From d754e7f1291165088758ae7837341bde75d4887c Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Oct 13 2010 17:40:44 +0000 Subject: - turn off populating unique IDs by default, tag 0.32 --- diff --git a/certmonger.spec b/certmonger.spec index 843c60c..19a38ab 100644 --- a/certmonger.spec +++ b/certmonger.spec @@ -1,5 +1,5 @@ Name: certmonger -Version: 0.31 +Version: 0.32 Release: 1%{?dist} Summary: Certificate status monitor and PKI enrollment client @@ -104,6 +104,10 @@ exit 0 %{_localstatedir}/lib/certmonger %changelog +* Wed Oct 13 2010 Nalin Dahyabhai 0.32-1 +- oops, rfc5280 says we shouldn't be populating unique identifiers, so + make it a configuration option and default the behavior to off + * Tue Oct 12 2010 Nalin Dahyabhai 0.31-1 - start populating the optional unique identifier fields in self-signed certificates diff --git a/configure.ac b/configure.ac index c65982f..3cbcd38 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT(certmonger,0.31) +AC_INIT(certmonger,0.32) AM_INIT_AUTOMAKE([foreign]) AC_CONFIG_MACRO_DIR(m4) AM_MAINTAINER_MODE @@ -320,8 +320,11 @@ if pkg-config uuid ; then fi ]) if test x$uuid = xyes ; then - AC_DEFINE(HAVE_UUID,1,[Define to populate subjectUniqueID in self-signed certs.]) + AC_DEFINE(HAVE_UUID,1,[Define to have the ability to populate subjectUniqueID in self-signed certs.]) fi +CM_DEFAULT_POPULATE_UNIQUE_ID=no +AC_SUBST(CM_DEFAULT_POPULATE_UNIQUE_ID) +AC_DEFINE_UNQUOTED(CM_DEFAULT_POPULATE_UNIQUE_ID,"$CM_DEFAULT_POPULATE_UNIQUE_ID",[Define to the default for the selfsign/populate_unique_id configuration setting.]) AM_CONDITIONAL(HAVE_UUID,test x$uuid = xyes) AC_SUBST(UUID_CFLAGS) AC_SUBST(UUID_LIBS) diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in index 5dce180..346a63e 100644 --- a/src/certmonger.conf.5.in +++ b/src/certmonger.conf.5.in @@ -52,6 +52,12 @@ specified as a combination of years (y), months (M), weeks (w), days (d), hours (h), minutes (m), and/or seconds (s). If no unit of time is specified, seconds are assumed. The default value is \fI@CM_DEFAULT_CERT_LIFETIME@\fR. +.IP populate_unique_id +This controls whether or not self-signed certificates will have their +subjectUniqueID and issuerUniqueID fields populated. While RFC5280 prohibits +their use, they may be needed and/or used by older applications. The default +value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR. + .SH BUGS Please file tickets for any that you find at https://fedorahosted.org/certmonger/ diff --git a/src/prefs.c b/src/prefs.c index 92d0f73..72b2546 100644 --- a/src/prefs.c +++ b/src/prefs.c @@ -250,6 +250,43 @@ cm_prefs_validity_period(void) return period; } +static const char * +yes_words[] = {"yes", "y", "true", "t", "1"}; + +static const char * +no_words[] = {"no", "n", "false", "f", "0"}; + +int +cm_prefs_populate_unique_id(void) +{ + static int populate = -1; + if (populate == -1) { + const char *val; + val = cm_prefs_config("selfsign", "populate_unique_id"); + if (val == NULL) { + val = CM_DEFAULT_POPULATE_UNIQUE_ID; + } + if (val != NULL) { + unsigned int i; + for (i = 0; + i < sizeof(yes_words) / sizeof(yes_words[0]); + i++) { + if (strcasecmp(yes_words[i], val) == 0) { + populate = 1; + } + } + for (i = 0; + i < sizeof(no_words) / sizeof(no_words[0]); + i++) { + if (strcasecmp(no_words[i], val) == 0) { + populate = 0; + } + } + } + } + return populate; +} + int cm_prefs_monitor(void) { diff --git a/src/prefs.h b/src/prefs.h index cb8dac3..6d2d10d 100644 --- a/src/prefs.h +++ b/src/prefs.h @@ -41,7 +41,8 @@ enum cm_notification_method cm_prefs_notification_method(void); const char *cm_prefs_notification_destination(void); const char *cm_prefs_default_ca(void); const char *cm_prefs_validity_period(void); -int cm_prefs_monitor(); -int cm_prefs_autorenew(); +int cm_prefs_monitor(void); +int cm_prefs_autorenew(void); +int cm_prefs_populate_unique_id(void); #endif diff --git a/src/submit-sn.c b/src/submit-sn.c index 5578e51..be8c21d 100644 --- a/src/submit-sn.c +++ b/src/submit-sn.c @@ -206,17 +206,19 @@ cm_submit_sn_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, ucert->subject = req->subject; ucert->subjectPublicKeyInfo = req->subjectPublicKeyInfo; #ifdef HAVE_UUID - ucert->subjectID.data = PORT_ArenaZAlloc(arena, 16); - if (ucert->subjectID.data != NULL) { - if (cm_submit_uuid_new(ucert->subjectID.data) == 0) { - ucert->subjectID.len = 16 * 8; + if (cm_prefs_populate_unique_id()) { + ucert->subjectID.data = PORT_ArenaZAlloc(arena, 16); + if (ucert->subjectID.data != NULL) { + if (cm_submit_uuid_new(ucert->subjectID.data) == 0) { + ucert->subjectID.len = 16 * 8; + } else { + ucert->subjectID.data = NULL; + } } else { - ucert->subjectID.data = NULL; + ucert->subjectID.len = 0; } - } else { - ucert->subjectID.len = 0; + ucert->issuerID = ucert->subjectID; } - ucert->issuerID = ucert->subjectID; #endif /* Try to copy the extensions from the request into the certificate. */ for (i = 0; diff --git a/src/submit-so.c b/src/submit-so.c index cf7f7bf..2ea2a01 100644 --- a/src/submit-so.c +++ b/src/submit-so.c @@ -130,13 +130,15 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, seriali = d2i_ASN1_INTEGER(NULL, &serialtmp, seriall); X509_set_serialNumber(cert, seriali); #ifdef HAVE_UUID - if (cm_submit_uuid_new(uuid) == 0) { - cert->cert_info->subjectUID = M_ASN1_BIT_STRING_new(); - if (cert->cert_info->subjectUID != NULL) { - ASN1_BIT_STRING_set(cert->cert_info->subjectUID, uuid, 16); - cert->cert_info->issuerUID = M_ASN1_BIT_STRING_new(); - if (cert->cert_info->issuerUID != NULL) { - ASN1_BIT_STRING_set(cert->cert_info->issuerUID, uuid, 16); + if (cm_prefs_populate_unique_id()) { + if (cm_submit_uuid_new(uuid) == 0) { + cert->cert_info->subjectUID = M_ASN1_BIT_STRING_new(); + if (cert->cert_info->subjectUID != NULL) { + ASN1_BIT_STRING_set(cert->cert_info->subjectUID, uuid, 16); + cert->cert_info->issuerUID = M_ASN1_BIT_STRING_new(); + if (cert->cert_info->issuerUID != NULL) { + ASN1_BIT_STRING_set(cert->cert_info->issuerUID, uuid, 16); + } } } }