#146 Re-order the way the SCEP signing and CA certs are collected
Merged by rcritten. Opened by rcritten.
rcritten/certmonger bz1808052 into master

Re-order the way the SCEP signing and CA certs are collected

Put cacert into the ca store, the racert at the top of the
othercerts list. Then we parse certs, placing all ca certs
we find into the ca store, and all other certs we find after
the racert.

Variables are renamed to match the cm_pkcs7_parse() and
cm_pkcs7_verify_signed() calls.

A special case for IPA (dogtag) was added because dogtag
uses its CA cert to sign the PKCS7 so it is both an RA cert
and a CA cert. If a self-signed CA is detected and no other
certs are provided then the CA is treated as the RA.

https://bugzilla.redhat.com/show_bug.cgi?id=1808052

Graham Leggett did the majority of the work on this patch.

This includes patches from PR https://pagure.io/certmonger/pull-request/145. Only the top patch is really relevant to the reported issue but it builds upon other SCEP work.

rebased onto 71f5fbdbcddd464711a15d94e8c73cb598f837dd

Pull-Request has been merged by rcritten

A small detail about IPA (dogtag) described above.

The IPA behaviour isn't a special case, but rather a formally supported part of the SCEP spec - https://tools.ietf.org/html/draft-gutmann-scep-15#section-4.2.1.1

It is possible for the CA and RA certificate to be one and the same.

Thanks, I missed that in the spec.
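The certificate-ordering rule the PR description lays out (cacert first in the CA store, racert first in othercerts, parsed CA certs into the CA store, everything else after racert, and a lone self-signed CA doubling as the RA per the spec section cited above), as an added illustration that is not certmonger's own code: the function and helper names are hypothetical, the certificates are constructed in-line with the `cryptography` library, and self-signedness is approximated by issuer-equals-subject rather than a signature check.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def is_ca(cert):
    """True if the cert carries BasicConstraints with CA:TRUE."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return False
    return ext.value.ca


def is_self_signed(cert):
    """Approximation (assumption): issuer name equals subject name."""
    return cert.issuer == cert.subject


def sort_scep_certs(cacert, racert, extra_certs):
    """Return (ca_store, othercerts): cacert leads the CA store, racert leads
    othercerts, parsed CA certs join the CA store, all others follow racert.
    If only one self-signed CA turns up and nothing else, it acts as the RA."""
    ca_store = [cacert] if cacert is not None else []
    othercerts = [racert] if racert is not None else []
    for cert in extra_certs:
        (ca_store if is_ca(cert) else othercerts).append(cert)
    if not othercerts and len(ca_store) == 1 and is_self_signed(ca_store[0]):
        othercerts = [ca_store[0]]  # CA and RA are one and the same
    return ca_store, othercerts


def _mint(subject_cn, issuer_cn, issuer_key, ca):
    """Constructed sample cert; a None issuer_key means self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime(2024, 1, 1)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    return b.sign(issuer_key or key, hashes.SHA256()), key


def make_test_chain():
    """Constructed sample: a self-signed CA and an RA end-entity cert it issued."""
    ca, ca_key = _mint("Test SCEP CA", "Test SCEP CA", None, ca=True)
    ra, _ = _mint("Test SCEP RA", "Test SCEP CA", ca_key, ca=False)
    return ca, ra
```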