From a934bf42dad50fac55296af63562180a5a7d8986 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: May 15 2015 20:59:31 +0000
Subject: Only record next-key info when we have a next-key

Only record the number of times we've made requests for a "next key", and its key generation date, if we actually have a key that we're attempting to switch to as part of a larger rekeying operation.

---
diff --git a/src/store-files.c b/src/store-files.c
index 0a0e7c4..cf69767 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -1782,16 +1782,24 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry)
 cm_store_file_write_str(fp, cm_store_entry_field_key_next_pubkey_info,
 entry->cm_key_next_pubkey_info);
- cm_store_file_write_str(fp, cm_store_entry_field_key_generated_date,
- cm_store_timestamp_from_time(entry->cm_key_generated_date,
- timestamp));
- cm_store_file_write_str(fp, cm_store_entry_field_key_next_generated_date,
- cm_store_timestamp_from_time(entry->cm_key_next_generated_date,
- timestamp));
+ if (entry->cm_key_generated_date != 0) {
+ cm_store_file_write_str(fp, cm_store_entry_field_key_generated_date,
+ cm_store_timestamp_from_time(entry->cm_key_generated_date,
+ timestamp));
+ }
+ if ((entry->cm_key_next_marker != NULL) &&
+ (strlen(entry->cm_key_next_marker) > 0)) {
+ cm_store_file_write_str(fp, cm_store_entry_field_key_next_generated_date,
+ cm_store_timestamp_from_time(entry->cm_key_next_generated_date,
+ timestamp));
+ }
 cm_store_file_write_int(fp, cm_store_entry_field_key_requested_count,
 entry->cm_key_requested_count);
- cm_store_file_write_int(fp, cm_store_entry_field_key_next_requested_count,
- entry->cm_key_next_requested_count);
+ if ((entry->cm_key_next_marker != NULL) &&
+ (strlen(entry->cm_key_next_marker) > 0)) {
+ cm_store_file_write_int(fp, cm_store_entry_field_key_next_requested_count,
+ entry->cm_key_next_requested_count);
+ }
 cm_store_file_write_int(fp, cm_store_entry_field_key_issued_count,
 entry->cm_key_issued_count);
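Review bot: The two date fields are now gated differently: key_generated_date is skipped when its time is 0, but key_next_generated_date is written whenever cm_key_next_marker is non-empty, so an entry that already carries a next-key marker but has no next-key generation time yet is still written with the timestamp for time 0. Unless a zero date is meaningful on the read side, guard it the same way as the non-next field, e.g. `if ((entry->cm_key_next_marker != NULL) && (strlen(entry->cm_key_next_marker) > 0) && (entry->cm_key_next_generated_date != 0)) {`. The marker test is also repeated verbatim in front of the key_next_requested_count write; hoisting it once into a local such as `int have_next_key = (entry->cm_key_next_marker != NULL) && (entry->cm_key_next_marker[0] != '\0');` keeps the two conditions from drifting apart later. Because these fields are no longer written unconditionally, the reading counterpart (not in this diff) presumably has to treat a missing key_next_* field as 0 — worth confirming so stale in-memory values cannot survive a write/read round trip. cm_store_entry_write starts before and ends after this hunk.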
diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out index ac5704d..d5459d4 100644 --- a/tests/010-iterate/expected.out +++ b/tests/010-iterate/expected.out @@ -6,7 +6,6 @@ HAVE_KEY_PAIR NEED_KEYINFO -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 [Reading back key info.] @@ -18,7 +17,6 @@ NEED_CSR -STOP- key_size=2048 key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 [Generating CSR.] @@ -31,7 +29,6 @@ GENERATING_CSR HAVE_CSR -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 [Getting CSR signed.] @@ -42,7 +39,6 @@ SUBMITTING NEED_TO_SAVE_CERT -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 [Saving certificate.] @@ -64,7 +60,6 @@ Certificate in file "$tmpdir/certfile" issued by CA and saved. MONITORING -STOP- key_issued_count=1 -key_next_requested_count=0 key_requested_count=1 [From-scratch enrollment scenario OK.] @@ -174,7 +169,6 @@ HAVE_KEYINFO NEED_CSR -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 NEED_CSR -(RESET)- @@ -185,7 +179,6 @@ GENERATING_CSR HAVE_CSR -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 HAVE_CSR -START- @@ -194,7 +187,6 @@ SUBMITTING NEED_TO_SAVE_CERT -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 NEED_TO_SAVE_CERT -START- @@ -203,7 +195,6 @@ SAVING_CERT SAVED_CERT -STOP- key_issued_count=1 -key_next_requested_count=0 key_requested_count=1 [Enroll, helper produces noise before.] @@ -226,13 +217,11 @@ HAVE_CSR -START- NEED_TO_SUBMIT SUBMITTING -NEED_TO_SAVE_CERT +NEED_GUIDANCE -STOP- -NEED_TO_SAVE_CERT +NEED_GUIDANCE -START- -START_SAVING_CERT -SAVING_CERT -SAVED_CERT +NEED_GUIDANCE -STOP- [Enroll, helper produces noise after] 
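Review bot: The hunks at -226 and -284 in tests/010-iterate/expected.out change the expected states of the two "helper produces noise" scenarios from NEED_TO_SAVE_CERT / START_SAVING_CERT / SAVING_CERT / SAVED_CERT to NEED_GUIDANCE, which is a change in the enrollment state machine that the commit message (about when key_next_* fields are recorded) does not explain. If this reflects an intended change made elsewhere, it belongs in the message or in its own commit; if it merely matches a currently failing run, that is worth stating before the new output becomes the baseline. The key_next_requested_count=0 removals throughout the rest of the file follow directly from the store-files.c change and need no further note.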
@@ -284,13 +273,11 @@ HAVE_CSR -START- NEED_TO_SUBMIT SUBMITTING -NEED_TO_SAVE_CERT +NEED_GUIDANCE -STOP- -NEED_TO_SAVE_CERT +NEED_GUIDANCE -START- -START_SAVING_CERT -SAVING_CERT -SAVED_CERT +NEED_GUIDANCE -STOP- [Enroll, helper omits newline at end of certificate.] @@ -413,7 +400,6 @@ HAVE_KEYINFO NEED_CSR -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 NEED_CSR -(RESET)- @@ -424,7 +410,6 @@ GENERATING_CSR HAVE_CSR -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 HAVE_CSR -START- @@ -433,7 +418,6 @@ SUBMITTING NEED_TO_NOTIFY_REJECTION -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 NEED_TO_NOTIFY_REJECTION -START- @@ -442,14 +426,12 @@ Request for certificate to be stored in file "$tmpdir/certfile3" rejected by CA. CA_REJECTED -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 CA_REJECTED -START- CA_REJECTED -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 [Enroll until the CA rejects us after poll.] @@ -640,7 +622,6 @@ HAVE_KEYINFO NEED_CSR -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 NEED_CSR -(RESET)- @@ -651,7 +632,6 @@ GENERATING_CSR HAVE_CSR -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 HAVE_CSR -START- @@ -660,7 +640,6 @@ SUBMITTING NEED_SCEP_DATA -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 NEED_SCEP_DATA -START- @@ -669,7 +648,6 @@ HAVE_SCEP_DATA NEED_TO_SUBMIT -STOP- key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 [CA poll timeout remaining=0.] diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out index faa1d28..0a29579 100644 --- a/tests/030-rekey/expected.out +++ b/tests/030-rekey/expected.out 
@@ -1,23 +1,20 @@ [ Begin pass (preserve=1,pin=""). ] +(prep NSS) key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 (submit NSS) key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 +(prep OpenSSL) key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 (submit OpenSSL) key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 First round certificates OK. NSS keys before re-keygen (preserve=1,pin=""): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 OK. NSS keys after re-keygen (preserve=1,pin=""): @@ -41,7 +38,6 @@ NSS Verify: This is the plaintext. (saving) key_issued_count=1 -key_next_requested_count=0 key_requested_count=1 NSS certs after saving (preserve=1,pin=""): i2048 u,u,u @@ -55,7 +51,6 @@ This is the plaintext. PEM keys before re-keygen (preserve=1,pin=""): ${tmpdir}/keyi2048 key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 OK. PEM keys after re-keygen (preserve=1,pin=""): @@ -79,7 +74,6 @@ OpenSSL Verify: This is the plaintext. (saving) key_issued_count=1 -key_next_requested_count=0 key_requested_count=1 PEM certs after saving (preserve=1,pin=""): ${tmpdir}/certi2048 @@ -92,25 +86,22 @@ OpenSSL Verify: This is the plaintext. [ End pass (preserve=1,pin=""). ] [ Begin pass (preserve=1,pin="password"). ] +(prep NSS) key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 (submit NSS) key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 +(prep OpenSSL) key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 (submit OpenSSL) key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 First round certificates OK. NSS keys before re-keygen (preserve=1,pin="password"): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 OK. NSS keys after re-keygen (preserve=1,pin="password"): 
@@ -134,7 +125,6 @@ NSS Verify: This is the plaintext. (saving) key_issued_count=1 -key_next_requested_count=0 key_requested_count=1 NSS certs after saving (preserve=1,pin="password"): i2048 u,u,u @@ -148,7 +138,6 @@ This is the plaintext. PEM keys before re-keygen (preserve=1,pin="password"): ${tmpdir}/keyi2048 key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 OK. PEM keys after re-keygen (preserve=1,pin="password"): @@ -172,7 +161,6 @@ OpenSSL Verify: This is the plaintext. (saving) key_issued_count=1 -key_next_requested_count=0 key_requested_count=1 PEM certs after saving (preserve=1,pin="password"): ${tmpdir}/certi2048 @@ -185,25 +173,22 @@ OpenSSL Verify: This is the plaintext. [ End pass (preserve=1,pin="password"). ] [ Begin pass (preserve=0,pin=""). ] +(prep NSS) key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 (submit NSS) key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 +(prep OpenSSL) key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 (submit OpenSSL) key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 First round certificates OK. NSS keys before re-keygen (preserve=0,pin=""): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 OK. NSS keys after re-keygen (preserve=0,pin=""): @@ -227,7 +212,6 @@ NSS Verify: This is the plaintext. (saving) key_issued_count=1 -key_next_requested_count=0 key_requested_count=1 NSS certs after saving (preserve=0,pin=""): i2048 u,u,u @@ -240,7 +224,6 @@ This is the plaintext. PEM keys before re-keygen (preserve=0,pin=""): ${tmpdir}/keyi2048 key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 OK. PEM keys after re-keygen (preserve=0,pin=""): @@ -264,7 +247,6 @@ OpenSSL Verify: This is the plaintext. (saving) key_issued_count=1 -key_next_requested_count=0 key_requested_count=1 PEM certs after saving (preserve=0,pin=""): ${tmpdir}/certi2048 
@@ -276,25 +258,22 @@ OpenSSL Verify: This is the plaintext. [ End pass (preserve=0,pin=""). ] [ Begin pass (preserve=0,pin="password"). ] +(prep NSS) key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 (submit NSS) key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 +(prep OpenSSL) key_issued_count=0 -key_next_requested_count=0 key_requested_count=0 (submit OpenSSL) key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 First round certificates OK. NSS keys before re-keygen (preserve=0,pin="password"): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 OK. NSS keys after re-keygen (preserve=0,pin="password"): @@ -318,7 +297,6 @@ NSS Verify: This is the plaintext. (saving) key_issued_count=1 -key_next_requested_count=0 key_requested_count=1 NSS certs after saving (preserve=0,pin="password"): i2048 u,u,u @@ -331,7 +309,6 @@ This is the plaintext. PEM keys before re-keygen (preserve=0,pin="password"): ${tmpdir}/keyi2048 key_issued_count=0 -key_next_requested_count=0 key_requested_count=1 OK. PEM keys after re-keygen (preserve=0,pin="password"): @@ -355,7 +332,6 @@ OpenSSL Verify: This is the plaintext. (saving) key_issued_count=1 -key_next_requested_count=0 key_requested_count=1 PEM certs after saving (preserve=0,pin="password"): ${tmpdir}/certi2048 diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh index 078e1e8..27ae401 100755 --- a/tests/030-rekey/run.sh +++ b/tests/030-rekey/run.sh @@ -62,6 +62,7 @@ for preserve in 1 0 ; do echo key_pin_file=`pwd`/pinfile >> entry.openssl.$size $toolsdir/keyiread entry.openssl.$size > /dev/null 2>&1 # Use that NSS key to generate a self-signed certificate. + echo '(prep NSS)' cat > entry.nss.$size <<- EOF ca_name=self_signer key_storage_type=NSSDB 
@@ -82,6 +83,7 @@ for preserve in 1 0 ; do $toolsdir/submit ca.self entry.nss.$size > cert.nss.$size grep ^key.\*count= entry.nss.$size | LANG=C sort # Use that OpenSSL key to generate a self-signed certificate. + echo '(prep OpenSSL)' cat > entry.openssl.$size <<- EOF ca_name=self_signer key_storage_type=FILE