From e92b21d84a0166cee33a00c5475916c4bd61979e Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Jan 06 2022 20:07:13 +0000 Subject: Don't include "NEW" in certificate signing requests Per https://datatracker.ietf.org/doc/html/rfc7468#section-7 NEW is still acceptable for parsing but generators should no longer be including it. I also fixed the dbm test cases which no longer execute in the off-chance this gets backported to some distribution that has an NSS version that still supports it. https://pagure.io/certmonger/issue/228 Signed-off-by: Rob Crittenden
---
diff --git a/src/csrgen-n.c b/src/csrgen-n.c
index f8560bc..8d5aa52 100644
--- a/src/csrgen-n.c
+++ b/src/csrgen-n.c
@@ -941,14 +941,14 @@ cm_csrgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 b642 = NSSBase64_EncodeItem(arena, NULL, -1, &espkac);
 b643 = NSSBase64_EncodeItem(arena, NULL, -1, &esminicert);
 if ((b64 != NULL) && (b642 != NULL)) {
- fprintf(status, "-----BEGIN NEW CERTIFICATE REQUEST-----\n");
+ fprintf(status, "-----BEGIN CERTIFICATE REQUEST-----\n");
 p = b64;
 while (*p != '\0') {
 q = p + strcspn(p, "\r\n");
 fprintf(status, "%.*s\n", (int) (q - p), p);
 p = q + strspn(q, "\r\n");
 }
- fprintf(status, "-----END NEW CERTIFICATE REQUEST-----\n");
+ fprintf(status, "-----END CERTIFICATE REQUEST-----\n");
 p = b642;
 while (*p != '\0') {
 q = p + strcspn(p, "\r\n");
diff --git a/src/csrgen-o.c b/src/csrgen-o.c
index e2c59ad..f1091c5 100644
--- a/src/csrgen-o.c
+++ b/src/csrgen-o.c
@@ -345,7 +345,7 @@ cm_csrgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 strlen(password));
 }
 X509_REQ_sign(req, pkey, cm_prefs_ossl_hash());
- PEM_write_X509_REQ_NEW(status, req);
+ PEM_write_X509_REQ(status, req);
 /* Generate the SPKAC. */
 memset(&spkac, 0, sizeof(spkac));
 spkac.challenge = util_ASN1_IA5STRING_new();
diff --git a/tests/013-enckey-dbm/expected.out b/tests/013-enckey-dbm/expected.out
index 087513e..a378cb1 100644
--- a/tests/013-enckey-dbm/expected.out
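Review bot: Nothing at the two `fprintf` label lines in cm_csrgen_n_main records why the label is now plain `CERTIFICATE REQUEST`, so a later edit could restore the old form or change only one of the pair. A comment above the BEGIN line, for example `/* RFC 7468 section 7: emit "CERTIFICATE REQUEST"; "NEW" is accepted only when parsing. */`, would keep the intent next to the code. Not visible in this hunk: whatever reads this stream back from `status`, and any requests stored before the upgrade, presumably need to accept both labels, which is worth confirming. The function body starts and ends outside the hunk.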
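Review bot: The result of `PEM_write_X509_REQ(status, req)` is discarded, as is that of `X509_REQ_sign` on the line before it, so a failed signature or a failed write still lets cm_csrgen_o_main go on to the SPKAC step as if the request had been emitted. Both calls return 0 on failure; a guard such as `if (X509_REQ_sign(req, pkey, cm_prefs_ossl_hash()) == 0 || PEM_write_X509_REQ(status, req) != 1)` followed by the function's usual error exit would keep an unsigned or truncated request from being treated as valid output. How this function reports errors lies outside the hunk, so the bail-out should follow the surrounding code.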
+++ b/tests/013-enckey-dbm/expected.out
@@ -7,8 +7,8 @@ OK.
 -----BEGIN ENCRYPTED PRIVATE KEY-----
 -----END ENCRYPTED PRIVATE KEY-----
 [Generate CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Not Pre-creating database.]
 [Generating key (dbm) with PIN.]
 OK.
@@ -19,8 +19,8 @@ OK (RSA:2048).
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Creating database.]
@@ -33,8 +33,8 @@ OK (RSA:2048).
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Test complete.]
diff --git a/tests/013-enckey-sql/expected.out b/tests/013-enckey-sql/expected.out
index d3a48f8..a0ce867 100644
--- a/tests/013-enckey-sql/expected.out
+++ b/tests/013-enckey-sql/expected.out
@@ -7,8 +7,8 @@ OK.
 -----BEGIN ENCRYPTED PRIVATE KEY-----
 -----END ENCRYPTED PRIVATE KEY-----
 [Generate CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Not Pre-creating database.]
 [Generating key (sql) with PIN.]
 OK.
@@ -19,8 +19,8 @@ OK (RSA:2048).
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Creating database.]
@@ -33,8 +33,8 @@ OK (RSA:2048).
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Test complete.]
diff --git a/tests/013-enckey/expected.out b/tests/013-enckey/expected.out
index cdf0a76..09397fd 100644
--- a/tests/013-enckey/expected.out
+++ b/tests/013-enckey/expected.out
@@ -7,8 +7,8 @@ OK.
 -----BEGIN ENCRYPTED PRIVATE KEY-----
 -----END ENCRYPTED PRIVATE KEY-----
 [Generate CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Not Pre-creating database.]
 [Generating key with PIN.]
 OK.
@@ -19,8 +19,8 @@ OK (RSA:2048).
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Creating database.]
@@ -33,8 +33,8 @@ OK (RSA:2048).
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 < 0> rsa PRIVATE-KEY Test
 [Test complete.]
diff --git a/tests/015-lockedkey-dbm/expected.out b/tests/015-lockedkey-dbm/expected.out
index 1f62bfe..1b54017 100644
--- a/tests/015-lockedkey-dbm/expected.out
+++ b/tests/015-lockedkey-dbm/expected.out
@@ -31,8 +31,8 @@ Failed to read key "$tmpdir/keyfile".
 [Retry With PIN File.]
 OK (RSA:2048).
 [Generate CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Not pre-creating database.]
 [Generating key (dbm) without PIN.]
 OK.
@@ -72,8 +72,8 @@ OK (RSA:2048).
 [Generating CSR Without PIN.]
 [Generating CSR With Bogus PIN Location.]
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Creating database with PIN.]
 [Generating key (dbm) with PIN.]
 OK.
@@ -91,6 +91,6 @@ OK (RSA:2048).
 [Generating CSR Without PIN.]
 [Generating CSR With Bogus PIN Location.]
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Test complete.]
diff --git a/tests/015-lockedkey-sql/expected.out b/tests/015-lockedkey-sql/expected.out
index c118162..587d7af 100644
--- a/tests/015-lockedkey-sql/expected.out
+++ b/tests/015-lockedkey-sql/expected.out
@@ -31,8 +31,8 @@ Failed to read key "$tmpdir/keyfile".
 [Retry With PIN File.]
 OK (RSA:2048).
 [Generate CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Not pre-creating database.]
 [Generating key (sql) without PIN.]
 OK.
@@ -72,8 +72,8 @@ OK (RSA:2048).
 [Generating CSR Without PIN.]
 [Generating CSR With Bogus PIN Location.]
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Creating database with PIN.]
 [Generating key (sql) with PIN.]
 OK.
@@ -91,6 +91,6 @@ OK (RSA:2048).
 [Generating CSR Without PIN.]
 [Generating CSR With Bogus PIN Location.]
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Test complete.]
diff --git a/tests/015-lockedkey/expected.out b/tests/015-lockedkey/expected.out
index 52f2289..2232a56 100644
--- a/tests/015-lockedkey/expected.out
+++ b/tests/015-lockedkey/expected.out
@@ -31,8 +31,8 @@ Failed to read key "$tmpdir/keyfile".
 [Retry With PIN File.]
 OK (RSA:2048).
 [Generate CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Not pre-creating database.]
 [Generating key without PIN.]
 OK.
@@ -72,8 +72,8 @@ OK (RSA:2048).
 [Generating CSR Without PIN.]
 [Generating CSR With Bogus PIN Location.]
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Creating database with PIN.]
 [Generating key with PIN.]
 OK.
@@ -91,6 +91,6 @@ OK (RSA:2048).
 [Generating CSR Without PIN.]
 [Generating CSR With Bogus PIN Location.]
 [Generating CSR With PIN.]
------BEGIN NEW CERTIFICATE REQUEST-----
------END NEW CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+-----END CERTIFICATE REQUEST-----
 [Test complete.]