From 230b640e67ea27db59d59dd7bef776638ac005dc Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Apr 17 2020 20:57:44 +0000 Subject: Add new option to allow overriding the detected SCEP CA chain The -R option was doing double-duty for the SCEP CA. 1. It was required if the SCEP URL used TLS 2. It override the CA certificate downloaded from the SCEP server If the chains were different then validating the SCEP responses would fail. https://bugzilla.redhat.com/show_bug.cgi?id=1808613 --- diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in index 95d674a..42ffcd6 100644 --- a/src/certmonger-scep-submit.8.in +++ b/src/certmonger-scep-submit.8.in @@ -8,6 +8,7 @@ scep-submit -u SERVER-URL [-r ra-cert-file] [-R ca-cert-file] [-I other-certs-file] +[-N ca-cert-file] [-i ca-identifier] [-v] [-n] @@ -57,11 +58,14 @@ typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or always required. .TP \fB\-R\fR CA-certificate-file -The location of the SCEP server's CA certificate, which was used to -issue the SCEP server's certificate, or the SCEP server's own -certificate, if it is self-signed, in PEM form. If the URL specified -with the \fB-u\fR option is an \fIhttps\fR URL, then this option is -required. +The location of the CA certificate which was used to issue the SCEP web +server's certificate in PEM form. If the URL specified with the +\fB-u\fR option is an \fIhttps\fR URL, then this option is required. +.TP +\fB\-N\fR ca-certificate-file +The location of a PEM-formatted copy of the SCEP server's CA certificate. +A discovered value is normally supplied by the certmonger daemon, but one can +be specified for troubleshooting purposes. .TP \fB\-r\fR RA-certificate-file The location of the SCEP server's RA certificate, which is expected to diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in index 11ab4ce..bf07306 100644 --- a/src/getcert-add-scep-ca.1.in +++ b/src/getcert-add-scep-ca.1.in @@ -24,12 +24,16 @@ The location of the SCEP server's enrollment interface. This option must be specified. .TP \fB\-R\fR ca-certificate-file -The location of a PEM-formatted copy of the SCEP server's CA's certificate. -A discovered value is supplied by the certmonger daemon for use in verifying -the signature on data returned by the SCEP server, but it is not used for -verifying HTTPS server certificates. +The location of a PEM-formatted copy of the CA's certificate used to verify +the TLS connection the SCEP server. + This option must be specified if the URL is an \fIhttps\fR location. .TP +\fB\-N\fR ca-certificate-file +The location of a PEM-formatted copy of the SCEP server's CA certificate. +A discovered value is normally supplied by the certmonger daemon, but one can +be specified for troubleshooting purposes. +.TP \fB\-r\fR ra-certificate-file The location of a PEM-formatted copy of the SCEP server's RA's certificate. A discovered value is normally supplied by the certmonger daemon, but one can diff --git a/src/getcert.c b/src/getcert.c index 19df7c1..0d434c3 100644 --- a/src/getcert.c +++ b/src/getcert.c @@ -4522,6 +4522,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS; char *caname = NULL, *url = NULL, *path = NULL, *id = NULL; char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command; + char *signingca = NULL; const char *err; int c, prefer_non_renewal = 0, verbose = 0; dbus_bool_t b; @@ -4534,6 +4535,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME}, {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME}, {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, + {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL}, {"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL}, {"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL}, @@ -4595,7 +4597,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) return 1; } command = talloc_asprintf(globals.tctx, - "%s -u %s %s %s %s %s %s %s %s %s %s", + "%s -u %s %s %s %s %s %s %s %s %s %s %s", shell_escape(globals.tctx, CM_SCEP_HELPER_PATH), shell_escape(globals.tctx, url), @@ -4607,6 +4609,8 @@ add_scep_ca(const char *argv0, int argc, const char **argv) id ? shell_escape(globals.tctx, id) : "", certs ? "-I" : "", certs ? shell_escape(globals.tctx, certs) : "", + signingca ? "-N" : "", + signingca ? shell_escape(globals.tctx, signingca) : "", prefer_non_renewal ? "-n" : ""); for (c = 0; c < verbose; c++) { command = talloc_strdup_append(command, " -v"); diff --git a/src/scep.c b/src/scep.c index a25ea95..1e045ec 100644 --- a/src/scep.c +++ b/src/scep.c @@ -205,7 +205,6 @@ main(int argc, const char **argv) int response_code = 0, response_code2 = 0; enum known_ops op = op_unset; const char *id = NULL, *cainfo = NULL; - char *poptarg; char *message = NULL, *rekey_message = NULL; const char *mode = NULL, *content_type = NULL, *content_type2 = NULL; void *ctx; @@ -234,8 +233,9 @@ main(int argc, const char **argv) {"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL}, {"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL}, {"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"}, - {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"}, + {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"}, {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"}, + {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"}, {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL}, {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, POPT_AUTOHELP @@ -328,9 +328,10 @@ main(int argc, const char **argv) racert = cm_submit_u_from_file(poptGetOptArg(pctx)); break; case 'R': - poptarg = poptGetOptArg(pctx); - cainfo = strdup(poptarg); - cacert = cm_submit_u_from_file(poptarg); + cainfo = poptGetOptArg(pctx); + break; + case 'N': + cacert = cm_submit_u_from_file(poptGetOptArg(pctx)); break; case 'I': certs = cm_submit_u_from_file(poptGetOptArg(pctx)); @@ -339,7 +340,6 @@ main(int argc, const char **argv) } if (c != -1) { poptPrintUsage(pctx, stdout, 0); - free(cainfo); return CM_SUBMIT_STATUS_UNCONFIGURED; } @@ -1188,7 +1188,6 @@ done: if (pctx) { poptFreeContext(pctx); } - free(cainfo); free(id); cm_submit_h_cleanup(hctx); talloc_free(ctx);