GENERALIZEDTIME_new();

+ 			ASN1_GENERALIZEDTIME_set_string(notBefore, nows);

+ 			util_X509_set1_notBefore(minicert, notBefore);

  			nows = talloc_asprintf(entry, "%04d%02d%02d000000Z",

  					       now->tm_year + 1900 + 100, now->tm_mon + 1, now->tm_mday);

- 			minicert->cert_info->validity->notAfter = M_ASN1_GENERALIZEDTIME_new();

- 			ASN1_GENERALIZEDTIME_set_string(minicert->cert_info->validity->notAfter, nows);

- 			X509_NAME_set(&minicert->cert_info->issuer, subject);

- 			X509_NAME_set(&minicert->cert_info->subject, subject);

- 			/* This used to just be X509_set_version(), but

- 			 * starting in 1.0.2, OpenSSL began setting it to NULL

- 			 * for v1, which breaks tests which expect identical

- 			 * output from both NSS and OpenSSL. */

- 			version = M_ASN1_INTEGER_new();

+ 			notAfter = util_ASN1_GENERALIZEDTIME_new();

+ 			ASN1_GENERALIZEDTIME_set_string(notAfter, nows);

+ 			util_X509_set1_notAfter(minicert, notAfter);

+ 			util_X509_set_issuer_name(minicert, subject);

+ 			util_X509_set_subject_name(minicert, subject);

+ 			version = util_ASN1_INTEGER_new();

  			if (version == NULL) {

  				cm_log(1, "Out of memory creating mini certificate.\n");

  				_exit(CM_SUB_STATUS_INTERNAL_ERROR);

  			}

- 			ASN1_INTEGER_set(version, 0);

- 			minicert->cert_info->version = version;

- 			serial = M_ASN1_INTEGER_new();

+ 			ASN1_INTEGER_set(version, cm_csrgen_version_for_testing_minicerts);

+ 			util_X509_set1_version(minicert, version);

+ 			serial = util_ASN1_INTEGER_new();

  			if (serial == NULL) {

  				cm_log(1, "Out of memory creating mini certificate.\n");

  				_exit(CM_SUB_STATUS_INTERNAL_ERROR);
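Review bot: `notBefore` and `notAfter` are passed to `ASN1_GENERALIZEDTIME_set_string` immediately after `util_ASN1_GENERALIZEDTIME_new()` without the NULL check that `version` and `serial` get a few lines later, so an allocation failure becomes a NULL dereference instead of the logged exit. Mirror the existing pattern after each allocation: `if (notBefore == NULL) { cm_log(1, "Out of memory creating mini certificate.\n"); _exit(CM_SUB_STATUS_INTERNAL_ERROR); }`. If `util_X509_set1_notBefore`, `util_X509_set1_notAfter` and `util_X509_set1_version` copy their argument as the set1 naming suggests, the local objects also need freeing once the minicert is built, unless that already happens after the hunk. The enclosing function continues outside the hunk.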

file modified
+3 -1
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2011,2012,2014 Red Hat, Inc.

+  * Copyright (C) 2009,2011,2012,2014,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -31,6 +31,8 @@ 

  #include "log.h"

  #include "store-int.h"

  

+ int cm_csrgen_version_for_testing_minicerts = 0;

+ 

  int

  cm_csrgen_read_challenge_password(struct cm_store_entry *entry, char **password)

  {

file modified
+3 -1
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2014 Red Hat, Inc.

+  * Copyright (C) 2009,2014,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -21,6 +21,8 @@ 

  struct cm_csrgen_state;

  struct cm_store_entry;

  

+ extern int cm_csrgen_version_for_testing_minicerts;

+ 

  /* Start CSR generation using template information in the entry. */

  struct cm_csrgen_state *cm_csrgen_start(struct cm_store_entry *entry);

  struct cm_csrgen_state *cm_csrgen_n_start(struct cm_store_entry *entry);
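Review bot: `cm_csrgen_version_for_testing_minicerts` is exported from the header without a comment saying what it controls or who is expected to set it, and it now feeds the version field of both the NSS and OpenSSL mini certificates. A one-line comment on the declaration would help: `/* X.509 version number written into mini certificates; 0 (v1) by default, presumably overridden only by tests. */`. The same comment belongs on the definition in the translation unit that initializes it.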

file modified
+4
@@ -21,7 +21,11 @@ 

  #include <sys/stat.h>

  #include <errno.h>

  #include <fcntl.h>

+ #ifdef HAVE_INTTYPES_H

+ #include <inttypes.h>

+ #endif

  #include <limits.h>

+ #include <stdint.h>

  #include <stdlib.h>

  #include <stdio.h>

  #include <string.h>

file modified
+4 -1
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2015 Red Hat, Inc.

+  * Copyright (C) 2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -19,6 +19,9 @@ 

  

  #include <sys/types.h>

  #include <errno.h>

+ #ifdef HAVE_INTTYPES_H

+ #include <inttypes.h>

+ #endif

  #include <stdint.h>

  #include <stdlib.h>

  #include <string.h>

file modified
+1 -1
@@ -67,7 +67,7 @@ 

  	char *ret;

  	size_t l;

  

- 	if (!RAND_pseudo_bytes(suffix, sizeof(suffix))) {

+ 	if (!RAND_bytes(suffix, sizeof(suffix))) {

  		/* Try again sometime later. */

  		cm_log(1, "Error generating suffix.\n");

  		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
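Review bot: `RAND_bytes()` can return -1 when the RAND method does not support it, and `!RAND_bytes(...)` treats that as success, so the switch away from `RAND_pseudo_bytes` should also tighten the test to `if (RAND_bytes(suffix, sizeof(suffix)) != 1) {`. The same applies to the UUID generation later in this change, `if (!RAND_bytes(uuid, sizeof(uuid)))`. The nonce check in the SCEP generator is the more serious case: `if (RAND_bytes(nonce, nonce_length) == -1)` now lets a 0 return pass, and for RAND_bytes 0 is a hard PRNG failure rather than the "not cryptographically strong" hint RAND_pseudo_bytes used it for, so the message would be signed with whatever bytes `nonce` already held; it should be `!= 1` as well. The enclosing function starts outside the hunk.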

file modified
+3 -3
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2010,2011,2012,2014,2015 Red Hat, Inc.

+  * Copyright (C) 2009,2010,2011,2012,2014,2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -152,7 +152,7 @@ 

  		pubkey = "";

  		pubikey = "";

  		if (pkey != NULL) {

- 			switch (EVP_PKEY_type(pkey->type)) {

+ 			switch (util_EVP_PKEY_base_id(pkey)) {

  			case EVP_PKEY_RSA:

  				cm_log(3, "Key is an RSA key.\n");

  				alg = "RSA";
@@ -189,7 +189,7 @@ 

  		}

  		fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);

  		if (nextpkey != NULL) {

- 			switch (EVP_PKEY_type(nextpkey->type)) {

+ 			switch (util_EVP_PKEY_base_id(nextpkey)) {

  			case EVP_PKEY_RSA:

  				cm_log(3, "Next key is an RSA key.\n");

  				alg = "RSA";

file modified
+12 -8
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2014,2015 Red Hat, Inc.

+  * Copyright (C) 2014,2015,2017 Red Hat, Inc.

   *

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -21,7 +21,11 @@ 

  #include <sys/stat.h>

  #include <errno.h>

  #include <fcntl.h>

+ #ifdef HAVE_INTTYPES_H

+ #include <inttypes.h>

+ #endif

  #include <limits.h>

+ #include <stdint.h>

  #include <stdlib.h>

  #include <stdio.h>

  #include <string.h>
@@ -89,15 +93,15 @@ 

  	q = p;

  	len = i2d_PUBKEY(key, &q);

  	if (EVP_Digest(p, len, md, &mdlen, EVP_sha1(), NULL)) {

- 		skid = M_ASN1_OCTET_STRING_new();

- 		M_ASN1_OCTET_STRING_set(skid, md, mdlen);

+ 		skid = util_ASN1_OCTET_STRING_new();

+ 		util_ASN1_OCTET_STRING_set(skid, md, mdlen);

  		memset(&akid, 0, sizeof(akid));

  		akid.keyid = skid;

  		X509V3_add1_i2d(&exts, NID_subject_key_identifier, skid, 0, 0);

  		X509V3_add1_i2d(&exts, NID_authority_key_identifier, &akid, 0, 0);

  	}

  

- 	ku = M_ASN1_BIT_STRING_new();

+ 	ku = util_ASN1_BIT_STRING_new();

  	ASN1_BIT_STRING_set_bit(ku, 0, 1);

  	ASN1_BIT_STRING_set_bit(ku, 5, 1);

  	ASN1_BIT_STRING_set_bit(ku, 6, 1);
@@ -120,9 +124,9 @@ 

  	req = X509_REQ_new();

  	if (req != NULL) {

  		if ((oldcert != NULL) &&

- 		    (oldcert->cert_info->subject != NULL)) {

+ 		    (X509_get_subject_name(oldcert) != NULL)) {

  			X509_REQ_set_subject_name(req,

- 						  oldcert->cert_info->subject);

+ 						  X509_get_subject_name(oldcert));

  		} else {

  			subject = X509_NAME_new();

  			if (subject != NULL) {
@@ -246,7 +250,7 @@ 

  	 * left. */

  	if (*signer_cert != NULL) {

  		if (cas == NULL) {

- 			cas = sk_X509_new(X509_cmp);

+ 			cas = sk_X509_new(util_o_cert_cmp);

  			if (cas == NULL) {

  				cm_log(1, "Out of memory.\n");

  				return CM_SUBMIT_STATUS_UNREACHABLE;
@@ -500,7 +504,7 @@ 

  		/* we're good */

  	} else

  #endif

- 	if (!RAND_pseudo_bytes(uuid, sizeof(uuid))) {

+ 	if (!RAND_bytes(uuid, sizeof(uuid))) {

  		/* Try again sometime later. */

  		cm_log(1, "Error generating UUID.\n");

  		return CM_SUBMIT_STATUS_UNREACHABLE;

file modified
+1 -1
@@ -77,7 +77,7 @@ 

  		{"only-listening-socket", 'L', POPT_ARG_NONE, NULL, 'L', N_("only use a dedicated listening socket"), NULL},

  		{"listening-socket-path", 'P', POPT_ARG_STRING, &path, 0, N_("specify the dedicated listening socket"), N_("PATHNAME")},

  		{"nofork", 'n', POPT_ARG_NONE, NULL, 'n', N_("don't become a daemon"), NULL},

- 		{"fork", 'f', POPT_ARG_NONE, NULL, 'f', N_("do become a daemon"), NULL, NULL},

+ 		{"fork", 'f', POPT_ARG_NONE, NULL, 'f', N_("do become a daemon"), NULL},

  		{"bus-activation-timeout", 'b', POPT_ARG_INT, NULL, 'b', N_("bus-activated, idle timeout"), N_("SECONDS")},

  		{"no-bus-activation-timeout", 'B', POPT_ARG_NONE, NULL, 'B', N_("don't use an idle timeout"), NULL},

  		{"debug-level", 'd', POPT_ARG_INT, NULL, 'd', N_("set debugging level (implies -n)"), N_("NUMBER")},

file modified
+41 -74
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2015 Red Hat, Inc.

+  * Copyright (C) 2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -18,7 +18,11 @@ 

  #include "config.h"

  

  #include <sys/types.h>

+ #ifdef HAVE_INTTYPES_H

+ #include <inttypes.h>

+ #endif

  #include <stdarg.h>

+ #include <stdint.h>

  #include <string.h>

  #include <unistd.h>

  
@@ -44,6 +48,7 @@ 

  #include "scep-o.h"

  #include "store.h"

  #include "submit-u.h"

+ #include "util-o.h"

  

  #ifdef ENABLE_NLS

  #include <libintl.h>
@@ -57,35 +62,11 @@ 

  static int

  issuerissued(X509 *issuer, X509 *issued)

  {

- 	GENERAL_NAME *gn;

- 	int i;

- 

- 	if ((issuer->skid != NULL) &&

- 	    (issued->akid != NULL) &&

- 	    (issued->akid->keyid != NULL)) {

- 		if (M_ASN1_OCTET_STRING_cmp(issuer->skid,

- 					    issued->akid->keyid) == 0) {

- 			return 0;

- 		}

+ 	if (X509_check_issued(issuer, issued) == X509_V_OK) {

+ 		return 0;

  	}

- 	if ((issued->akid != NULL) &&

- 	    (issued->akid->issuer != NULL) &&

- 	    (issued->akid->serial != NULL)) {

- 		for (i = 0;

- 		     i < sk_GENERAL_NAME_num(issued->akid->issuer);

- 		     i++) {

- 			gn = sk_GENERAL_NAME_value(issued->akid->issuer, i);

- 			if ((gn->type == GEN_DIRNAME) &&

- 			    (X509_NAME_cmp(issuer->cert_info->issuer,

- 					   gn->d.dirn) == 0) &&

- 			    (M_ASN1_INTEGER_cmp(issuer->cert_info->serialNumber,

- 						issued->akid->serial) == 0)) {

- 				return 0;

- 			}

- 		}

- 	}

- 	return X509_name_cmp(issuer->cert_info->subject,

- 			     issued->cert_info->issuer);

+ 	return X509_name_cmp(util_X509_get0_subject_name(issuer),

+ 			     util_X509_get0_issuer_name(issued));

  }

  

  /* Render the certificate as a PEM string. */
@@ -121,23 +102,13 @@ 

  	return ret;

  }

  

- /* Wrap the comparison function to handle the callback indirection. */

- static int

- cert_cmp(const void *a, const void *b)

- {

- 	X509 * const *x, * const *y;

- 	x = a;

- 	y = b;

- 	return X509_cmp(*x, *y);

- }

- 

  /* Return 0 if "candidate" is more like what we're looking for than "current". */

  static int

  betterleaf(X509 *candidate, X509 *current, unsigned int flags)

  {

  	if (flags & CM_PKCS7_LEAF_PREFER_ENCRYPT) {

- 		if (((candidate->ex_kusage & (KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT)) != 0) &&

- 		    ((current->ex_kusage & (KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT)) == 0)) {

+ 		if (((util_X509_get_key_usage(candidate) & (KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT)) != 0) &&

+ 		    ((util_X509_get_key_usage(current) & (KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT)) == 0)) {

  			return 0;

  		}

  	}
@@ -330,7 +301,7 @@ 

  		*certtop = NULL;

  	}

  

- 	sk = sk_X509_new(cert_cmp);

+ 	sk = sk_X509_new(util_o_cert_cmp);

  	if (sk == NULL) {

  		return -1;

  	}
@@ -559,7 +530,7 @@ 

  	}

  	BIO_free(in);

  

- 	recipients = sk_X509_new(cert_cmp);

+ 	recipients = sk_X509_new(util_o_cert_cmp);

  	if (recipients == NULL) {

  		cm_log(1, "Out of memory.\n");

  		goto done;
@@ -722,7 +693,7 @@ 

  		goto done;

  	}

  

- 	issuerlen = i2d_X509_NAME(ca->cert_info->issuer, NULL);

+ 	issuerlen = i2d_X509_NAME(X509_get_issuer_name(ca), NULL);

  	if (issuerlen < 0) {

  		cm_log(1, "Error encoding CA certificate issuer name.\n");

  		goto done;
@@ -733,12 +704,12 @@ 

  		goto done;

  	}

  	u = issuer;

- 	if (i2d_X509_NAME(ca->cert_info->issuer, &u) != issuerlen) {

+ 	if (i2d_X509_NAME(X509_get_issuer_name(ca), &u) != issuerlen) {

  		cm_log(1, "Error encoding CA certificate issuer name.\n");

  		goto done;

  	}

  

- 	subjectlen = i2d_X509_NAME(mini->cert_info->subject, NULL);

+ 	subjectlen = i2d_X509_NAME(X509_get_subject_name(mini), NULL);

  	if (subjectlen < 0) {

  		cm_log(1, "Error encoding client certificate subject name.\n");

  		goto done;
@@ -749,7 +720,7 @@ 

  		goto done;

  	}

  	u = subject;

- 	if (i2d_X509_NAME(mini->cert_info->subject, &u) != subjectlen) {

+ 	if (i2d_X509_NAME(X509_get_subject_name(mini), &u) != subjectlen) {

  		cm_log(1, "Error encoding client certificate subject name.\n");

  		goto done;

  	}
@@ -827,23 +798,21 @@ 

  	}

  	for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {

  		a = sk_X509_ATTRIBUTE_value(attrs, i);

- 		if (OBJ_obj2nid(a->object) != nid) {

+ 		if (a == NULL) { /* should not happen */

  			continue;

  		}

- 		if (a->single) {

- 			value = a->value.single;

- 		} else {

- 			if (sk_ASN1_TYPE_num(a->value.set) == 1) {

- 				value = sk_ASN1_TYPE_value(a->value.set, 0);

- 			} else {

- 				value = NULL;

- 			}

+ 		if (OBJ_obj2nid(util_X509_ATTRIBUTE_get0_object(a)) != nid) {

+ 			continue;

  		}

+ 		if (X509_ATTRIBUTE_count(a) != 1) {

+ 			continue;

+ 		}

+ 		value = X509_ATTRIBUTE_get0_type(a, 0);

  		if ((value != NULL) && (value->type == V_ASN1_PRINTABLESTRING)) {

  			p = value->value.printablestring;

  			if (p != NULL) {

- 				len = ASN1_STRING_length(p);

- 				s = (const char *) ASN1_STRING_data(p);

+ 				len = util_ASN1_STRING_length(p);

+ 				s = (const char *) util_ASN1_STRING_get0_data(p);

  				ret = talloc_size(parent, len + 1);

  				if (ret != NULL) {

  					memcpy(ret, s, len);
@@ -864,7 +833,7 @@ 

  	ASN1_TYPE *value;

  	ASN1_OCTET_STRING *p;

  	const unsigned char *s;

- 	int i;

+ 	int i, len;

  

  	*ret = NULL;

  	*length = 0;
@@ -873,27 +842,25 @@ 

  	}

  	for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {

  		a = sk_X509_ATTRIBUTE_value(attrs, i);

- 		if (OBJ_obj2nid(a->object) != nid) {

+ 		if (a == NULL) { /* should not happen */

  			continue;

  		}

- 		if (a->single) {

- 			value = a->value.single;

- 		} else {

- 			if (sk_ASN1_TYPE_num(a->value.set) == 1) {

- 				value = sk_ASN1_TYPE_value(a->value.set, 0);

- 			} else {

- 				value = NULL;

- 			}

+ 		if (OBJ_obj2nid(util_X509_ATTRIBUTE_get0_object(a)) != nid) {

+ 			continue;

+ 		}

+ 		if (X509_ATTRIBUTE_count(a) != 1) {

+ 			continue;

  		}

+ 		value = X509_ATTRIBUTE_get0_type(a, 0);

  		if ((value != NULL) && (value->type == V_ASN1_OCTET_STRING)) {

  			p = value->value.octet_string;

  			if (p != NULL) {

- 				i = ASN1_STRING_length(p);

- 				s = ASN1_STRING_data(p);

- 				*ret = talloc_size(parent, i + 1);

+ 				len = util_ASN1_STRING_length(p);

+ 				s = util_ASN1_STRING_get0_data(p);

+ 				*ret = talloc_size(parent, len + 1);

  				if (*ret != NULL) {

- 					memcpy(*ret, s, i);

- 					*length = i;

+ 					memcpy(*ret, s, len);

+ 					*length = len;

  					return;

  				}

  			}
@@ -994,7 +961,7 @@ 

  		goto done;

  	}

  	X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors);

- 	certs = sk_X509_new(cert_cmp);

+ 	certs = sk_X509_new(util_o_cert_cmp);

  	if (certs == NULL) {

  		cm_log(1, "Out of memory.\n");

  		goto done;
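Review bot: The rewritten `issuerissued` deserves a comment on its fallback, because `X509_check_issued()` already compares the issuer's subject with the issued certificate's issuer name, so reaching the `X509_name_cmp` line means the pair was rejected on other grounds (key-identifier mismatch or missing keyCertSign) and a bare name match is then accepted anyway. That looks intentional, since the code it replaces had the same final name comparison, but it is worth stating: `/* X509_check_issued() also requires matching key IDs and keyCertSign; fall back to a plain subject/issuer name match as before. */`. Without it a later reader may "fix" the fallback and break chains from CAs whose certificates lack key usage.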

file modified
+8 -1
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2010 Red Hat, Inc.

+  * Copyright (C) 2010,2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -17,9 +17,16 @@ 

  

  #include "config.h"

  

+ #include <sys/types.h>

+ #ifdef HAVE_INTTYPES_H

+ #include <inttypes.h>

+ #endif

+ #include <stdint.h>

+ 

  #include <keythi.h>

  

  #include <openssl/evp.h>

+ #include <openssl/x509.h>

  

  #include "prefs.h"

  #include "prefs.h"

file modified
+4
@@ -21,7 +21,11 @@ 

  #include <sys/stat.h>

  #include <errno.h>

  #include <fcntl.h>

+ #ifdef HAVE_INTTYPES_H

+ #include <inttypes.h>

+ #endif

  #include <limits.h>

+ #include <stdint.h>

  #include <stdlib.h>

  #include <stdio.h>

  #include <string.h>

file modified
+16 -19
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2015 Red Hat, Inc.

+  * Copyright (C) 2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -38,6 +38,7 @@ 

  #include <secpkcs7.h>

  #include <secport.h>

  

+ #include <openssl/asn1t.h>

  #include <openssl/bn.h>

  #include <openssl/evp.h>

  #include <openssl/pkcs7.h>
@@ -63,6 +64,7 @@ 

  #include "submit-u.h"

  #include "subproc.h"

  #include "util-n.h"

+ #include "util-o.h"

  

  struct cm_scepgen_state {

  	struct cm_scepgen_state_pvt pvt;
@@ -74,12 +76,13 @@ 

  cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)

  {

  	unsigned char *sabuf = NULL, *u;

- 	int salen;

+ 	int salen, l;

  	SECItem signature;

  	SECOidTag digalg, sigalg;

  	PKCS7_SIGNER_INFO *sinfo;

  

  	if (p7 == NULL) {

+ 		cm_log(1, "Nothing to resign.\n");

  		return;

  	}

  	if (sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info) != 1) {
@@ -87,26 +90,21 @@ 

  		_exit(CM_SUB_STATUS_INTERNAL_ERROR);

  	}

  	sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);

- 

- 	salen = i2d_ASN1_SET_OF_X509_ATTRIBUTE(sinfo->auth_attr, NULL,

- 					       i2d_X509_ATTRIBUTE,

- 					       V_ASN1_SET,

- 					       V_ASN1_UNIVERSAL,

- 					       IS_SET);

- 	sabuf = malloc(salen);

+ 	salen = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, NULL, &PKCS7_ATTR_SIGN_it);

+ 	u = sabuf = malloc(salen);

  	if (sabuf == NULL) {

  		cm_log(1, "Out of memory.\n");

  		_exit(CM_SUB_STATUS_INTERNAL_ERROR);

  	}

- 	u = sabuf;

- 	if (i2d_ASN1_SET_OF_X509_ATTRIBUTE(sinfo->auth_attr, &u,

- 					   i2d_X509_ATTRIBUTE,

- 					   V_ASN1_SET,

- 					   V_ASN1_UNIVERSAL,

- 					   IS_SET) != salen) {

- 		cm_log(1, "Encoding error.\n");

+ 	/* ASN1_item_i2d doesn't actually modify the passed-in pointer, which

+ 	 * allows it to allocate the memory on its own, but we want to handle

+ 	 * that ourselves. */

+ 	l = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, &u, &PKCS7_ATTR_SIGN_it);

+ 	if (l != salen) {

+ 		cm_log(1, "Error encoding attributes.\n");

  		_exit(CM_SUB_STATUS_INTERNAL_ERROR);

  	}

+ 

  	memset(&signature, 0, sizeof(signature));

  	digalg = cm_submit_n_tag_from_nid(OBJ_obj2nid(sinfo->digest_alg->algorithm));

  	sigalg = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digalg);
@@ -120,9 +118,8 @@ 

  		       PR_ErrorToName(PORT_GetError()));

  		_exit(CM_SUB_STATUS_INTERNAL_ERROR);

  	}

- 	M_ASN1_OCTET_STRING_set(sinfo->enc_digest,

- 				signature.data, signature.len);

- 	free(sabuf);

+ 	util_ASN1_OCTET_STRING_set(sinfo->enc_digest,

+ 				   signature.data, signature.len);

  }

  

  static int
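Review bot: The hunk removes the `free(sabuf)` at the end of `cm_scepgen_n_resign` without adding a replacement, so the DER buffer for the authenticated attributes now leaks on every call unless the free was moved somewhere outside the hunk. `salen` from the first `ASN1_item_i2d` is also passed to `malloc` unchecked; a negative encoding-error result turns into an enormous allocation request, so add `if (salen < 0) { cm_log(1, "Error encoding attributes.\n"); _exit(CM_SUB_STATUS_INTERNAL_ERROR); }` before it. The new comment is misleading as written, since `ASN1_item_i2d` does advance `*out` when the caller supplies a buffer; it would read better as `/* With *out == NULL, ASN1_item_i2d() would allocate the buffer itself; pre-allocate so we own it. */`.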

file modified
+37 -33
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2015 Red Hat, Inc.

+  * Copyright (C) 2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -141,17 +141,6 @@ 

  	return NULL;

  }

  

- static int

- cert_cmp(const void *a, const void *b)

- {

- 	X509 * const *x, * const *y;

- 

- 	x = a;

- 	y = b;

- 	return X509_cmp(*x, *y);

- }

- 

- 

  static STACK_OF(X509) *

  certs_from_nickcerts(struct cm_nickcert **list)

  {
@@ -176,7 +165,7 @@ 

  				_exit(CM_SUB_STATUS_INTERNAL_ERROR);

  			}

  			if (sk == NULL) {

- 				sk = sk_X509_new(cert_cmp);

+ 				sk = sk_X509_new(util_o_cert_cmp);

  				if (sk == NULL) {

  					cm_log(1, "Out of memory.\n");

  					_exit(CM_SUB_STATUS_INTERNAL_ERROR);
@@ -226,7 +215,7 @@ 

  	sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);

  	if (tx != NULL) {

  		cm_log(1, "Setting transaction ID \"%s\".\n", tx);

- 		t = M_ASN1_PRINTABLE_new();

+ 		t = util_ASN1_PRINTABLESTRING_new();

  		if (t == NULL) {

  			return;

  		}
@@ -236,7 +225,7 @@ 

  	}

  	if (msgtype != NULL) {

  		cm_log(1, "Setting message type \"%s\".\n", msgtype);

- 		m = M_ASN1_PRINTABLE_new();

+ 		m = util_ASN1_PRINTABLESTRING_new();

  		if (m == NULL) {

  			return;

  		}
@@ -246,7 +235,7 @@ 

  	}

  	if (pkistatus != NULL) {

  		cm_log(1, "Setting pkiStatus \"%s\".\n", pkistatus);

- 		p = M_ASN1_PRINTABLE_new();

+ 		p = util_ASN1_PRINTABLESTRING_new();

  		if (p == NULL) {

  			return;

  		}
@@ -256,7 +245,7 @@ 

  	}

  	if (failinfo != NULL) {

  		cm_log(1, "Setting failInfo \"%s\".\n", failinfo);

- 		f = M_ASN1_PRINTABLE_new();

+ 		f = util_ASN1_PRINTABLESTRING_new();

  		if (f == NULL) {

  			return;

  		}
@@ -266,21 +255,21 @@ 

  	}

  	if (sender_nonce != NULL) {

  		cm_log(1, "Setting sender nonce.\n");

- 		s = ASN1_OCTET_STRING_new();

+ 		s = util_ASN1_OCTET_STRING_new();

  		if (s == NULL) {

  			return;

  		}

- 		M_ASN1_OCTET_STRING_set(s, sender_nonce, sender_nonce_length);

+ 		util_ASN1_OCTET_STRING_set(s, sender_nonce, sender_nonce_length);

  		PKCS7_add_signed_attribute(sinfo, cm_scep_o_get_sender_nonce_nid(),

  					   V_ASN1_OCTET_STRING, s);

  	}

  	if (recipient_nonce != NULL) {

  		cm_log(1, "Setting recipient nonce.\n");

- 		r = ASN1_OCTET_STRING_new();

+ 		r = util_ASN1_OCTET_STRING_new();

  		if (r == NULL) {

  			return;

  		}

- 		M_ASN1_OCTET_STRING_set(r, recipient_nonce, recipient_nonce_length);

+ 		util_ASN1_OCTET_STRING_set(r, recipient_nonce, recipient_nonce_length);

  		PKCS7_add_signed_attribute(sinfo,

  					   cm_scep_o_get_recipient_nonce_nid(),

  					   V_ASN1_OCTET_STRING, r);
@@ -408,7 +397,7 @@ 

  		cm_log(1, "PRNG not seeded for generating key.\n");

  		_exit(CM_SUB_STATUS_INTERNAL_ERROR);

  	}

- 	if (RAND_pseudo_bytes(nonce, nonce_length) == -1) {

+ 	if (RAND_bytes(nonce, nonce_length) == -1) {

  		cm_log(1, "PRNG unable to generate nonce.\n");

  		_exit(CM_SUB_STATUS_INTERNAL_ERROR);

  	}
@@ -510,8 +499,12 @@ 

  	if (old_cert != NULL) {

  		/* Sign the data using the previously-issued certificate and

  		 * the matching key. */

- 		pubkey = X509_PUBKEY_get(old_cert->cert_info->key);

- 		X509_PUBKEY_set(&old_cert->cert_info->key, old_pkey);

+ 		pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(old_cert));

+ 		if (pubkey == NULL) {

+ 			cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");

+ 			_exit(CM_SUB_STATUS_INTERNAL_ERROR);

+ 		}

+ 		util_X509_set_pubkey(old_cert, old_pkey);

  		cm_log(1, "Generating PKCSREQ pkiMessage.\n");

  		*csr_old = build_pkimessage(old_pkey, old_cert, chain, digest,

  					    csr, csr_length,
@@ -529,15 +522,20 @@ 

  					    nonce, nonce_length,

  					    NULL, 0);

  		cm_log(1, "Signing using previously-issued key and cert.\n");

- 		X509_PUBKEY_set(&old_cert->cert_info->key, pubkey);

+ 		util_X509_set_pubkey(old_cert, pubkey);

+ 		EVP_PKEY_free(pubkey);

  		X509_free(old_cert);

  	} else {

  		if (new_pkey == NULL) {

  			/* Sign the data using the old key and the mini certificate,

  			 * since we may not have a previously-issued certificate (and

  			 * if we do, we did that in another code path. */

- 			pubkey = X509_PUBKEY_get(new_cert->cert_info->key);

- 			X509_PUBKEY_set(&new_cert->cert_info->key, old_pkey);

+ 			pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));

+ 			if (pubkey == NULL) {

+ 				cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");

+ 				_exit(CM_SUB_STATUS_INTERNAL_ERROR);

+ 			}

+ 			util_X509_set_pubkey(new_cert, old_pkey);

  			cm_log(1, "Generating PKCSREQ pkiMessage.\n");

  			*csr_old = build_pkimessage(old_pkey, new_cert, chain, digest,

  						    csr, csr_length,
@@ -555,7 +553,8 @@ 

  						    nonce, nonce_length,

  						    NULL, 0);

  			cm_log(1, "Signing using old key.\n");

- 			X509_PUBKEY_set(&new_cert->cert_info->key, pubkey);

+ 			util_X509_set_pubkey(new_cert, pubkey);

+ 			EVP_PKEY_free(pubkey);

  		} else {

  			/* No cert, and the minicert matches the new key. */

  			*csr_old = NULL;
@@ -565,8 +564,12 @@ 

  	if (new_pkey != NULL) {

  		/* Sign the data using the new key and mini certificate, since

  		 * any previously-issued certificate won't match. */

- 		pubkey = X509_PUBKEY_get(new_cert->cert_info->key);

- 		X509_PUBKEY_set(&new_cert->cert_info->key, new_pkey);

+ 		pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));

+ 		if (pubkey == NULL) {

+ 			cm_log(1, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");

+ 			_exit(CM_SUB_STATUS_INTERNAL_ERROR);

+ 		}

+ 		util_X509_set_pubkey(new_cert, new_pkey);

  		cm_log(1, "Generating rekeying PKCSREQ pkiMessage.\n");

  		*csr_new = build_pkimessage(new_pkey, new_cert, chain, digest,

  					    csr, csr_length,
@@ -584,7 +587,8 @@ 

  					    nonce, nonce_length,

  					    NULL, 0);

  		cm_log(1, "Signing using new key.\n");

- 		X509_PUBKEY_set(&new_cert->cert_info->key, pubkey);

+ 		util_X509_set_pubkey(new_cert, pubkey);

+ 		EVP_PKEY_free(pubkey);

  	} else {

  		*csr_new = NULL;

  		*ias_new = NULL;
@@ -644,8 +648,8 @@ 

  	} else {

  		new_pkey = NULL;

  	}

- 	if ((EVP_PKEY_type(old_pkey->type) != EVP_PKEY_RSA) ||

- 	    ((new_pkey != NULL) && (EVP_PKEY_type(new_pkey->type) != EVP_PKEY_RSA))) {

+ 	if ((util_EVP_PKEY_base_id(old_pkey) != EVP_PKEY_RSA) ||

+ 	    ((new_pkey != NULL) && (util_EVP_PKEY_base_id(new_pkey) != EVP_PKEY_RSA))) {

  		cm_log(1, "Keys aren't RSA.  They won't work with SCEP.\n");

  		_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);

  	}

file modified
+5 -2
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2014 Red Hat, Inc.

+  * Copyright (C) 2014,2016,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -20,6 +20,9 @@ 

  #include <sys/types.h>

  #include <sys/socket.h>

  #include <arpa/nameser.h>

+ #ifdef HAVE_INTTYPES_H

+ #include <inttypes.h>

+ #endif

  #include <netdb.h>

  #include <resolv.h>

  #include <stdint.h>
@@ -87,7 +90,7 @@ 

  	if (RAND_status() != 1) {

  		return 0;

  	}

- 	if (RAND_pseudo_bytes((unsigned char *) &r, sizeof(r)) == -1) {

+ 	if (RAND_bytes((unsigned char *) &r, sizeof(r)) == -1) {

  		return 0;

  	}

  	if (r < 0) {
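Review bot: `RAND_bytes((unsigned char *) &r, sizeof(r)) == -1` only catches the case where the RAND method does not implement the call; RAND_bytes returns 0 on an ordinary failure, which this test treats as success and then goes on to use r. The check should be `if (RAND_bytes((unsigned char *) &r, sizeof(r)) != 1) {`. The RAND_status() test just above narrows the window but does not close it. The enclosing function starts and ends outside the hunk.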

file modified
+2
@@ -18,6 +18,8 @@ 

  #ifndef cmsrvloc_h

  #define cmsrvloc_h

  

+ #include <stdint.h>

+ 

  struct cm_srvloc {

  	char *host;

  	uint16_t port;

file modified
+11 -19
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2010,2011,2012,2013,2014,2015 Red Hat, Inc.

+  * Copyright (C) 2009,2010,2011,2012,2013,2014,2015,2017 Red Hat, Inc.

   *

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -1769,15 +1769,11 @@ 

  static int

  cm_store_entry_write(FILE *fp, struct cm_store_entry *entry)

  {

- 	char timestamp[15], uuidstring[37];

+ 	char timestamp[15];

  	const char *p;

  

  	if (entry->cm_nickname == NULL) {

- 		if (cm_store_make_uuid_string_underscore(uuidstring) > 0) {

- 			p = uuidstring;

- 		} else {

- 			return -1;

- 		}

+ 		p = cm_store_timestamp_from_time(cm_time(NULL), timestamp);

  	} else {

  		p = entry->cm_nickname;

  	}
@@ -2198,16 +2194,16 @@ 

  cm_store_entry_save(struct cm_store_entry *entry)

  {

  	FILE *fp;

- 	char timestamp[15], path[PATH_MAX], uuidstring[37];

+ 	char timestamp[15], path[PATH_MAX];

  	int i, fd = -1, give_up;

  	const char *directory, *dest;

  

  	if (entry->cm_store_private == NULL) {

- 		cm_store_make_uuid_string(uuidstring);

+ 		cm_store_timestamp_from_time(cm_time(NULL), timestamp);

  		directory = cm_env_request_dir();

  		if (directory != NULL) {

  			snprintf(path, sizeof(path), "%s/%s",

- 				 directory, uuidstring);

+ 				 directory, timestamp);

  			fd = open(path,

  				  O_WRONLY | O_CREAT | O_EXCL,

  				  S_IRUSR | S_IWUSR);
@@ -2344,14 +2340,10 @@ 

  cm_store_ca_write(FILE *fp, struct cm_store_ca *ca)

  {

  	const char *p;

- 	char uuidstring[37];

+ 	char timestamp[15];

  

  	if (ca->cm_nickname == NULL) {

- 		if (cm_store_make_uuid_string_underscore(uuidstring) > 0) {

- 			p = uuidstring;

- 		} else {

- 			return -1;

- 		}

+ 		p = cm_store_timestamp_from_time(cm_time(NULL), timestamp);

  	} else {

  		p = ca->cm_nickname;

  	}
@@ -2460,15 +2452,15 @@ 

  cm_store_ca_save(struct cm_store_ca *ca)

  {

  	FILE *fp;

- 	char timestamp[15], path[PATH_MAX], uuidstring[37];

+ 	char timestamp[15], path[PATH_MAX];

  	int i, fd = -1, give_up;

  	const char *directory, *dest;

  

  	if (ca->cm_store_private == NULL) {

- 		cm_store_make_uuid_string(uuidstring);

+ 		cm_store_timestamp_from_time(cm_time(NULL), timestamp);

  		directory = cm_env_ca_dir();

  		if (directory != NULL) {

- 			snprintf(path, sizeof(path), "%s/%s", directory, uuidstring);

+ 			snprintf(path, sizeof(path), "%s/%s", directory, timestamp);

  			fd = open(path,

  				  O_WRONLY | O_CREAT | O_EXCL,

  				  S_IRUSR | S_IWUSR);
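Review bot: The new on-disk names come from cm_store_timestamp_from_time into a 15-byte buffer, which presumably gives at most one-second resolution, so two entries (or two CAs) saved within the same second resolve to the same path; the O_EXCL open then fails with EEXIST, and unless the retry loop that follows (not visible here) varies the name, the save fails where the UUID-based name was effectively collision-free. If that is intended, a short comment at the snprintf saying how a collision is handled would help; otherwise add a disambiguator, e.g. `snprintf(path, sizeof(path), "%s/%s-%d", directory, timestamp, i);`. The same applies to the default nickname in cm_store_entry_write and cm_store_ca_write, which also lose the previous `return -1` failure path.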

file modified
+4 -1
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2011,2012,2013,2014,2015 Red Hat, Inc.

+  * Copyright (C) 2009,2011,2012,2013,2014,2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -21,6 +21,9 @@ 

  #include <sys/wait.h>

  #include <errno.h>

  #include <fcntl.h>

+ #ifdef HAVE_INTTYPES_H

+ #include <inttypes.h>

+ #endif

  #include <limits.h>

  #include <stdint.h>

  #include <stdlib.h>

file modified
+21 -22
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2015 Red Hat, Inc.

+  * Copyright (C) 2015,2017 Red Hat, Inc.

   *

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -29,6 +29,7 @@ 

  #include <openssl/bn.h>

  #include <openssl/err.h>

  #include <openssl/evp.h>

+ #include <openssl/objects.h>

  #include <openssl/pkcs7.h>

  #include <openssl/stack.h>

  #include <openssl/x509.h>
@@ -61,7 +62,6 @@ 

  #include "util-o.h"

  

  #define PRIVKEY_LIST_EMPTY(l) PRIVKEY_LIST_END(PRIVKEY_LIST_HEAD(l), l)

- #define WINDOW (24 * 60 * 60 * PR_USEC_PER_SEC)

  

  SECOidTag

  cm_submit_n_tag_from_nid(int nid)
@@ -72,26 +72,14 @@ 

  	obj = OBJ_nid2obj(nid);

  	if (obj != NULL) {

  		memset(&oid, 0, sizeof(oid));

- 		oid.data = (unsigned char *) obj->data;

- 		oid.len = obj->length;

+ 		oid.data = (unsigned char *) util_OBJ_get0_data(obj);

+ 		oid.len = util_OBJ_length(obj);

  		return SECOID_FindOIDTag(&oid);

  	} else {

  		return SEC_OID_UNKNOWN;

  	}

  }

  

- int

- cm_submit_n_nid_from_tag(SECOidTag tag)

- {

- 	SECOidData *oid = SECOID_FindOIDByTag(tag);

- 	ASN1_OBJECT obj;

- 

- 	memset(&obj, 0, sizeof(obj));

- 	obj.data = oid->oid.data;

- 	obj.length = oid->oid.len;

- 	return OBJ_obj2nid(&obj);

- }

- 

  static SECItem *

  try_to_decode(void *parent, PLArenaPool *arena, SECItem *item,

  	      SECKEYPrivateKey *privkey)
@@ -110,7 +98,7 @@ 

  	RSA *rsa = NULL;

  	char buf[BUFSIZ];

  	const unsigned char *u;

- 	unsigned char *enc_key, *dec, *reenc;

+ 	unsigned char *enc_key, *dec, *reenc, *param_data;

  	unsigned int enc_key_len, dec_len;

  	ssize_t reenc_len;

  	long error, l;
@@ -151,14 +139,25 @@ 

  	if (p7i->key_enc_algor->parameter->type == V_ASN1_OCTET_STRING) {

  		params = p7i->key_enc_algor->parameter->value.octet_string;

  		memset(&param, 0, sizeof(param));

- 		param.data = M_ASN1_STRING_data(params);

- 		param.len = M_ASN1_STRING_length(params);

+ 		param.len = util_ASN1_STRING_length(params);

+ 		param_data = PORT_ArenaZAlloc(arena, param.len);

+ 		if (param_data == NULL) {

+ 			cm_log(1, "Out of memory decrypting bulk key.\n");

+ 			goto done;

+ 		}

+ 		memcpy(param_data, util_ASN1_STRING_get0_data(params), param.len);

+ 		param.data = param_data;

  		parameters = &param;

  	} else {

  		parameters = NULL;

  	}

- 	enc_key = M_ASN1_STRING_data(p7i->enc_key);

- 	enc_key_len = M_ASN1_STRING_length(p7i->enc_key);

+ 	enc_key_len = util_ASN1_STRING_length(p7i->enc_key);

+ 	enc_key = PORT_ArenaZAlloc(arena, enc_key_len);

+ 	if (enc_key == NULL) {

+ 		cm_log(1, "Out of memory decrypting bulk key.\n");

+ 		goto done;

+ 	}

+ 	memcpy(enc_key, util_ASN1_STRING_get0_data(p7i->enc_key), enc_key_len);

  	dec_len = enc_key_len + BUFSIZ;

  	dec = talloc_size(parent, dec_len);

  	if (parameters == NULL) {
@@ -229,7 +228,7 @@ 

  	/* Set the new encrypted bulk key. */

  	p7i->key_enc_algor->algorithm = OBJ_dup(OBJ_nid2obj(NID_rsaEncryption));

  	ASN1_TYPE_set(p7i->key_enc_algor->parameter, V_ASN1_NULL, NULL);

- 	M_ASN1_OCTET_STRING_set(p7i->enc_key, reenc, reenc_len);

+ 	util_ASN1_OCTET_STRING_set(p7i->enc_key, reenc, reenc_len);

  

  	/* And now, finally, decrypt the payload. */

  	out = BIO_new(BIO_s_mem());

file modified
+168 -36
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2010,2011,2012,2014.2015 Red Hat, Inc.

+  * Copyright (C) 2009,2010,2011,2012,2014,2015,2017 Red Hat, Inc.

   *

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -26,14 +26,19 @@ 

  #include <time.h>

  #include <unistd.h>

  

- #include <nss.h>

- #include <pk11pub.h>

- 

  #include <openssl/err.h>

  #include <openssl/pem.h>

  #include <openssl/x509.h>

  #include <openssl/x509v3.h>

  

+ #include <prerror.h>

+ #include <prtypes.h>

+ #include <certt.h>

+ #include <secasn1.h>

+ #include <secerr.h>

+ #include <secoidt.h>

+ #include <secmodt.h>

+ 

  #include <krb5.h>

  

  #include <talloc.h>
@@ -52,6 +57,142 @@ 

  #include "subproc.h"

  #include "util-o.h"

  

+ static void

+ cm_submit_o_set_things(X509 **cert, X509 *signer, unsigned char uuid[16], unsigned int uuid_len,

+ 		       STACK_OF(X509_EXTENSION) *extensions)

+ {

+ 	PLArenaPool *arena = NULL;

+ 	CERTCertificate subject, issuer;

+ 	CERTSignedData scert;

+ 	SECItem item, *encoded;

+ 	X509_EXTENSION *ext;

+ 	unsigned char *p, *q;

+ 	const unsigned char *d;

+ 	int length, l, i;

+ 

+ 	arena = PORT_NewArena(sizeof(double));

+ 	if (arena == NULL) {

+ 		cm_log(1, "Out of memory for decoding cert_info.");

+ 		return;

+ 	}

+ 	memset(&item, 0, sizeof(item));

+ 

+ 	if (signer != NULL) {

+ 		length = i2d_X509(signer, NULL);

+ 		if (length < 0) {

+ 			cm_log(1, "Error encoding signer cert.");

+ 			PORT_FreeArena(arena, PR_TRUE);

+ 			return;

+ 		}

+ 		p = q = malloc(length);

+ 		l = i2d_X509(signer, &q);

+ 		if (l != length) {

+ 			cm_log(1, "Error encoding signer cert: %d != %d.", l, length);

+ 			free(p);

+ 			PORT_FreeArena(arena, PR_TRUE);

+ 			return;

+ 		}

+ 		memset(&scert, 0, sizeof(scert));

+ 		item.data = p;

+ 		item.len = length;

+ 		if (SEC_ASN1DecodeItem(arena, &scert, CERT_SignedDataTemplate, &item) != SECSuccess) {

+ 			cm_log(1, "Error decoding signer cert: %s.", PR_ErrorToName(PORT_GetError()));

+ 			free(p);

+ 			PORT_FreeArena(arena, PR_TRUE);

+ 			return;

+ 		}

+ 		memset(&issuer, 0, sizeof(issuer));

+ 		if (SEC_ASN1DecodeItem(arena, &issuer, CERT_CertificateTemplate, &scert.data) != SECSuccess) {

+ 			cm_log(1, "Error decoding signer cert info: %s.", PR_ErrorToName(PORT_GetError()));

+ 			free(p);

+ 			PORT_FreeArena(arena, PR_TRUE);

+ 			return;

+ 		}

+ 		free(p);

+ 	}

+ 

+ 	for (i = 0; i < sk_X509_EXTENSION_num(extensions); i++) {

+ 		ext = sk_X509_EXTENSION_value(extensions, i);

+ 		if (ext != NULL) {

+ 			if (X509_add_ext(*cert, ext, -1) != 1) {

+ 				cm_log(1, "Error adding extension to certificate.");

+ 				PORT_FreeArena(arena, PR_TRUE);

+ 				return;

+ 			}

+ 		}

+ 	}

+ 

+ 	length = i2d_X509(*cert, NULL);

+ 	if (length < 0) {

+ 		cm_log(1, "Error encoding cert.");

+ 		PORT_FreeArena(arena, PR_TRUE);

+ 		return;

+ 	}

+ 	p = q = malloc(length);

+ 	l = i2d_X509(*cert, &q);

+ 	if (l != length) {

+ 		cm_log(1, "Error encoding cert: %d != %d.", l, length);

+ 		free(p);

+ 		PORT_FreeArena(arena, PR_TRUE);

+ 		return;

+ 	}

+ 	memset(&scert, 0, sizeof(scert));

+ 	item.data = p;

+ 	item.len = length;

+ 	if (SEC_ASN1DecodeItem(arena, &scert, CERT_SignedDataTemplate, &item) != SECSuccess) {

+ 		cm_log(1, "Error decoding cert: %s.", PR_ErrorToName(PORT_GetError()));

+ 		free(p);

+ 		PORT_FreeArena(arena, PR_TRUE);

+ 		return;

+ 	}

+ 	memset(&subject, 0, sizeof(subject));

+ 	if (SEC_ASN1DecodeItem(arena, &subject, CERT_CertificateTemplate, &scert.data) != SECSuccess) {

+ 		cm_log(1, "Error decoding cert info: %s.", PR_ErrorToName(PORT_GetError()));

+ 		free(p);

+ 		PORT_FreeArena(arena, PR_TRUE);

+ 		return;

+ 	}

+ 	free(p);

+ 

+ 	memset(&subject.issuerID, 0, sizeof(subject.issuerID));

+ 	memset(&subject.subjectID, 0, sizeof(subject.subjectID));

+ 	if (uuid_len > 0) {

+ 		subject.subjectID.data = uuid;

+ 		subject.subjectID.len = uuid_len;

+ 		if (signer != NULL) {

+ 			subject.issuerID = issuer.subjectID;

+ 		} else {

+ 			subject.issuerID.data = uuid;

+ 			subject.issuerID.len = uuid_len;

+ 		}

+ 	}

+ 

+ 	memset(&scert.data, 0, sizeof(scert.data));

+ 	encoded = SEC_ASN1EncodeItem(arena, &scert.data, &subject, CERT_CertificateTemplate);

+ 	if (encoded != &scert.data) {

+ 		cm_log(1, "Error re-encoding cert_info: %s.", PR_ErrorToName(PORT_GetError()));

+ 		PORT_FreeArena(arena, PR_TRUE);

+ 		return;

+ 	}

+ 	memset(&item, 0, sizeof(item));

+ 	encoded = SEC_ASN1EncodeItem(arena, &item, &scert, CERT_SignedDataTemplate);

+ 	if (encoded != &item) {

+ 		cm_log(1, "Error re-encoding cert: %s.", PR_ErrorToName(PORT_GetError()));

+ 		PORT_FreeArena(arena, PR_TRUE);

+ 		return;

+ 	}

+ 

+ 	d = item.data;

+ 	*cert = d2i_X509(NULL, &d, item.len);

+ 	if (*cert == NULL) {

+ 		cm_log(1, "Error re-decoding cert.");

+ 		PORT_FreeArena(arena, PR_TRUE);

+ 		return;

+ 	}

+ 

+ 	PORT_FreeArena(arena, PR_TRUE);

+ }

+ 

  int

  cm_submit_o_sign(void *parent, char *csr,

  		 X509 *signer, EVP_PKEY *signer_key,
@@ -61,6 +202,7 @@ 

  	X509_REQ *req;

  	BIO *bio;

  	ASN1_INTEGER *seriali;

+ 	ASN1_TIME *not_before, *not_after;

  	BASIC_CONSTRAINTS *basic;

  	ASN1_OCTET_STRING *skid;

  	AUTHORITY_KEYID akid;
@@ -68,10 +210,8 @@ 

  	const unsigned char *serialtmp, *basictmp;

  	char *serial;

  	int status = CM_SUBMIT_STATUS_WAIT, seriall, basicl, crit, i;

- 	unsigned int mdlen;

- #ifdef HAVE_UUID

+ 	unsigned int mdlen, uuid_len;

  	unsigned char uuid[16];

- #endif

  

  	bio = BIO_new_mem_buf(csr, -1);

  	if (bio != NULL) {
@@ -82,18 +222,21 @@ 

  			if (*cert != NULL) {

  				X509_set_subject_name(*cert, X509_REQ_get_subject_name(req));

  				if (signer != NULL) {

- 					X509_set_issuer_name(*cert, signer->cert_info->subject);

+ 					X509_set_issuer_name(*cert, X509_get_subject_name(signer));

  				} else {

  					X509_set_issuer_name(*cert, X509_REQ_get_subject_name(req));

  				}

- 				X509_set_pubkey(*cert, X509_PUBKEY_get(req->req_info->pubkey));

- 				ASN1_TIME_set((*cert)->cert_info->validity->notBefore, now);

+ 				X509_set_pubkey(*cert, util_X509_REQ_get0_pubkey(req));

+ 				not_before = util_ASN1_TIME_new();

+ 				ASN1_TIME_set(not_before, now);

+ 				util_X509_set1_notBefore(*cert, not_before);

  				if ((life == 0) && (signer != NULL)) {

- 					(*cert)->cert_info->validity->notAfter =

- 						M_ASN1_TIME_dup(signer->cert_info->validity->notAfter);

+ 					not_after = util_ASN1_TIME_dup((ASN1_TIME *)util_X509_get0_notAfter(signer));

  				} else {

- 					ASN1_TIME_set((*cert)->cert_info->validity->notAfter, now + life);

+ 					not_after = util_ASN1_TIME_new();

+ 					ASN1_TIME_set(not_after, now + life);

  				}

+ 				util_X509_set1_notAfter(*cert, not_after);

  				X509_set_version(*cert, 2);

  				/* set the serial number */

  				cm_log(3, "Setting certificate serial number \"%s\".\n",
@@ -105,28 +248,20 @@ 

  				serialtmp = seriald;

  				seriali = d2i_ASN1_INTEGER(NULL, &serialtmp, seriall);

  				X509_set_serialNumber(*cert, seriali);

+ 				uuid_len = 0;

  #ifdef HAVE_UUID

  				if (cm_prefs_populate_unique_id()) {

  					if (cm_submit_uuid_new(uuid) == 0) {

- 						(*cert)->cert_info->subjectUID = M_ASN1_BIT_STRING_new();

- 						if ((*cert)->cert_info->subjectUID != NULL) {

- 							ASN1_BIT_STRING_set((*cert)->cert_info->subjectUID, uuid, 16);

- 						}

- 						if (signer != NULL) {

- 							if (signer->cert_info->subjectUID != NULL) {

- 								(*cert)->cert_info->issuerUID = M_ASN1_BIT_STRING_dup(signer->cert_info->subjectUID);

- 							}

- 						} else {

- 							(*cert)->cert_info->issuerUID = M_ASN1_BIT_STRING_new();

- 							if ((*cert)->cert_info->issuerUID != NULL) {

- 								ASN1_BIT_STRING_set((*cert)->cert_info->issuerUID, uuid, 16);

- 							}

- 						}

+ 						uuid_len = sizeof(uuid);

  					}

  				}

  #endif

+ 				/* Add a signature so that it looks right...ish. */

+ 				X509_sign(*cert, signer_key, cm_prefs_ossl_hash());

+ 				/* Add extensions and possibly add deprecated UUIDs. */

+ 				cm_submit_o_set_things(cert, signer, uuid, uuid_len,

+ 						       X509_REQ_get_extensions(req));

  				/* add basic constraints if needed */

- 				(*cert)->cert_info->extensions = X509_REQ_get_extensions(req);

  				i = X509_get_ext_by_NID(*cert, NID_basic_constraints, -1);

  				if (i == -1) {

  					basicl = strlen(CM_BASIC_CONSTRAINT_NOT_CA) / 2;
@@ -147,8 +282,8 @@ 

  					i = X509_get_ext_by_NID(*cert, NID_subject_key_identifier, -1);

  					if (i == -1) {

  						if (X509_pubkey_digest(*cert, EVP_sha1(), md, &mdlen)) {

- 							skid = M_ASN1_OCTET_STRING_new();

- 							M_ASN1_OCTET_STRING_set(skid, md, mdlen);

+ 							skid = util_ASN1_OCTET_STRING_new();

+ 							util_ASN1_OCTET_STRING_set(skid, md, mdlen);

  							X509_add1_ext_i2d(*cert, NID_subject_key_identifier, skid, 0, 0);

  						}

  					}
@@ -161,18 +296,15 @@ 

  					status = CM_SUBMIT_STATUS_UNREACHABLE;

  				}

  			} else {

- 				cm_log(1, "Error building "

- 				       "template certificate.\n");

+ 				cm_log(1, "Error building template certificate.\n");

  				status = CM_SUBMIT_STATUS_REJECTED;

  			}

  		} else {

- 			cm_log(1, "Error reading "

- 			       "signing request.\n");

+ 			cm_log(1, "Error reading signing request.\n");

  		}

  		BIO_free(bio);

  	} else {

- 		cm_log(1, "Error parsing signing "

- 		       "request.\n");

+ 		cm_log(1, "Error parsing signing request.\n");

  	}

  	return status;

  }
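Review bot: cm_submit_o_set_things never checks either `p = q = malloc(length)` result before i2d_X509 writes through it, and its final `*cert = d2i_X509(NULL, &d, item.len)` drops the caller's original X509 without X509_free, so on a decode failure the caller is left with `*cert == NULL` and then hands it to X509_get_ext_by_NID. Decode into a local, replace the old object only on success, and fail the malloc paths the way the other error paths do (rewrite below). The STACK_OF(X509_EXTENSION) returned by X509_REQ_get_extensions(req) is also never released; X509_add_ext copies each extension, so the caller should `sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)` afterwards. Likewise not_before and not_after are never freed after util_X509_set1_notBefore/notAfter, which on OpenSSL 1.1 store a copy. The X509_sign call before cm_submit_o_set_things ignores its return value, so a signing failure is silently carried into the re-encode.
```c
	X509 *decoded;
	/* … unchanged: arena setup, signer encode/decode … */
	p = q = malloc(length);
	if (p == NULL) {
		cm_log(1, "Out of memory encoding cert.");
		PORT_FreeArena(arena, PR_TRUE);
		return;
	}
	/* … unchanged: encode, decode, set subjectID/issuerID, re-encode … */
	d = item.data;
	decoded = d2i_X509(NULL, &d, item.len);
	if (decoded == NULL) {
		cm_log(1, "Error re-decoding cert.");
		PORT_FreeArena(arena, PR_TRUE);
		return;
	}
	/* Only now give up the caller's original certificate. */
	X509_free(*cert);
	*cert = decoded;
```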

file modified
+1 -2
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2014 Red Hat, Inc.

+  * Copyright (C) 2014,2015 Red Hat, Inc.

   *

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -19,7 +19,6 @@ 

  #define cmsubmito_h

  

  SECOidTag cm_submit_n_tag_from_nid(int nid);

- int cm_submit_n_nid_from_tag(SECOidTag tag);

  

  int cm_submit_o_sign(void *parent, char *csr,

  		     X509 *signer, EVP_PKEY *signer_key,

file modified
+1 -1
@@ -761,7 +761,7 @@ 

  main(int argc, const char **argv)

  {

  	int i, j, c, ret, k5 = FALSE, make_ccache = TRUE, verbose = 0;

- 	int64_t i8;

+ 	xmlrpc_int64 i8;

  	int32_t i32;

  	const char *uri = NULL, *method = NULL, *ktname = NULL, *kpname = NULL;

  	const char *s, *cainfo = NULL, *capath = NULL, *csrfile, *dictval;

file modified
+1 -1
@@ -882,7 +882,7 @@ 

  		} else

  #endif

  #ifdef HAVE_OPENSSL

- 		if (!RAND_pseudo_bytes(uuid, sizeof(uuid))) {

+ 		if (!RAND_bytes(uuid, sizeof(uuid))) {

  			/* Try again sometime later. */

  			cm_log(1, "Error generating UUID.\n");

  			talloc_free(tdb);

file modified
+4 -1
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2009,2010,2011,2012 Red Hat, Inc.

+  * Copyright (C) 2009,2010,2011,2012,2014,2015 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -18,6 +18,9 @@ 

  #include "config.h"

  

  #include <sys/types.h>

+ #ifdef HAVE_INTTYPES_H

+ #include <inttypes.h>

+ #endif

  #include <stdint.h>

  #include <stdlib.h>

  #include <string.h>

file modified
+448 -1
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright (C) 2010,2015 Red Hat, Inc.

+  * Copyright (C) 2010,2015,2017 Red Hat, Inc.

   * 

   * This program is free software: you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -22,14 +22,21 @@ 

  #include <errno.h>

  #include <fcntl.h>

  #include <grp.h>

+ #ifdef HAVE_INTTYPES_H

+ #include <inttypes.h>

+ #endif

  #include <pwd.h>

+ #include <stdint.h>

  #include <string.h>

  #include <unistd.h>

  

  #include <dbus/dbus.h>

  

  #include <openssl/bn.h>

+ #include <openssl/evp.h>

  #include <openssl/ssl.h>

+ #include <openssl/x509.h>

+ #include <openssl/x509v3.h>

  

  #include "cm.h"

  #include "log.h"
@@ -149,3 +156,443 @@ 

  	util_set_fd_owner_perms(certfd, filename, entry->cm_cert_owner,

  				entry->cm_cert_perms);

  }

+ 

+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L

+ int

+ util_o_cert_cmp(const X509 *const *a, const X509 *const *b)

+ {

+ 	return X509_cmp(*a, *b);

+ }

+ #else

+ int

+ util_o_cert_cmp(const void *a, const void *b)

+ {

+ 	X509 * const *x, * const *y;

+ 

+ 	x = a;

+ 	y = b;

+ 	return X509_cmp(*x, *y);

+ }

+ #endif

+ 

+ ASN1_BIT_STRING *

+ util_ASN1_BIT_STRING_new(void)

+ {

+ #ifdef HAVE_ASN1_BIT_STRING_NEW

+ 	return ASN1_BIT_STRING_new();

+ #else

+ 	return M_ASN1_BIT_STRING_new();

+ #endif

+ }

+ 

+ ASN1_GENERALIZEDTIME *

+ util_ASN1_GENERALIZEDTIME_new(void)

+ {

+ #ifdef HAVE_ASN1_GENERALIZEDTIME_NEW

+ 	return ASN1_GENERALIZEDTIME_new();

+ #else

+ 	return M_ASN1_GENERALIZEDTIME_new();

+ #endif

+ }

+ 

+ ASN1_IA5STRING *

+ util_ASN1_IA5STRING_new(void)

+ {

+ #ifdef HAVE_ASN1_IA5STRING_NEW

+ 	return ASN1_IA5STRING_new();

+ #else

+ 	return M_ASN1_IA5STRING_new();

+ #endif

+ }

+ 

+ ASN1_INTEGER *

+ util_ASN1_INTEGER_new(void)

+ {

+ #ifdef HAVE_ASN1_INTEGER_NEW

+ 	return ASN1_INTEGER_new();

+ #else

+ 	return M_ASN1_INTEGER_new();

+ #endif

+ }

+ 

+ ASN1_OCTET_STRING *

+ util_ASN1_OCTET_STRING_new(void)

+ {

+ #ifdef HAVE_ASN1_OCTET_STRING_NEW

+ 	return ASN1_OCTET_STRING_new();

+ #else

+ 	return M_ASN1_OCTET_STRING_new();

+ #endif

+ }

+ 

+ int

+ util_ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, const unsigned char *data,

+ 			   int len)

+ {

+ #ifdef HAVE_ASN1_OCTET_STRING_SET

+ 	return ASN1_OCTET_STRING_set(str, data, len);

+ #else

+ 	return M_ASN1_OCTET_STRING_set(str, data, len);

+ #endif

+ }

+ 

+ ASN1_PRINTABLESTRING *

+ util_ASN1_PRINTABLESTRING_new(void)

+ {

+ #ifdef HAVE_ASN1_PRINTABLESTRING_NEW

+ 	return ASN1_PRINTABLESTRING_new();

+ #else

+ 	return M_ASN1_PRINTABLESTRING_new();

+ #endif

+ }

+ 

+ const unsigned char *

+ util_ASN1_STRING_get0_data(const ASN1_STRING *x)

+ {

+ #ifdef HAVE_ASN1_STRING_GET0_DATA

+ 	return ASN1_STRING_get0_data(x);

+ #elif defined(HAVE_ASN1_STRING_GET_DATA)

+ 	return ASN1_STRING_get_data(x);

+ #else

+ 	return M_ASN1_STRING_data(x);

+ #endif

+ }

+ 

+ int

+ util_ASN1_STRING_length(const ASN1_STRING *x)

+ {

+ #ifdef HAVE_ASN1_STRING_LENGTH

+ 	return ASN1_STRING_length(x);

+ #else

+ 	return M_ASN1_STRING_length(x);

+ #endif

+ }

+ 

+ ASN1_STRING *

+ util_ASN1_STRING_new(void)

+ {

+ #ifdef HAVE_ASN1_STRING_NEW

+ 	return ASN1_STRING_new();

+ #else

+ 	return M_ASN1_STRING_new();

+ #endif

+ }

+ 

+ ASN1_TIME *

+ util_ASN1_TIME_dup(ASN1_TIME *t)

+ {

+ 	unsigned char *p, *pp;

+ 	const unsigned char *cp;

+ 	long len;

+ 

+ 	len = i2d_ASN1_TIME(t, NULL);

+ 	p = malloc(len);

+ 	if (p != NULL) {

+ 		pp = p;

+ 		if (i2d_ASN1_TIME(t, &pp) < 0) {

+ 			free(p);

+ 			return NULL;

+ 		}

+ 		cp = p;

+ 		t = d2i_ASN1_TIME(NULL, &cp, len);

+ 		if (cp - p != len) {

+ 			t = NULL;

+ 		}

+ 		free(p);

+ 		return t;

+ 	}

+ 	return NULL;

+ }

+ 

+ ASN1_TIME *

+ util_ASN1_TIME_new(void)

+ {

+ #ifdef HAVE_ASN1_TIME_NEW

+ 	return ASN1_TIME_new();

+ #else

+ 	return M_ASN1_TIME_new();

+ #endif

+ }

+ 

+ ASN1_TIME *

+ util_ASN1_TIME_set(ASN1_TIME *str, time_t t)

+ {

+ #ifdef HAVE_ASN1_TIME_SET

+ 	return ASN1_TIME_set(str, t);

+ #else

+ 	return M_ASN1_TIME_set(str, t);

+ #endif

+ }

+ 

+ int

+ util_EVP_PKEY_id(const EVP_PKEY *pkey)

+ {

+ #ifdef HAVE_EVP_PKEY_ID

+ 	return EVP_PKEY_id(pkey);

+ #else

+ 	return pkey->type;

+ #endif

+ }

+ 

+ int

+ util_EVP_PKEY_base_id(const EVP_PKEY *pkey)

+ {

+ #ifdef HAVE_EVP_PKEY_BASE_ID

+ 	return EVP_PKEY_base_id(pkey);

+ #else

+ 	return EVP_PKEY_type(util_EVP_PKEY_id(pkey));

+ #endif

+ }

+ 

+ const unsigned char *

+ util_OBJ_get0_data(const ASN1_OBJECT *obj)

+ {

+ #ifdef HAVE_OBJ_GET0_DATA

+ 	return OBJ_get0_data(obj);

+ #else

+ 	return obj->data;

+ #endif

+ }

+ 

+ size_t

+ util_OBJ_length(const ASN1_OBJECT *obj)

+ {

+ #ifdef HAVE_OBJ_LENGTH

+ 	return OBJ_length(obj);

+ #else

+ 	return obj->length;

+ #endif

+ }

+ 

+ ASN1_OBJECT *

+ util_X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *a)

+ {

+ #ifdef HAVE_X509_ATTRIBUTE_GET0_OBJECT

+ 	return X509_ATTRIBUTE_get0_object(a);

+ #else

+ 	return a->object;

+ #endif

+ }

+ 

+ const ASN1_TIME *

+ util_X509_get0_notAfter(X509 *x)

+ {

+ #ifdef HAVE_X509_GET0_NOTAFTER

+ 	return X509_get0_notAfter(x);

+ #else

+ 	return x->cert_info->validity->notAfter;

+ #endif

+ }

+ 

+ EVP_PKEY *

+ util_X509_get0_pubkey(X509 *cert)

+ {

+ #ifdef HAVE_X509_GET0_PUBKEY

+ 	return X509_get0_pubkey(cert);

+ #else

+ 	return X509_PUBKEY_get(cert->cert_info->key);

+ #endif

+ }

+ 

+ const ASN1_INTEGER *

+ util_X509_get0_serialNumber(X509 *cert)

+ {

+ #ifdef HAVE_X509_GET0_SERIALNUMBER

+ 	return X509_get0_serialNumber(cert);

+ #else

+ 	return cert->cert_info->serialNumber;

+ #endif

+ }

+ 

+ X509_NAME *

+ util_X509_get0_issuer_name(X509 *x)

+ {

+ #ifdef HAVE_X509_GET_ISSUER_NAME

+ 	return X509_get_issuer_name(x);

+ #else

+ 	return x->cert_info->issuer;

+ #endif

+ }

+ 

+ uint32_t

+ util_X509_get_key_usage(X509 *x)

+ {

+ #ifdef HAVE_X509_GET_KEY_USAGE

+ 	return X509_get_key_usage(x);

+ #else

+ 	/* Call for side-effect of computing hash and caching extensions */

+ 	X509_check_purpose(x, -1, -1);

+ 	return x->ex_kusage;

+ #endif

+ }

+ 

+ X509_NAME *

+ util_X509_get0_subject_name(X509 *x)

+ {

+ #ifdef HAVE_X509_GET_SUBJECT_NAME

+ 	return X509_get_subject_name(x);

+ #else

+ 	return x->cert_info->subject;

+ #endif

+ }

+ 

+ EVP_PKEY *

+ util_X509_REQ_get0_pubkey(X509_REQ *req)

+ {

+ #ifdef HAVE_X509_REQ_GET0_PUBKEY

+ 	return X509_REQ_get0_pubkey(req);

+ #else

+ 	return X509_PUBKEY_get(req->req_info->pubkey);

+ #endif

+ }

+ 

+ void

+ util_X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,

+ 			     const X509_ALGOR **palg)

+ {

+ #ifdef HAVE_X509_REQ_GET0_SIGNATURE

+ 	X509_REQ_get0_signature(req, psig, palg);

+ #else

+ 	if (psig != NULL) {

+ 		*psig = req->signature;

+ 	}

+ 	if (palg != NULL) {

+ 		*palg = req->sig_alg;

+ 	}

+ #endif

+ }

+ 

+ int

+ util_X509_set_pubkey(X509 *cert, EVP_PKEY *pkey)

+ {

+ 	return X509_set_pubkey(cert, pkey);

+ }

+ 

+ int

+ util_X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name)

+ {

+ #ifdef HAVE_X509_REQ_SET_SUBJECT_NAME

+ 	return X509_REQ_set_subject_name(req, name);

+ #else

+ 	return X509_NAME_set(&req->req_info->subject, name);

+ #endif

+ }

+ 

+ int

+ util_X509_set1_notAfter(X509 *x, ASN1_TIME *tm)

+ {

+ #ifdef HAVE_X509_SET1_NOTAFTER

+ 	return X509_set1_notAfter(x, tm);

+ #else

+ 	if (x != NULL) {

+ 		x->cert_info->validity->notAfter = tm;

+ 		return 1;

+ 	}

+ 	return 0;

+ #endif

+ }

+ 

+ int

+ util_X509_set1_notBefore(X509 *x, ASN1_TIME *tm)

+ {

+ #ifdef HAVE_X509_SET1_NOTBEFORE

+ 	return X509_set1_notBefore(x, tm);

+ #else

+ 	if (x != NULL) {

+ 		x->cert_info->validity->notBefore = tm;

+ 		return 1;

+ 	}

+ 	return 0;

+ #endif

+ }

+ 

+ int

+ util_X509_set_issuer_name(X509 *x, X509_NAME *name)

+ {

+ #ifdef HAVE_X509_SET_ISSUER_NAME

+ 	return X509_set_issuer_name(x, name);

+ #else

+ 	return X509_NAME_set(&x->cert_info->issuer, name);

+ #endif

+ }

+ 

+ int

+ util_X509_set_subject_name(X509 *x, X509_NAME *name)

+ {

+ #ifdef HAVE_X509_SET_SUBJECT_NAME

+ 	return X509_set_subject_name(x, name);

+ #else

+ 	return X509_NAME_set(&x->cert_info->subject, name);

+ #endif

+ }

+ 

+ int

+ util_X509_set1_version(X509 *x, ASN1_INTEGER *version)

+ {

+ #ifdef HAVE_X509_CERT_INFO

+ 	x->cert_info->version = ASN1_INTEGER_dup(version);

+ 	return x->cert_info->version != NULL;

+ #else

+ 	return X509_set_version(x, ASN1_INTEGER_get(version));

+ #endif

+ }

+ 

+ void

+ util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg)

+ {

+ #ifdef CM_NETSCAPE_SPKI_SIG_ALGOR_IS_POINTER

+ 	spki->sig_algor = X509_ALGOR_dup((X509_ALGOR *)sig_alg);

+ #else

+ 	spki->sig_algor = *X509_ALGOR_dup((X509_ALGOR *)sig_alg);

+ #endif

+ }

+ 

+ static EVP_PKEY *

+ util_EVP_PKEY_dup(EVP_PKEY *pkey,

+ 		  int (*i2d)(EVP_PKEY *, unsigned char **),

+ 		  EVP_PKEY *(*d2i)(int, EVP_PKEY **, const unsigned char **, long))

+ {

+ 	EVP_PKEY *k;

+ 	unsigned char *p, *q;

+ 	const unsigned char *d;

+ 	int l, len;

+ 

+ 	l = i2d(pkey, NULL);

+ 	if (l < 0) {

+ 		cm_log(1, "Error determining size of key.");

+ 		return NULL;

+ 	}

+ 	p = q = malloc(l);

+ 	if (p == NULL) {

+ 		cm_log(1, "Out of memory copying key.");

+ 		return NULL;

+ 	}

+ 	len = i2d(pkey, &q);

+ 	if (len != l) {

+ 		cm_log(1, "Unexpected error copying key.");

+ 		memset(p, 0, l);

+ 		free(p);

+ 		return NULL;

+ 	}

+ 	d = p;

+ 	k = d2i(util_EVP_PKEY_base_id(pkey), NULL, &d, len);

+ 	memset(p, 0, l);

+ 	free(p);

+ 	if (k == NULL) {

+ 		cm_log(1, "Unexpected error decoding copy of key.");

+ 		return NULL;

+ 	}

+ 	return k;

+ }

+ 

+ EVP_PKEY *

+ util_public_EVP_PKEY_dup(EVP_PKEY *pkey)

+ {

+ 	return util_EVP_PKEY_dup(pkey, i2d_PublicKey, d2i_PublicKey);

+ }

+ 

+ EVP_PKEY *

+ util_private_EVP_PKEY_dup(EVP_PKEY *pkey)

+ {

+ 	return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey);

+ }
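Review bot: util_X509_set1_notBefore and util_X509_set1_notAfter do not have the same ownership contract on their two branches: X509_set1_notBefore/notAfter store a copy and leave tm with the caller, whereas the pre-1.1 fallback stores tm itself and overwrites the X509's existing notBefore/notAfter pointer without freeing it, so no caller can be both leak-free and double-free-safe on both builds. Make the fallback copy as well (rewrite of notBefore below; notAfter is identical). Separately, util_EVP_PKEY_dup wipes the DER buffer that may hold a private key with `memset(p, 0, l)` immediately before `free(p)`, a dead store the compiler may drop; use `OPENSSL_cleanse(p, l)`. A comment on util_X509_get0_pubkey/util_X509_REQ_get0_pubkey is also needed: on OpenSSL < 1.1 they call X509_PUBKEY_get, which returns a new reference, so a caller treating the result as borrowed (as get0 implies) leaks it there. util_NETSCAPE_SPKI_set_sig_alg dereferences the X509_ALGOR_dup result without a NULL check in the non-pointer branch and never frees that duplicate.
```c
int
util_X509_set1_notBefore(X509 *x, ASN1_TIME *tm)
{
#ifdef HAVE_X509_SET1_NOTBEFORE
	return X509_set1_notBefore(x, tm);
#else
	ASN1_TIME *copy;

	if (x == NULL || tm == NULL) {
		return 0;
	}
	/* Match X509_set1_notBefore(): the X509 owns a copy, the caller keeps tm. */
	copy = util_ASN1_TIME_dup(tm);
	if (copy == NULL) {
		return 0;
	}
	ASN1_TIME_free(x->cert_info->validity->notBefore);
	x->cert_info->validity->notBefore = copy;
	return 1;
#endif
}
```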

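--- a/src/util-o.h
+++ b/src/util-o.h
@@ -29,5 +29,47 @@
 				 struct cm_store_entry *entry);
 void util_set_fd_entry_cert_owner(int certfd, const char *filename,
 				  struct cm_store_entry *entry);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+int util_o_cert_cmp(const X509 *const *a, const X509 *const *b);
+#else
+int util_o_cert_cmp(const void *a, const void *b);
+#endif
+
+ASN1_BIT_STRING *util_ASN1_BIT_STRING_new(void);
+ASN1_GENERALIZEDTIME *util_ASN1_GENERALIZEDTIME_new(void);
+ASN1_IA5STRING *util_ASN1_IA5STRING_new(void);
+ASN1_INTEGER *util_ASN1_INTEGER_new(void);
+ASN1_OCTET_STRING *util_ASN1_OCTET_STRING_new(void);
+int util_ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, const unsigned char *data, int len);
+ASN1_PRINTABLESTRING *util_ASN1_PRINTABLESTRING_new(void);
+const unsigned char *util_ASN1_STRING_get0_data(const ASN1_STRING *x);
+int util_ASN1_STRING_length(const ASN1_STRING *x);
+ASN1_STRING *util_ASN1_STRING_new(void);
+ASN1_TIME *util_ASN1_TIME_dup(ASN1_TIME *t);
+ASN1_TIME *util_ASN1_TIME_new(void);
+ASN1_TIME *util_ASN1_TIME_set(ASN1_TIME *str, time_t t);
+int util_EVP_PKEY_base_id(const EVP_PKEY *pkey);
+int util_EVP_PKEY_id(const EVP_PKEY *pkey);
+const unsigned char *util_OBJ_get0_data(const ASN1_OBJECT *obj);
+size_t util_OBJ_length(const ASN1_OBJECT *obj);
+ASN1_OBJECT *util_X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *a);
+const ASN1_TIME *util_X509_get0_notAfter(X509 *x);
+EVP_PKEY *util_X509_get0_pubkey(X509 *cert);
+const ASN1_INTEGER *util_X509_get0_serialNumber(X509 *cert);
+X509_NAME *util_X509_get0_issuer_name(X509 *x);
+uint32_t util_X509_get_key_usage(X509 *x);
+X509_NAME *util_X509_get0_subject_name(X509 *x);
+EVP_PKEY *util_X509_REQ_get0_pubkey(X509_REQ *req);
+void util_X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg);
+int util_X509_set_pubkey(X509 *cert, EVP_PKEY *pkey);
+int util_X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
+int util_X509_set1_notAfter(X509 *x, ASN1_TIME *tm);
+int util_X509_set1_notBefore(X509 *x, ASN1_TIME *tm);
+int util_X509_set_issuer_name(X509 *x, X509_NAME *name);
+int util_X509_set_subject_name(X509 *x, X509_NAME *name);
+int util_X509_set1_version(X509 *x, ASN1_INTEGER *version);
+void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg);
+EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey);
+EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey);
 
 #endif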
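Review bot: `util_NETSCAPE_SPKI_set_sig_alg` is declared `void` here (`void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg);`), so the implementation shown earlier on this page cannot report a failed `X509_ALGOR_dup()`: its non-pointer branch dereferences the result (`*X509_ALGOR_dup(...)`) with no NULL check, which is a crash on allocation failure, and then leaks the heap wrapper it copied from, while the pointer branch overwrites whatever `spki->sig_algor` already held (presumably an allocated object when `spki` came from `NETSCAPE_SPKI_new()`). Change the declaration to `int util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg);` returning 1 on success and 0 when the copy fails, and rewrite the body as below so both branches check the copy and free what they replace. Separately, `util_private_EVP_PKEY_dup` (also declared in this hunk) goes through `util_EVP_PKEY_dup`, which wipes the DER encoding of the private key with plain `memset()` immediately before `free()`; a compiler may drop that dead store, so `OPENSSL_cleanse(p, l)` is the right call at both wipe sites.
```c
int
util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg)
{
	X509_ALGOR *copy = X509_ALGOR_dup((X509_ALGOR *)sig_alg);

	if (copy == NULL) {
		return 0;
	}
#ifdef CM_NETSCAPE_SPKI_SIG_ALGOR_IS_POINTER
	X509_ALGOR_free(spki->sig_algor);
	spki->sig_algor = copy;
#else
	/* Embedded struct: the members move into spki; release only the shell. */
	spki->sig_algor = *copy;
	OPENSSL_free(copy);
#endif
	return 1;
}
```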

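--- a/tests/003-csrgen-dsa/run.sh
+++ b/tests/003-csrgen-dsa/run.sh
@@ -12,7 +12,7 @@
 	-x -t u -k dsa
 # Export the key.
 pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
-openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
+openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | grep -v '^MAC verified OK$' || :
 # Read the public key and cache it.
 cat > entry.openssl.$size <<- EOF
 key_storage_type=FILE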
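Review bot: The filter added to the `openssl pkcs12` line is dead here and in tests/003-csrgen-ec/run.sh: `> /dev/null 2>&1` is applied before the pipe, so grep never sees the `MAC verified OK` line it is meant to drop, and the only effect of the change is that the line's status is now grep's exit code (1 on empty input) forced to 0 by `|| :`. The same status masking applies to the rsa and csrgen variants of run.sh further down this page, where the output does reach grep but a failing `openssl pkcs12` can no longer fail the script. If the rsa form is what was intended, drop the redirection: `openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )`; if the output is meant to stay silenced, the original line without the pipe already did that. Whether the lost exit status matters depends on whether these scripts run under `set -e`, which is not visible in the hunk.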

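--- a/tests/003-csrgen-ec/run.sh
+++ b/tests/003-csrgen-ec/run.sh
@@ -13,7 +13,7 @@
 	-x -t u -k ec -q $size
 # Export the key.
 pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
-openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
+openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )
 # Read the public key and cache it.
 cat > entry.openssl.$size <<- EOF
 key_storage_type=FILE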

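--- a/tests/003-csrgen-rsa/expected.out
+++ b/tests/003-csrgen-rsa/expected.out
@@ -1,21 +1,16 @@
 pk12util: PKCS12 EXPORT SUCCESSFUL
-MAC verified OK
 1024 OK.
 Signature OK
 pk12util: PKCS12 EXPORT SUCCESSFUL
-MAC verified OK
 1536 OK.
 Signature OK
 pk12util: PKCS12 EXPORT SUCCESSFUL
-MAC verified OK
 2048 OK.
 Signature OK
 pk12util: PKCS12 EXPORT SUCCESSFUL
-MAC verified OK
 3072 OK.
 Signature OK
 pk12util: PKCS12 EXPORT SUCCESSFUL
-MAC verified OK
 4096 OK.
 Signature OK
 The last CSR (the one with everything) was: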

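--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -12,7 +12,7 @@
 		-x -t u -k rsa
 	# Export the key.
 	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
-	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1
+	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )
 	# Read the public key and cache it.
 	cat > entry.openssl.$size <<- EOF
 	key_storage_type=FILE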

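--- a/tests/003-csrgen/expected.out
+++ b/tests/003-csrgen/expected.out
@@ -1,25 +1,20 @@
 pk12util: PKCS12 EXPORT SUCCESSFUL
-MAC verified OK
 Signature OK
 minicert.openssl.1024.pem: OK
 1024 OK.
 pk12util: PKCS12 EXPORT SUCCESSFUL
-MAC verified OK
 Signature OK
 minicert.openssl.1536.pem: OK
 1536 OK.
 pk12util: PKCS12 EXPORT SUCCESSFUL
-MAC verified OK
 Signature OK
 minicert.openssl.2048.pem: OK
 2048 OK.
 pk12util: PKCS12 EXPORT SUCCESSFUL
-MAC verified OK
 Signature OK
 minicert.openssl.3072.pem: OK
 3072 OK.
 pk12util: PKCS12 EXPORT SUCCESSFUL
-MAC verified OK
 Signature OK
 minicert.openssl.4096.pem: OK
 4096 OK.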

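--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -12,7 +12,7 @@
 		-x -t u
 	# Export the key.
 	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
-	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1
+	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : )
 	# Read the public key and cache it.
 	cat > entry.openssl.$size <<- EOF
 	key_storage_type=FILE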

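--- a/tests/026-local/expected.out
+++ b/tests/026-local/expected.out
@@ -3,7 +3,7 @@
 [csr]
 Certificate Request:
     Data:
-        Version: 0 (0x0)
+        Version: 1 (0x0)
         Subject: CN=Babs Jensen's Signer
         Attributes:
             friendlyName             :unable to print attribute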

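--- a/tests/026-local/run.sh
+++ b/tests/026-local/run.sh
@@ -17,6 +17,8 @@
 template_no_ocsp_check=1
 EOF
 filter() {
+	sed -re 's,Version: 0 \(0x0\),Version: 1 (0x0),g' |\
+	sed -re 's,CN = ,CN=,g' |\
 	sed -re 's,CN=[[:xdigit:]]{8}-[[:xdigit:]]{8}-[[:xdigit:]]{8}-[[:xdigit:]]{8},CN=$UUID,g' |\
 	sed -re 's,[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2},(160 bits),g' |\
 	sed s,'^        Signature Algorithm,    Signature Algorithm,g'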
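Review bot: The two sed expressions added at the top of `filter()` need a comment saying why they exist, because the hunk gives no hint: the expected-output change elsewhere in this PR turns `Version: 0 (0x0)` into `Version: 1 (0x0)`, and the `CN = ` to `CN=` rewrite presumably folds the name-printing format of a newer OpenSSL into the older one. A one-line comment above them, such as `# Normalize version and name-component formatting differences between OpenSSL releases.`, would keep a later reader from "fixing" them away. The enclosing `filter()` function continues past the end of the hunk.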

The added file is too large to be shown here, see it at: tests/028-dbus/expected.out.nodsa
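--- a/tests/tools/csrgen.c
+++ b/tests/tools/csrgen.c
@@ -52,6 +52,11 @@
 	int fd, ret, i;
 	void *parent;
 	char *p;
+
+	/* Make minicerts claim to be v3 so that OpenSSL won't skip the version
+	 * number field, which is optional, because we default to the spec's
+	 * default value. */
+	cm_csrgen_version_for_testing_minicerts = 2;
 	cm_log_set_method(cm_log_stderr);
 	cm_log_set_level(3);
 	cm_set_fips_from_env();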

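--- a/tests/tools/json-utf8.c
+++ b/tests/tools/json-utf8.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Red Hat, Inc.
+ * Copyright (C) 2015,2017 Red Hat, Inc.
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -19,6 +19,9 @@
 
 #include <sys/types.h>
 #include <errno.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
 #include <stdio.h>
 #include <stdint.h>
 #include <stdlib.h>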

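--- a/tests/tools/json.c
+++ b/tests/tools/json.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Red Hat, Inc.
+ * Copyright (C) 2015,2017 Red Hat, Inc.
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,6 +21,9 @@
 #include <sys/stat.h>
 #include <errno.h>
 #include <fcntl.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
 #include <stdio.h>
 #include <stdint.h>
 #include <stdlib.h>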

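--- a/tests/tools/pk7decrypt.c
+++ b/tests/tools/pk7decrypt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Red Hat, Inc.
+ * Copyright (C) 2015,2017 Red Hat, Inc.
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,7 +21,11 @@
 #include <sys/stat.h>
 #include <errno.h>
 #include <fcntl.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
 #include <limits.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -30,6 +34,8 @@
 
 #include <openssl/err.h>
 #include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
 
 #include "../../src/log.h"
 #include "../../src/pkcs7.h"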
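Review bot: The copyright line in the first hunk drops the file's original year: ` * Copyright (C) 2014 Red Hat, Inc.` becomes ` * Copyright (C) 2015,2017 Red Hat, Inc.`, which reads like a copy of the json tools' header (those started at 2015), and the same substitution appears in tests/tools/pk7verify.c below. The year should be kept, as srv.c does (`2014,2015,2017`), for example ` * Copyright (C) 2014,2017 Red Hat, Inc.`. The `#ifdef HAVE_INTTYPES_H` guard in the second hunk only takes effect if config.h is included before this point; that include is not visible in the hunk (srv.c shows it, this file does not), so it is worth confirming.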

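--- a/tests/tools/pk7verify.c
+++ b/tests/tools/pk7verify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Red Hat, Inc.
+ * Copyright (C) 2015,2017 Red Hat, Inc.
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,7 +21,11 @@
 #include <sys/stat.h>
 #include <errno.h>
 #include <fcntl.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
 #include <limits.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -30,6 +34,8 @@
 
 #include <openssl/err.h>
 #include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
 
 #include "../../src/log.h"
 #include "../../src/pkcs7.h"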

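--- a/tests/tools/srv.c
+++ b/tests/tools/srv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014,2015 Red Hat, Inc.
+ * Copyright (C) 2014,2015,2017 Red Hat, Inc.
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -18,6 +18,9 @@
 #include "../../src/config.h"
 
 #include <sys/types.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
 #include <limits.h>
 #include <stdint.h>
 #include <stdio.h>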

This includes a number of patches, some from Lukas Slebodnik and Tomas Mraz, either directly or as portions of patches from ticket #64.

Pull-Request has been merged by nalin

7 years ago
Changes Summary 45
+62 -9
file changed
configure.ac
+2 -2
file changed
src/certsave-o.c
+39 -13
file changed
src/cm.c
+3 -2
file changed
src/csrgen-n.c
+20 -19
file changed
src/csrgen-o.c
+3 -1
file changed
src/csrgen.c
+3 -1
file changed
src/csrgen.h
+4 -0
file changed
src/ipa.c
+4 -1
file changed
src/json.c
+1 -1
file changed
src/keygen-o.c
+3 -3
file changed
src/keyiread-o.c
+12 -8
file changed
src/local.c
+1 -1
file changed
src/main.c
+41 -74
file changed
src/pkcs7.c
+8 -1
file changed
src/prefs-o.c
+4 -0
file changed
src/scep.c
+16 -19
file changed
src/scepgen-n.c
+37 -33
file changed
src/scepgen-o.c
+5 -2
file changed
src/srvloc.c
+2 -0
file changed
src/srvloc.h
+11 -19
file changed
src/store-files.c
+4 -1
file changed
src/submit-e.c
+21 -22
file changed
src/submit-n.c
+168 -36
file changed
src/submit-o.c
+1 -2
file changed
src/submit-o.h
+1 -1
file changed
src/submit-x.c
+1 -1
file changed
src/tdbus.c
+4 -1
file changed
src/tdbusm.c
+448 -1
file changed
src/util-o.c
+42 -0
file changed
src/util-o.h
+1 -1
file changed
tests/003-csrgen-dsa/run.sh
+1 -1
file changed
tests/003-csrgen-ec/run.sh
+0 -5
file changed
tests/003-csrgen-rsa/expected.out
+1 -1
file changed
tests/003-csrgen-rsa/run.sh
+0 -5
file changed
tests/003-csrgen/expected.out
+1 -1
file changed
tests/003-csrgen/run.sh
+1 -1
file changed
tests/026-local/expected.out
+2 -0
file changed
tests/026-local/run.sh
+1038
file added
tests/028-dbus/expected.out.nodsa
+5 -0
file changed
tests/tools/csrgen.c
+4 -1
file changed
tests/tools/json-utf8.c
+4 -1
file changed
tests/tools/json.c
+7 -1
file changed
tests/tools/pk7decrypt.c
+7 -1
file changed
tests/tools/pk7verify.c
+4 -1
file changed
tests/tools/srv.c