From a5f9b624e2340c323b5752c6267ac9a3a4d5ef21 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: May 14 2021 18:04:48 +0000
Subject: [PATCH 1/2] Update cadata test to reflect non-NULL returned by helper

NULL was returned when a helper was non-executable which led to it becoming a zombie process.

---

diff --git a/tests/023-cadata/expected.out b/tests/023-cadata/expected.out
index e7944df..1279fde 100644
--- a/tests/023-cadata/expected.out
+++ b/tests/023-cadata/expected.out
@@ -1,5 +1,5 @@
 [missing]
-Failed to start.
+CA helper provided data.
 Error 255
 [i] id=CADataRetrievalTest

From 50cec1d8003465c84c26745532b1c6a25dde35a8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: May 14 2021 18:04:48 +0000
Subject: [PATCH 2/2] Drop hardcoded values for Apache NSS db for IPA < v4

These were used with IPAv3 when the IPA RA certificate was stored in the Apache NSS database and references by nickname. The RA certificate was moved to a set of PEM files starting in IPA v4. The hardcoded values were not particulary distribution friendly. This change isn't explicitly dropping support for IPAv3 but changes would be necessary there to pass in the options for the NSS database directory and nickname. A newer certmonger is not likely to be used with such an old IPA release.

https://pagure.io/certmonger/issue/97

Signed-off-by: Rob Crittenden

---

diff --git a/doc/selinux.txt b/doc/selinux.txt
index 6d5a91a..8ad9d22 100644
--- a/doc/selinux.txt
+++ b/doc/selinux.txt
@@ -74,7 +74,6 @@ directories. To obtain a list of which path patterns are configured to receive
 a particular type, you can use a command like this one:
 # semanage fcontext -l | grep :cert_t:
- /etc/httpd/alias(/.*)? all files system_u:object_r:cert_t:s0
 /etc/pki(/.*)? all files system_u:object_r:cert_t:s0
 /etc/ssl(/.*)? all files system_u:object_r:cert_t:s0
 /usr/share/ca-certificates(/.*)? all files system_u:object_r:cert_t:s0
diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
index 33e0648..746684c 100644
--- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
+++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
@@ -4,31 +4,7 @@ dogtag\-ipa\-renew\-agent\-submit
 .SH SYNOPSIS
-dogtag\-ipa\-renew\-agent\-submit \-E EE\-URL \-A AGENT\-URL
-[\-d dbdir]
-[\-n nickname]
-[\-i cainfo]
-[\-C capath]
-[\-c certfile]
-[\-k keyfile]
-[\-p pinfile]
-[\-P pin]
-[\-s serial (hex)]
-[\-D serial (decimal)]
-[\-S state]
-[\-T profile]
-[\-O param=value]
-[\-N | \-R]
-[\-t]
-[\-o option=value]
-[\-a]
-[\-u uid]
-[\-U udn]
-[\-W pwd]
-[\-w pwdfile]
-[\-Y pin]
-[\-y pinfile]
-[csrfile]
+dogtag\-ipa\-renew\-agent\-submit [options] [csrfile]
 .SH DESCRIPTION
@@ -86,6 +62,24 @@ the CA server's certificate will be verified. The default is
 The location of a directory containing a copy of the CA's certificate,
 against which the CA server's certificate will be verified.
 .TP
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
+The NSS database that contains credentials to authenticate to the CA.
+.TP
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
+The nickname of the certificate used for authentication.
+.TP
+\fB\-c\fR \fIFILENAME\fR, \fR\-\-certfile\fR=\fIFILENAME\fR
+The certificate in PEM format used for authentication.
+.TP
+\fB\-k\fR \fIFILENAME\fR, \fR\-\-keyfile\fR=\fIFILENAME\fR
+The private key for the certificate in PEM format used for authentication. It may be encrypted.
+.TP
+\fB\-p\fR \fIFILENAME\fR, \fR\-\-sslpinfile\fR=\fIFILENAME\fR
+A file that contains the pin for the private key file or NSS database.
+.TP
+\fB\-P\fR \fISTRING\fR, \fR\-\-sslpin\fR=\fISTRING\fR
+The pin for the private key file or NSS database.
+.TP
 \fB\-s\fR \fINUMBER\fR, \fB\-\-hex\-serial\fR=\fINUMBER\fB
 The serial number of an already\-issued certificate for which the client
 should attempt to obtain a new certificate, in hexidecimal form, if one can not be
@@ -204,11 +198,7 @@ which the client should use to authenticate to the CA's agent interface. The
 values to use depend on which cryptography library your copy of libcurl
 was linked with.
 .TP
-If none of these options are specified, and none of the \fB\-p\fR, \fB\-P\fR, \fB\-i\fR, nor \fB\-C\fR options are specified, then this set of defaults is used:
- \fB\-i\fR \fI/etc/ipa/ca.crt\fR
- \fB\-d\fR \fI/etc/httpd/alias\fR
- \fB\-n\fR \fIipaCert\fR
- \fB\-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
+The location of the certificate used for authentication to the CA needs to be provided in either a combination of PEM files using --certfile and --keyfile or an NSS database using--dbdir and --nickname. The default for --cafile is \fI/etc/ipa/ca.crt\fR.
 .TP
 \fB\-d\fR \fIdbdir\fR, \fB\-\-dbdir\fR=\fIdbdir\fR
 Use an NSS database in the specified directory for this certificate
diff --git a/src/dogtag.c b/src/dogtag.c
index d36ac00..388ad15 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -402,16 +402,16 @@ main(int argc, const char **argv)
 }
 #ifdef DOGTAG_IPA_RENEW_AGENT
 if ((cainfo == NULL) &&
- (capath == NULL) &&
- (ssldir == NULL) &&
- (sslcert == NULL) &&
- (sslkey == NULL) &&
- (sslpin == NULL) &&
- (sslpinfile == NULL)) {
+ (capath == NULL)) {
 cainfo = "/etc/ipa/ca.crt";
- ssldir = "/etc/httpd/alias";
- sslcert = "ipaCert";
- sslpinfile = "/etc/httpd/alias/pwdfile.txt";
+ }
+ if (((ssldir == NULL) &&
+ (sslcert == NULL)) ||
+ ((sslkey == NULL) &&
+ (sslcert == NULL))) {
+ printf(_("NSS database and nickname or certfile and keyfile "
+ "must be provided.\n"));
+ missing_args = TRUE;
 }
 #endif
 if ((sslcert != NULL) && (strlen(sslcert) > 0)) {
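Review bot: The added guard in dogtag.c does not enforce what its message promises: both halves of the `||` require `sslcert == NULL`, so the whole test collapses to `sslcert == NULL && (ssldir == NULL || sslkey == NULL)`, and `-c certfile` with no `-k`, or `-d dbdir` plus `-k keyfile` with neither `-n` nor `-c`, sail past it with `missing_args` unset and an incomplete credential set. If a lone `-c` is meant to be accepted (presumably because libcurl will look for the key in the cert file), say so in a comment on the condition; otherwise a check that matches the message is `if (sslcert == NULL || (ssldir == NULL && sslkey == NULL)) {`. Since `sslcert` now carries either the NSS nickname (with `-d`) or the PEM path (with `-k`), a comment such as `/* sslcert is the NSS nickname when ssldir is set, else the PEM certificate path */` above the check would spare the next reader the same confusion. main() starts and ends outside this hunk.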