From b1194b891eccc0937db4d4de150fee7fae8074d5 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Sep 05 2025 12:44:22 +0000 Subject: [PATCH 1/7] Use the IPA API by default for dogtag requests This retains compatibility with the XML-based PKI API but will default to using IPA. The ultimate purpose is to limit the number of dogtag PKI APIs that certmonger needs to support. The bootstrap issue, where we have to talk directly to the CA because IPA is not fully setup yet, will be handled at a later date. Fixes: https://pagure.io/certmonger/issue/284 Signed-off-by: Rob Crittenden --- diff --git a/src/Makefile.am b/src/Makefile.am index f11024a..b20cb43 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -119,7 +119,9 @@ libcm_a_SOURCES = \ util-m.c \ util-m.h \ util-n.c \ - util-n.h + util-n.h \ + util-ipa.c \ + util-ipa.h if WITH_XMLRPC libcm_a_SOURCES += \ submit-x.c \ @@ -144,7 +146,9 @@ libcm_o_a_SOURCES += \ submit-o.c \ submit-o.h \ util-o.c \ - util-o.h + util-o.h \ + util-ipa.c \ + util-ipa.h endif libcm_o_a_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(OPENSSL_CFLAGS) libcm_a_LIBADD = $(libcm_o_a_OBJECTS) @@ -221,7 +225,8 @@ noinst_PROGRAMS += submit-h submit-d ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) $(JANSSON_CFLAGS) ipa_submit_SOURCES = ipa.c srvloc.c srvloc.h store.h store-gen.c \ submit-h.c submit-h.h submit-u.c submit-u.h \ - submit-e.h util.c util.h log.c log.h tm.c tm.h + submit-e.h util.c util.h log.c log.h tm.c tm.h \ + util-ipa.c util-ipa.h ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \ $(GMP_LIBS) $(IDN_LIBS) $(OPENSSL_LIBS) $(UUID_LIBS) \ $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS) $(CURL_LIBS) \ 
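Review bot: `util-ipa.c` and `util-ipa.h` are added to both `libcm_a_SOURCES` and `libcm_o_a_SOURCES`, and the context line `libcm_a_LIBADD = $(libcm_o_a_OBJECTS)` folds the second archive's objects into the first, so libcm.a appears to end up with two objects defining the same util-ipa symbols. In the lines shown, `util-n.c` is listed only under libcm_a and `util-o.c` only under libcm_o_a. If util-ipa.c does not depend on the NSS/OpenSSL-specific flags, listing it once under `libcm_a_SOURCES` looks sufficient. Otherwise a comment such as `# util-ipa is built twice: once per crypto backend` would record why.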
@@ -235,27 +240,35 @@ certmaster_submit_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \ $(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) $(POPT_LIBS) endif dogtag_ipa_renew_agent_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) \ - $(NSS_CFLAGS) $(CURL_CFLAGS) \ + $(NSS_CFLAGS) $(CURL_CFLAGS) $(LDAP_CFLAGS) \ + $(KRB5_CFLAGS) $(JANSSON_CFLAGS) \ + $(IDN_CFLAGS) $(RESOLV_CFLAGS) \ -DDOGTAG_IPA_RENEW_AGENT=1 dogtag_ipa_renew_agent_submit_SOURCES = dogtag.c submit-d.c submit-d.h \ submit-h.c submit-h.h util-m.c util-m.h util-n.c util-n.h \ submit-u.c submit-u.h submit-e.h util.c util.h log.c log.h \ store.h store-gen.c tm.c tm.h prefs.c prefs.h \ - dogtag-ipa.c dogtag-ipa.h env.h env-system.c + dogtag-ipa.c dogtag-ipa.h env.h env-system.c util-ipa.c \ + srvloc.c srvloc.h dogtag_ipa_renew_agent_submit_LDADD = $(CURL_LIBS) $(XML_LIBS) $(NSS_LIBS) \ $(OPENSSL_LIBS) $(TALLOC_LIBS) \ $(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) \ - $(POPT_LIBS) -dogtag_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) + $(POPT_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(JANSSON_LIBS) \ + $(IDN_LIBS) $(RESOLV_LIBS) +dogtag_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) \ + $(JANSSON_CFLAGS) $(LDAP_CFLAGS) $(IDN_FLAGS) \ + $(RESOLV_FLAGS) $(KRB5_FLAGS) dogtag_submit_SOURCES = dogtag.c submit-d.c submit-d.h \ submit-h.c submit-h.h util-m.c util-m.h util-n.c util-n.h \ submit-u.c submit-u.h submit-e.h util.c util.h log.c log.h \ store.h store-gen.c tm.c tm.h prefs.c prefs.h \ - env.h env-system.c + env.h env-system.c util-ipa.c util-ipa.h \ + srvloc.c srvloc.h dogtag_submit_LDADD = $(CURL_LIBS) $(XML_LIBS) $(NSS_LIBS) \ $(OPENSSL_LIBS) $(TALLOC_LIBS) \ $(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) \ - $(POPT_LIBS) + $(POPT_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(JANSSON_LIBS) \ + $(IDN_LIBS) $(RESOLV_LIBS) scep_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) scep_submit_SOURCES = scep.c scep.h \ submit-h.c submit-h.h util-m.c util-m.h util-o.c util-o.h \ 
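Review bot: In the new `dogtag_submit_CFLAGS` the last three variables are spelled `$(IDN_FLAGS)`, `$(RESOLV_FLAGS)` and `$(KRB5_FLAGS)`, while `dogtag_ipa_renew_agent_submit_CFLAGS` in the same hunk uses `$(IDN_CFLAGS)`, `$(RESOLV_CFLAGS)` and `$(KRB5_CFLAGS)`. Unless the shorter names are defined elsewhere, make expands them to nothing and dogtag-submit is compiled without those include paths, which only fails on systems where the headers are outside the default search path. Suggested lines: `$(JANSSON_CFLAGS) $(LDAP_CFLAGS) $(IDN_CFLAGS) \` and `$(RESOLV_CFLAGS) $(KRB5_CFLAGS)`. Also, `dogtag_ipa_renew_agent_submit_SOURCES` gains `util-ipa.c` without `util-ipa.h`, unlike `dogtag_submit_SOURCES`.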
@@ -277,8 +290,9 @@ submit_d_SOURCES = submit-d.c submit-d.h submit-h.c submit-h.h \ submit-u.c submit-u.h log.c log.h tm.c tm.h util-m.c util-m.h submit_d_LDADD = libcm-o.a $(CURL_LIBS) $(OPENSSL_LIBS) $(XML_LIBS) \ $(TALLOC_LIBS) $(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) \ - $(POPT_LIBS) -submit_h_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS) $(XML_CFLAGS) -DCM_SUBMIT_H_MAIN + $(POPT_LIBS) $(JANSSON_LIBS) +submit_h_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS) $(XML_CFLAGS) \ + $(JANSSON_CFLAGS) -DCM_SUBMIT_H_MAIN submit_h_SOURCES = submit-h.c submit-h.h log.c log.h tm.c tm.h submit_h_LDADD = $(CURL_LIBS) $(XML_LIBS) $(TALLOC_LIBS) $(LTLIBICONV) \ $(POPT_LIBS) diff --git a/src/dogtag.c b/src/dogtag.c index 6b82ffd..853cd2c 100644 --- a/src/dogtag.c +++ b/src/dogtag.c @@ -33,6 +33,8 @@ #include #include +#include + #include #include @@ -49,6 +51,7 @@ #include "util.h" #include "util-m.h" #include "util-n.h" +#include "util-ipa.h" #ifdef ENABLE_NLS #include @@ -61,6 +64,15 @@ #include "dogtag-ipa.h" #endif +enum op_type { + op_none, op_submit, op_check, op_approve, op_retrieve, op_profiles +}; + +struct options { + char *name; + char *value; +}; + static char * statevar(const char *state, const char *what) { 
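Review bot: `submit_h_CFLAGS` gains `$(JANSSON_CFLAGS)`, but the `submit_h_LDADD` context lines directly below it still carry no `$(JANSSON_LIBS)`, whereas `submit_d_LDADD` does get the library in this hunk. If submit-h.c now calls jansson functions (not visible here), the submit-h test program will fail to link. If it only needs a header for a prototype, the CFLAGS addition is enough. Suggested ending for `submit_h_LDADD`: `$(POPT_LIBS) $(JANSSON_LIBS)`, or drop the CFLAGS addition if it turns out to be unused.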
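Review bot: `struct options` is introduced at file scope without a comment on what its two pointers hold or who owns them, yet it becomes part of the signatures of `xml_workflow` and `ipa_workflow`. The loop in `xml_workflow` that compares `soptions[j].name` against `uid`, `udn`, `pwd` and `pin` shows that a value can be a credential, which is worth stating where the type is defined. Suggested comment: `/* One name=value pair (presumably from -o/-O); value may be a password or PIN, never log it. */`. A less generic tag such as `struct dogtag_option` would also avoid confusion with the popt option tables, and `enum op_type` would benefit from one line noting that `op_none` is the error state.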
@@ -110,473 +122,137 @@ serial_hex_from_cert(const char *cert) return ret; } -int -main(int argc, const char **argv) +static int +xml_workflow( + void *ctx, + poptContext pctx, + enum op_type op, + char *savedstate, + const char *eeurl, const char *agenturl, + dbus_bool_t use_agent_submission, + const char *serial, const char *template, + int force_new, + struct options *aoptions, struct options *soptions, + size_t num_aoptions, size_t num_soptions, + const char *uid, + const char *udn, + const char *pwd, + const char *pin, + dbus_bool_t use_agent_approval, + const char *sslcert, const char *sslkey, + const char *sslpin, const char *sslpinfile, + const char *ssldir, const char *cainfo, const char *capath, + dbus_bool_t can_agent, + int verbose +) { - const char *eeurl = NULL, *agenturl = NULL, *url = NULL, *url2 = NULL; const char *method = NULL, *method2 = NULL; - const char *ssldir = NULL, *cainfo = NULL, *capath = NULL; - const char *sslcert = NULL, *sslkey = NULL; - const char *sslpin = NULL, *sslpinfile = NULL; - const char *serial = NULL, *template = NULL; - const char *uid = NULL, *pwd = NULL, *pwdfile = NULL; - const char *udn = NULL, *pin = NULL, *pinfile = NULL; - char *csr = NULL; - char *poptarg; - struct { - char *name; - char *value; - } *aoptions = NULL, *soptions = NULL; - size_t num_aoptions = 0, num_soptions = 0, j; - char *savedstate = NULL; + const char *url = NULL, *url2 = NULL; char *p, *q, *params = NULL, *params2 = NULL; const char *lasturl = NULL, *lastparams = NULL; - const char *tmp = NULL, *results = NULL; + const char *results = NULL; + const char *csrfile = NULL; struct cm_submit_h_context *hctx; - void *ctx; - int c, verbose = 0, force_new = 0, force_renew = 0, i; -#ifdef DOGTAG_IPA_RENEW_AGENT - const char *host = NULL, *dogtag_version = NULL; - int eeport, agentport; -#endif - enum { op_none, op_submit, op_check, op_approve, op_retrieve, op_profiles } op = op_submit; - dbus_bool_t can_agent, use_agent_approval = FALSE, missing_args 
= FALSE; - dbus_bool_t use_agent_submission = FALSE; + char *csr = NULL; + size_t j; + int i; struct dogtag_default **defaults; enum cm_external_status ret; - NSSInitContext *nctx; - const char *es; - const char *mode = CM_OP_SUBMIT, *csrfile; - poptContext pctx; - const struct poptOption popts[] = { - {"ee-url", 'E', POPT_ARG_STRING, &eeurl, 0, "end-entity services location", "URL"}, - {"agent-url", 'A', POPT_ARG_STRING, &agenturl, 0, "agent services location", "URL"}, - {"cafile", 'i', POPT_ARG_STRING, &cainfo, 0, NULL, "FILENAME"}, - {"capath", 'C', POPT_ARG_STRING, &capath, 0, NULL, "DIRECTORY"}, - {"dbdir", 'd', POPT_ARG_STRING, &ssldir, 0, "database containing agent or client creds", "DIRECTORY"}, - {"nickname", 'n', POPT_ARG_STRING, &sslcert, 0, "nickname of agent or client creds", "NAME"}, - {"certfile", 'c', POPT_ARG_STRING, &sslcert, 0, "agent or client certificate", "FILENAME"}, - {"keyfile", 'k', POPT_ARG_STRING, &sslkey, 0, "agent or client key", "FILENAME"}, - {"sslpinfile", 'p', POPT_ARG_STRING, &sslpinfile, 0, "agent or client key pinfile", "FILENAME"}, - {"sslpin", 'P', POPT_ARG_STRING, &sslpin, 0, "agent or client key pin", NULL}, - {"hex-serial", 's', POPT_ARG_STRING, NULL, 's', "request renewal for certificate by serial number (hexadecimal)", "NUMBER"}, - {"serial", 'D', POPT_ARG_STRING, &serial, 'D', "request renewal for certificate by serial number", "NUMBER"}, - {"submit-option", 'o', POPT_ARG_STRING, NULL, 'o', "key-value pair to send to server", NULL}, - {"approval-option", 'O', POPT_ARG_STRING, NULL, 'O', "key-value pair to set in certificate", NULL}, - {"profile", 'T', POPT_ARG_STRING, &template, 0, "enrollment profile", "NAME"}, - {"profile-list", 't', POPT_ARG_NONE, NULL, 't', "list enrollment profiles", NULL}, - {"state", 'S', POPT_ARG_STRING, &savedstate, 0, "previously-provided state data", "STATE-VALUE"}, -#ifdef DOGTAG_IPA_RENEW_AGENT - {"dogtag-version", 'V', POPT_ARG_STRING, &dogtag_version, 'V', NULL, "NUMBER"}, -#endif - 
{"force-new", 'N', POPT_ARG_NONE, NULL, 'N', "prefer to obtain a new certificate", NULL}, - {"force-renew", 'R', POPT_ARG_NONE, NULL, 'R', "prefer to renew a certificate", NULL}, - {"agent-submit", 'a', POPT_ARG_NONE, NULL, 'a', "submit enrollment or renewal request using agent or client creds", NULL}, - {"uid", 'u', POPT_ARG_STRING, &uid, 0, "submit enrollment or renewal request using user name", "USERNAME"}, - {"udn", 'U', POPT_ARG_STRING, &udn, 0, "submit enrollment or renewal request using user DN", "USERDN"}, - {"userpwd", 'W', POPT_ARG_STRING, &pwd, 0, "submit password with enrollment or renewal request", NULL}, - {"userpwdfile", 'w', POPT_ARG_STRING, &pwdfile, 0, "submit password from file with enrollment or renewal request", "FILENAME"}, - {"userpin", 'Y', POPT_ARG_STRING, &pin, 0, "submit pin with enrollment or renewal request", NULL}, - {"userpinfile", 'y', POPT_ARG_STRING, &pinfile, 0, "submit pin from file with enrollment or renewal request", "FILENAME"}, - {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, - POPT_AUTOHELP - POPT_TABLEEND - }; - if (getenv(CM_SUBMIT_OPERATION_ENV) != NULL) { - mode = getenv(CM_SUBMIT_OPERATION_ENV); - } - if ((strcasecmp(mode, CM_OP_SUBMIT) == 0) || - (strcasecmp(mode, CM_OP_POLL) == 0)) { - /* fall through */ - } else - if (strcasecmp(mode, CM_OP_FETCH_PROFILES) == 0) { - op = op_profiles; - } else - if (strcasecmp(mode, CM_OP_IDENTIFY) == 0) { -#ifdef DOGTAG_IPA_RENEW_AGENT - printf("Dogtag (IPA,renew,agent) (%s %s)\n", PACKAGE_NAME, - PACKAGE_VERSION); -#else - printf("Dogtag (%s %s)\n", PACKAGE_NAME, PACKAGE_VERSION); -#endif - return 0; + /* Figure out where we are in the multi-step process. 
*/ + if ((savedstate != NULL) && + ((p = statevar(savedstate, "state")) != NULL) && + ((q = statevar(savedstate, "requestId")) != NULL)) { + if (strcmp(p, "check") == 0) { + op = op_check; + } + if ((strcmp(p, "review") == 0) || + (strcmp(p, "approve") == 0)) { + op = op_approve; + } + if ((strcmp(p, "fetch") == 0) || + (strcmp(p, "retrieve") == 0)) { + op = op_retrieve; + } + params = talloc_asprintf(ctx, "requestId=%s", q); + free(p); + free(q); } else { - /* unsupported request */ - return CM_SUBMIT_STATUS_OPERATION_NOT_SUPPORTED; + params = ""; } -#ifdef ENABLE_NLS - bindtextdomain(PACKAGE, MYLOCALEDIR); -#endif - - savedstate = getenv(CM_SUBMIT_COOKIE_ENV); - pctx = poptGetContext(argv[0], argc, argv, popts, 0); - if (pctx == NULL) { + /* Figure out which form and arguments to use. */ + switch (op) { + case op_none: + printf(_("Internal error: unknown state.\n")); return CM_SUBMIT_STATUS_UNCONFIGURED; - } - poptSetOtherOptionHelp(pctx, "[options] -E EE-URL -A AGENT-URL [csrfile]"); - while ((c = poptGetNextOpt(pctx)) > 0) { - switch (c) { - case 's': - serial = util_dec_from_hex(poptGetOptArg(pctx)); - break; - case 'O': - poptarg = poptGetOptArg(pctx); - if (strchr(poptarg, '=') == NULL) { - printf(_("Profile params (-O) must be in the form of param=value.\n")); - poptPrintUsage(pctx, stdout, 0); - free(soptions); - free(aoptions); - return CM_SUBMIT_STATUS_UNCONFIGURED; + break; + case op_submit: + method = DOGTAG_PROFILE_SUBMIT_METHOD; + url = talloc_asprintf(ctx, "%s/%s", eeurl, + use_agent_submission ? + DOGTAG_PROFILE_SUBMIT_AGENT_RESOURCE : + DOGTAG_PROFILE_SUBMIT_RESOURCE); + template = cm_submit_u_url_encode(template); + if ((serial != NULL) && (strlen(serial) > 0) && !force_new) { + /* Renew-by-serial. */ + serial = cm_submit_u_url_encode(serial); + params = talloc_asprintf(ctx, + "profileId=%s&" + "serial_num=%s&" + "renewal=true&" + "xml=true", + template, + serial); + } else { + /* Fresh enrollment. 
Read the CSR from the + * environment, or from the command-line, that we're + * going to submit for signing. */ + csrfile = poptGetArg(pctx); + if (csrfile != NULL) { + csr = cm_submit_u_from_file(csrfile); + } else { + csr = getenv(CM_SUBMIT_CSR_ENV); + if (csr != NULL) { + csr = strdup(csr); + } } - aoptions = realloc(aoptions, - ++num_aoptions * sizeof(*aoptions)); - if (aoptions == NULL) { - printf(_("Out of memory.\n")); - free(soptions); + if ((csr == NULL) || (strlen(csr) == 0)) { + if (csrfile != NULL) { + printf(_("Unable to read signing request from file \"%s\".\n"), + csrfile); + } else { + printf(_("Unable to read signing request from environment variable \"%s\".\n"), + CM_SUBMIT_CSR_ENV); + } + poptPrintUsage(pctx, stdout, 0); + free(csr); return CM_SUBMIT_STATUS_UNCONFIGURED; } - p = strdup(poptarg); - if (p == NULL) { - printf(_("Out of memory.\n")); - free(aoptions); - free(soptions); - return CM_SUBMIT_STATUS_UNCONFIGURED; + csr = cm_submit_u_url_encode(csr); + params = talloc_asprintf(ctx, + "profileId=%s&" + "cert_request_type=pkcs10&" + "cert_request=%s&" + "xml=true", + template, + csr); + free(csr); + } + /* Check for creds specified as options. 
*/ + for (j = 0; j < num_soptions; j++) { + if (strcmp(soptions[j].name, "uid") == 0) { + uid = NULL; } - i = strcspn(p, "="); - aoptions[num_aoptions - 1].name = p; - p[i] = '\0'; - aoptions[num_aoptions - 1].value = p + i + 1; - break; - case 'o': - poptarg = poptGetOptArg(pctx); - if (strchr(poptarg, '=') == NULL) { - printf(_("Submit params (-o) must be in the form of param=value.\n")); - poptPrintUsage(pctx, stdout, 0); - free(soptions); - free(aoptions); - return CM_SUBMIT_STATUS_UNCONFIGURED; + if (strcmp(soptions[j].name, "udn") == 0) { + udn = NULL; } - soptions = realloc(soptions, - ++num_soptions * sizeof(*soptions)); - if (soptions == NULL) { - printf(_("Out of memory.\n")); - free(aoptions); - return CM_SUBMIT_STATUS_UNCONFIGURED; + if (strcmp(soptions[j].name, "pwd") == 0) { + pwd = NULL; } - p = strdup(poptarg); - if (p == NULL) { - printf(_("Out of memory.\n")); - free(soptions); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - i = strcspn(p, "="); - soptions[num_soptions - 1].name = p; - p[i] = '\0'; - soptions[num_soptions - 1].value = p + i + 1; - break; - case 't': - op = op_profiles; - break; - case 'v': - verbose++; - break; -#ifdef DOGTAG_IPA_RENEW_AGENT - case 'V': - dogtag_version = poptGetOptArg(pctx); - break; -#endif - case 'N': - force_new++; - force_renew = 0; - break; - case 'R': - force_renew++; - force_new = 0; - break; - case 'a': - use_agent_submission = TRUE; - break; - } - } - if (c != -1) { - poptPrintUsage(pctx, stdout, 0); - free(soptions); - free(aoptions); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - - umask(S_IRWXG | S_IRWXO); - if (isatty(STDERR_FILENO)) - cm_log_set_method(cm_log_stderr); - else - cm_log_set_method(cm_log_syslog); - cm_log_set_level(verbose); - - nctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION, - NULL, NULL, NULL, NULL, - NSS_INIT_NOCERTDB | - NSS_INIT_READONLY | - NSS_INIT_NOROOTINIT); - if (nctx == NULL) { - cm_log(1, "Unable to initialize NSS.\n"); - _exit(1); - } - es = util_n_fips_hook(); - if 
(es != NULL) { - cm_log(1, "Error putting NSS into FIPS mode: %s\n", es); - _exit(1); - } - - ctx = talloc_new(NULL); - -#ifdef DOGTAG_IPA_RENEW_AGENT - cm_dogtag_ipa_hostver(&host, &dogtag_version); - if ((dogtag_version != NULL) && (atof(dogtag_version) >= 10)) { - eeport = 8080; - agentport = 8443; - } else { - eeport = 9180; - agentport = 9443; - } - if (eeurl == NULL) { - eeurl = cm_prefs_dogtag_ee_url(); - if ((eeurl == NULL) && (host != NULL)) { - eeurl = talloc_asprintf(ctx, - "http://%s:%d/ca/ee/ca", - host, eeport); - } - } - if (agenturl == NULL) { - agenturl = cm_prefs_dogtag_agent_url(); - if ((agenturl == NULL) && (host != NULL)) { - agenturl = talloc_asprintf(ctx, - "https://%s:%d/ca/agent/ca", - host, agentport); - } - } -#endif - - if (template == NULL) { - template = getenv(CM_SUBMIT_PROFILE_ENV); - if (template == NULL) { - template = cm_prefs_dogtag_profile(); - if (template == NULL) { - /* Maybe we should ask the server for which - * profiles it supports, but for now we just - * assume that this one hasn't been removed. 
*/ - template = "caServerCert"; - } - } - } - if (serial == NULL) { - tmp = getenv(CM_SUBMIT_CERTIFICATE_ENV); - if (tmp != NULL) { - if (cm_prefs_dogtag_renew()) { - serial = serial_hex_from_cert(tmp); - if (serial != NULL) { - serial = util_dec_from_hex(serial); - } - } - } - } - if (cainfo == NULL) { - cainfo = cm_prefs_dogtag_ca_info(); - } - if (capath == NULL) { - capath = cm_prefs_dogtag_ca_path(); - } - if (ssldir == NULL) { - ssldir = cm_prefs_dogtag_ssldir(); - } - if (sslcert == NULL) { - sslcert = cm_prefs_dogtag_sslcert(); - } - if (sslkey == NULL) { - sslkey = cm_prefs_dogtag_sslkey(); - } - if ((sslpinfile == NULL) && (sslpin == NULL)) { - sslpinfile = cm_prefs_dogtag_sslpinfile(); - } -#ifdef DOGTAG_IPA_RENEW_AGENT - if ((cainfo == NULL) && - (capath == NULL)) { - cainfo = "/etc/ipa/ca.crt"; - } - if (((ssldir == NULL) && - (sslcert == NULL)) || - ((sslkey == NULL) && - (sslcert == NULL))) { - printf(_("NSS database and nickname or certfile and keyfile " - "must be provided.\n")); - missing_args = TRUE; - } -#endif - if ((sslcert != NULL) && (strlen(sslcert) > 0)) { - can_agent = TRUE; - } else { - can_agent = FALSE; - } - if (use_agent_approval && !can_agent) { - printf(_("No agent credentials specified, and no " - "default known.\n")); - missing_args = TRUE; - } - if (use_agent_submission && !can_agent) { - printf(_("No agent credentials specified, and no " - "default known.\n")); - missing_args = TRUE; - } - if (force_renew && (serial == NULL)) { - printf(_("Requested renewal, but no serial number provided.\n")); - missing_args = TRUE; - } - if (eeurl == NULL) { - printf(_("No end-entity URL (-E) given, and no default known.\n")); - missing_args = TRUE; - } -#ifdef DOGTAG_IPA_RENEW_AGENT - if (agenturl == NULL) { - printf(_("No agent URL (-A) given, and no default known.\n")); - missing_args = TRUE; - } -#endif - if (template == NULL) { - printf(_("No profile/template (-T) given, and no default known.\n")); - missing_args = TRUE; - } - if 
(aoptions != NULL) { - if (agenturl == NULL) { - printf(_("No agent URL (-A) given, and no default " - "known.\n")); - missing_args = TRUE; - } - if (!can_agent) { - printf(_("No agent credentials specified, and no " - "default known.\n")); - missing_args = TRUE; - } - } - if (missing_args) { - poptPrintUsage(pctx, stdout, 0); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - if (NSS_ShutdownContext(nctx) != SECSuccess) { - printf(_("Error shutting down NSS.\n")); - return CM_SUBMIT_STATUS_UNREACHABLE; - } - - /* Figure out where we are in the multi-step process. */ - if ((savedstate != NULL) && - ((p = statevar(savedstate, "state")) != NULL) && - ((q = statevar(savedstate, "requestId")) != NULL)) { - if (strcmp(p, "check") == 0) { - op = op_check; - } - if ((strcmp(p, "review") == 0) || - (strcmp(p, "approve") == 0)) { - op = op_approve; - } - if ((strcmp(p, "fetch") == 0) || - (strcmp(p, "retrieve") == 0)) { - op = op_retrieve; - } - params = talloc_asprintf(ctx, "requestId=%s", q); - free(p); - free(q); - } else { - params = ""; - } - - /* Read the client password and/or PIN, if we need to. */ - if ((pwdfile != NULL) && (pwd == NULL)) { - pwd = cm_submit_u_from_file(pwdfile); - if (pwd != NULL) { - pwd = talloc_strndup(ctx, pwd, - strcspn(pwd, "\r\n")); - } - } - if ((pinfile != NULL) && (pin == NULL)) { - pin = cm_submit_u_from_file(pinfile); - if (pin != NULL) { - pin = talloc_strndup(ctx, pin, - strcspn(pin, "\r\n")); - } - } - - /* Figure out which form and arguments to use. */ - switch (op) { - case op_none: - printf(_("Internal error: unknown state.\n")); - return CM_SUBMIT_STATUS_UNCONFIGURED; - break; - case op_submit: - method = DOGTAG_PROFILE_SUBMIT_METHOD; - url = talloc_asprintf(ctx, "%s/%s", eeurl, - use_agent_submission ? - DOGTAG_PROFILE_SUBMIT_AGENT_RESOURCE : - DOGTAG_PROFILE_SUBMIT_RESOURCE); - template = cm_submit_u_url_encode(template); - if ((serial != NULL) && (strlen(serial) > 0) && !force_new) { - /* Renew-by-serial. 
*/ - serial = cm_submit_u_url_encode(serial); - params = talloc_asprintf(ctx, - "profileId=%s&" - "serial_num=%s&" - "renewal=true&" - "xml=true", - template, - serial); - } else { - /* Fresh enrollment. Read the CSR from the - * environment, or from the command-line, that we're - * going to submit for signing. */ - csrfile = poptGetArg(pctx); - if (csrfile != NULL) { - csr = cm_submit_u_from_file(csrfile); - } else { - csr = getenv(CM_SUBMIT_CSR_ENV); - if (csr != NULL) { - csr = strdup(csr); - } - } - if ((csr == NULL) || (strlen(csr) == 0)) { - if (csrfile != NULL) { - printf(_("Unable to read signing request from file \"%s\".\n"), - csrfile); - } else { - printf(_("Unable to read signing request from environment variable \"%s\".\n"), - CM_SUBMIT_CSR_ENV); - } - poptPrintUsage(pctx, stdout, 0); - free(csr); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - csr = cm_submit_u_url_encode(csr); - params = talloc_asprintf(ctx, - "profileId=%s&" - "cert_request_type=pkcs10&" - "cert_request=%s&" - "xml=true", - template, - csr); - free(csr); - } - /* Check for creds specified as options. */ - for (j = 0; j < num_soptions; j++) { - if (strcmp(soptions[j].name, "uid") == 0) { - uid = NULL; - } - if (strcmp(soptions[j].name, "udn") == 0) { - udn = NULL; - } - if (strcmp(soptions[j].name, "pwd") == 0) { - pwd = NULL; - } - if (strcmp(soptions[j].name, "pin") == 0) { - pin = NULL; + if (strcmp(soptions[j].name, "pin") == 0) { + pin = NULL; } } /* Add client creds. */ @@ -713,7 +389,6 @@ main(int argc, const char **argv) } results = cm_submit_h_results(hctx, NULL); if (verbose > 0) { - fprintf(stderr, "results = \"%s\"\n", results); syslog(LOG_DEBUG, "%s", results); } if (cm_submit_h_result_code(hctx) != 0) { 
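Review bot: In `xml_workflow` the `requestId` read from the saved state is formatted straight into the request parameters with `talloc_asprintf(ctx, "requestId=%s", q)`, while `template`, `serial` and the CSR all pass through `cm_submit_u_url_encode()` first. A state value containing `&` or `=` would add or override parameters sent to the CA, so the id should be encoded, or validated against the format the CA issues, before use, e.g. `q_enc = cm_submit_u_url_encode(q);` followed by `params = talloc_asprintf(ctx, "requestId=%s", q_enc);`. In the `op_submit` branch the results of `cm_submit_u_url_encode()` and `talloc_asprintf()` are also passed on without a NULL check. The function body continues beyond this hunk, so later uses of `params` are not covered here.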
@@ -800,56 +475,50 @@ main(int argc, const char **argv) cm_submit_h_result_code(hctx), lasturl); } - talloc_free(ctx); return CM_SUBMIT_STATUS_UNREACHABLE; } if (results == NULL) { printf(_("Internal error: no response to \"%s?%s\".\n"), lasturl, lastparams); - talloc_free(ctx); return CM_SUBMIT_STATUS_REJECTED; } switch (op) { case op_none: printf(_("Internal error: unknown state.\n")); - talloc_free(ctx); return CM_SUBMIT_STATUS_UNCONFIGURED; break; case op_submit: ret = cm_submit_d_submit_eval(ctx, results, lasturl, - can_agent, &p, &q); + can_agent, &p, &q, 1); if (p != NULL) { fprintf(stdout, "%s", p); } if (q != NULL) { fprintf(stderr, "%s", q); } - talloc_free(ctx); return ret; break; case op_check: ret = cm_submit_d_check_eval(ctx, results, lasturl, - can_agent, &p, &q); + can_agent, &p, &q, 0); if (p != NULL) { fprintf(stdout, "%s", p); } if (q != NULL) { fprintf(stderr, "%s", q); } - talloc_free(ctx); return ret; break; case op_approve: if (url2 == NULL) { ret = cm_submit_d_approve_eval(ctx, results, lasturl, - can_agent, &p, &q); + can_agent, &p, &q, 1); if (p != NULL) { fprintf(stdout, "%s", p); } if (q != NULL) { fprintf(stderr, "%s", q); } - talloc_free(ctx); return ret; } else { ret = cm_submit_d_review_eval(ctx, results, lasturl, 
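Review bot: The new trailing argument to the `cm_submit_d_*_eval()` calls is a bare `1` everywhere except `cm_submit_d_check_eval()`, which gets `0`, and nothing in the hunk says what it selects or why the check step differs. A named constant or an inline comment at each call, such as `/* xml response */ 1` if that is indeed what the flag means, would keep the two workflows from being mixed up. Every `talloc_free(ctx)` on the return paths is also removed, so the function now relies on its caller to release `ctx`. A comment at the top of `xml_workflow` like `/* ctx is borrowed; the caller frees it */` would make that contract explicit. The function starts before this hunk, and the `cm_submit_d_review_eval()` call is cut by the hunk boundary, so whether it received the new argument is not visible.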
@@ -860,35 +529,790 @@ main(int argc, const char **argv) if (q != NULL) { fprintf(stderr, "%s", q); } - talloc_free(ctx); return ret; } break; case op_retrieve: ret = cm_submit_d_fetch_eval(ctx, results, lasturl, - can_agent, &p, &q); + can_agent, &p, &q, 1); if (p != NULL) { fprintf(stdout, "%s", p); } if (q != NULL) { fprintf(stderr, "%s", q); } - talloc_free(ctx); return ret; break; case op_profiles: - ret = cm_submit_d_profiles_eval(ctx, results, lasturl, - can_agent, &p, &q); + ret = cm_submit_d_profiles_eval(ctx, results, + &p, &q, 1); if (p != NULL) { fprintf(stdout, "%s", p); } if (q != NULL) { fprintf(stderr, "%s", q); } - talloc_free(ctx); return ret; break; } - talloc_free(ctx); return CM_SUBMIT_STATUS_UNCONFIGURED; } + +static int +ipa_workflow( + void *ctx, + poptContext pctx, + enum op_type op, + char *savedstate, + const char *url, + const char *host, + const char *template, + __attribute__ ((unused)) struct options *aoptions, + __attribute__ ((unused)) size_t num_aoptions, + const char *uid, + const char *udn, + const char *pwd, + const char *pin, + const char *cainfo, const char *capath, + dbus_bool_t can_agent, + int verbose +) +{ + struct cm_submit_h_context *hctx; + char *p, *q; + const char *csrfile = NULL; + char *csr = NULL; + char *request_id = NULL; + json_t *json_req = NULL; + json_error_t j_error; + char *json_str = NULL; + char *referer = NULL; + const char *results = NULL; + json_t *j_root = NULL; + json_t *j_result_outer = NULL; + json_t *j_result = NULL; + int i; + int rval = CM_SUBMIT_STATUS_UNCONFIGURED; + char *error_message = NULL; + const char *reqprinc = NULL; + + reqprinc = talloc_asprintf(ctx, "host/%s", host); + + /* Figure out where we are in the multi-step process. 
*/ + if ((savedstate != NULL) && + ((p = statevar(savedstate, "state")) != NULL) && + ((q = statevar(savedstate, "requestId")) != NULL)) { + if (strcmp(p, "check") == 0) { + op = op_check; + } + if ((strcmp(p, "review") == 0) || + (strcmp(p, "approve") == 0)) { + op = op_approve; + } + if ((strcmp(p, "fetch") == 0) || + (strcmp(p, "retrieve") == 0)) { + op = op_retrieve; + } + request_id = talloc_strdup(ctx, q); + free(p); + free(q); + } + + /* Figure out which form and arguments to use. */ + switch (op) { + case op_none: + printf(_("Internal error: unknown state.\n")); + return CM_SUBMIT_STATUS_UNCONFIGURED; + break; + case op_submit: + /* FIXME: need PKI to add support for submit options */ + + /* Fresh enrollment. Read the CSR from the + * environment, or from the command-line, that we're + * going to submit for signing. */ + csrfile = poptGetArg(pctx); + if (csrfile != NULL) { + csr = cm_submit_u_from_file(csrfile); + } else { + csr = getenv(CM_SUBMIT_CSR_ENV); + if (csr != NULL) { + csr = strdup(csr); + } + } + if ((csr == NULL) || (strlen(csr) == 0)) { + if (csrfile != NULL) { + printf(_("Unable to read signing request from file \"%s\".\n"), + csrfile); + } else { + printf(_("Unable to read signing request from environment variable \"%s\".\n"), + CM_SUBMIT_CSR_ENV); + } + poptPrintUsage(pctx, stdout, 0); + free(csr); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + /* Change the CSR from the format we get it in to the one the + * server expects. IPA just wants base64-encoded binary data, + * no whitepace. 
*/ + p = strstr(csr, "-----BEGIN"); + if (p != NULL) { + p += strcspn(p, "\n"); + if (*p == '\n') { + p++; + } + memmove(csr, p, strlen(p) + 1); + } + p = strstr(csr, "\n-----END"); + if (p != NULL) { + *p = '\0'; + } + while ((p = strchr(csr, '\r')) != NULL) { + memmove(p, p + 1, strlen(p)); + } + while ((p = strchr(csr, '\n')) != NULL) { + memmove(p, p + 1, strlen(p)); + } + + /* The soptions are not supported by the IPA API */ + if ((uid != NULL) || (udn != NULL) || (pwd != NULL) || (pin != NULL)) { + printf(_( + "Specifying uid, udn, pwd and pin are not supported with -J\n") + ); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + + json_req = json_pack_ex(&j_error, 0, + "{s:s, s:[[s], {s:s, s:s}]}", + "method", "cert_request", + "params", + csr, + "principal", reqprinc, + "profile_id", template); + break; + case op_check: + /* Check if the certificate has been issued or rejected. */ + json_req = json_pack_ex(&j_error, 0, + "{s:s, s:[[s],{}]}", + "method", "cert_status", + "params", + request_id); + break; + case op_approve: + /* FIXME: need PKI to add support for approval options + * Then we need to grab the original profile and do replacements. + * This probably needs to happen within IPA which means we'd need + * a mechanism to pass the options in. + * + * HINT: See cm_submit_d_xml_defaults. This might have to + */ + json_req = json_pack_ex(&j_error, 0, + "{s:s, s:[[s],{}]}", + "method", "cert_approve", + "params", + request_id); + break; + case op_retrieve: + /* Retrieving the new certificate. 
*/ + json_req = json_pack_ex(&j_error, 0, + "{s:s, s:[[s],{}]}", + "method", "cert_show", + "params", + request_id); + break; + case op_profiles: + json_req = json_pack_ex(&j_error, 0, + "{s:s, s:[[],{}]}", + "method", "certprofile_find", + "params"); + break; + } + free(csr); + + referer = talloc_asprintf(ctx, "%s", url); + + /* Generate the request */ + if (!json_req) { + cm_log(0, "%d json_pack_ex() failed: %s\n", op, j_error.text); + fprintf(stderr, "%d json_pack_ex() failed: %s\n", op, j_error.text); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + json_str = json_dumps(json_req, 0); + + if (verbose) { + fprintf(stderr, "Submitting request %s\n", json_str); + } + /* Submit the request */ + hctx = cm_submit_h_init(ctx, "POST", url, json_str, + "application/json", "application/json", referer, + cainfo, capath, + NULL, NULL, NULL, + cm_submit_h_negotiate_on, + cm_submit_h_delegate_off, + cm_submit_h_clientauth_off, + cm_submit_h_env_modify_off, + verbose > 1 ? + cm_submit_h_curl_verbose_on : + cm_submit_h_curl_verbose_off); + + if (hctx == NULL) { + fprintf(stderr, "Error setting up JSON-RPC to %s on " + "the client.\n", url); + printf(_("Error setting up for JSON-RPC on the client.\n")); + rval = CM_SUBMIT_STATUS_UNCONFIGURED; + goto cleanup; + } + + cm_submit_h_run(hctx); + if (verbose > 0) { + fprintf(stderr, "code = %d\n", cm_submit_h_result_code(hctx)); + fprintf(stderr, "code_text = \"%s\"\n", cm_submit_h_result_code_text(hctx)); + syslog(LOG_DEBUG, "%s\n", json_str); + } + + free(json_str); + if (json_req) + json_decref(json_req); + + results = cm_submit_h_results(hctx, NULL); + if (verbose > 0) { + syslog(LOG_DEBUG, "%s", results); + } + if (cm_submit_h_response_code(hctx) != 200) { + cm_log(0, "JSON-RPC call failed with HTTP status code: %d\n", + cm_submit_h_response_code(hctx)); + cm_log(0, "code = %d, code_text = \"%s\"\n", + cm_submit_h_result_code(hctx), cm_submit_h_result_code_text(hctx)); + rval = CM_SUBMIT_STATUS_UNREACHABLE; + goto cleanup; + } + i 
= parse_json_result(results, &error_message); + if (i < 0) { + rval = CM_SUBMIT_STATUS_UNREACHABLE; + goto cleanup; + } + if (i > 0) { + /* Interpret the error. See IPA errors.py to get the + * classifications */ + switch (i / 1000) { + case 2: /* authorization error - permanent */ + case 3: /* invocation error - permanent */ + printf("Server at %s denied our request, " + "giving up: %d (%s).\n", url, i, + error_message); + rval = CM_SUBMIT_STATUS_REJECTED; + goto cleanup; + break; + case 1: /* authentication error - transient? */ + case 4: /* execution error - transient? */ + case 5: /* generic error - transient? */ + default: + printf("Server at %s failed request, " + "will retry: %d (%s).\n", url, i, + error_message); + rval = CM_SUBMIT_STATUS_UNREACHABLE; + goto cleanup; + break; + } + } + + j_root = json_loads(results, 0, &j_error); + if (!j_root) { + cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text); + rval = CM_SUBMIT_STATUS_UNREACHABLE; + goto cleanup; + } + j_result_outer = json_object_get(j_root, "result"); + if (!j_result_outer) { + cm_log(0, "Parsing JSON-RPC response failed, no outer result\n"); + rval = CM_SUBMIT_STATUS_UNREACHABLE; + goto cleanup; + } + + j_result = json_object_get(j_result_outer, "result"); + if (!j_result) { + cm_log(0, "Parsing JSON-RPC response failed, no inner result\n"); + rval = CM_SUBMIT_STATUS_UNREACHABLE; + goto cleanup; + } + + switch (op) { + case op_submit: + rval = cm_submit_d_submit_eval(ctx, results, NULL, + can_agent, &p, &q, 0); + if (p != NULL) { + fprintf(stdout, "%s", p); + } + if (q != NULL) { + fprintf(stderr, "%s", q); + } + break; + case op_check: + rval = cm_submit_d_check_eval(ctx, results, NULL, + can_agent, &p, &q, 0); + if (p != NULL) { + fprintf(stdout, "%s", p); + } + if (q != NULL) { + fprintf(stderr, "%s", q); + } + break; + case op_retrieve: + rval = cm_submit_d_fetch_eval(ctx, results, NULL, + can_agent, &p, &q, 0); + if (p != NULL) { + fprintf(stdout, "%s", p); + } + if (q != NULL) 
{ + fprintf(stderr, "%s", q); + } + break; + case op_approve: + rval = cm_submit_d_approve_eval(ctx, results, NULL, + can_agent, &p, &q, 0); + if (p != NULL) { + fprintf(stdout, "%s", p); + } + if (q != NULL) { + fprintf(stderr, "%s", q); + } + break; + case op_profiles: + rval = cm_submit_d_profiles_eval(ctx, results, NULL, + can_agent, &p, &q, 0); + + if (p != NULL) { + fprintf(stdout, "%s", p); + } + if (q != NULL) { + fprintf(stderr, "%s", q); + } + break; + default: + break; + } + +cleanup: + cm_submit_h_cleanup(hctx); + + return rval; +} + +int +main(int argc, const char **argv) +{ + const char *eeurl = NULL, *agenturl = NULL; + const char *jsonrpc_url = NULL; + const char *ssldir = NULL, *cainfo = NULL, *capath = NULL; + const char *sslcert = NULL, *sslkey = NULL; + const char *sslpin = NULL, *sslpinfile = NULL; + const char *serial = NULL, *template = NULL; + const char *uid = NULL, *pwd = NULL, *pwdfile = NULL; + const char *udn = NULL, *pin = NULL, *pinfile = NULL; + char *savedstate = NULL; + char *poptarg; + struct options *aoptions = NULL, *soptions = NULL; + size_t num_aoptions = 0, num_soptions = 0; + int c, verbose = 0, force_new = 0, force_renew = 0, i; + const char *host = NULL; +#ifdef DOGTAG_IPA_RENEW_AGENT + const char *dogtag_version = NULL; + int eeport, agentport; +#endif + enum op_type op = op_submit; + dbus_bool_t can_agent, use_agent_approval = FALSE, missing_args = FALSE; + dbus_bool_t use_agent_submission = FALSE; + NSSInitContext *nctx; + char *p, *tmp; + const char *es; + void *ctx; + const char *mode = CM_OP_SUBMIT; + poptContext pctx; + int rval; + + const struct poptOption popts[] = { + {"ee-url", 'E', POPT_ARG_STRING, &eeurl, 0, "end-entity services location", "URL"}, + {"agent-url", 'A', POPT_ARG_STRING, &agenturl, 0, "agent services location", "URL"}, + {"jsonrpc-url", 'J', POPT_ARG_STRING, &jsonrpc_url, 'J', "IPA JSON-RPC service location", "URL"}, + {"cafile", 'i', POPT_ARG_STRING, &cainfo, 0, NULL, "FILENAME"}, + {"capath", 
'C', POPT_ARG_STRING, &capath, 0, NULL, "DIRECTORY"}, + {"dbdir", 'd', POPT_ARG_STRING, &ssldir, 0, "database containing agent or client creds", "DIRECTORY"}, + {"nickname", 'n', POPT_ARG_STRING, &sslcert, 0, "nickname of agent or client creds", "NAME"}, + {"certfile", 'c', POPT_ARG_STRING, &sslcert, 0, "agent or client certificate", "FILENAME"}, + {"keyfile", 'k', POPT_ARG_STRING, &sslkey, 0, "agent or client key", "FILENAME"}, + {"sslpinfile", 'p', POPT_ARG_STRING, &sslpinfile, 0, "agent or client key pinfile", "FILENAME"}, + {"sslpin", 'P', POPT_ARG_STRING, &sslpin, 0, "agent or client key pin", NULL}, + {"hex-serial", 's', POPT_ARG_STRING, NULL, 's', "request renewal for certificate by serial number (hexadecimal)", "NUMBER"}, + {"serial", 'D', POPT_ARG_STRING, &serial, 'D', "request renewal for certificate by serial number", "NUMBER"}, + {"submit-option", 'o', POPT_ARG_STRING, NULL, 'o', "key-value pair to send to server", NULL}, + {"approval-option", 'O', POPT_ARG_STRING, NULL, 'O', "key-value pair to set in certificate", NULL}, + {"profile", 'T', POPT_ARG_STRING, &template, 0, "enrollment profile", "NAME"}, + {"profile-list", 't', POPT_ARG_NONE, NULL, 't', "list enrollment profiles", NULL}, + {"state", 'S', POPT_ARG_STRING, &savedstate, 0, "previously-provided state data", "STATE-VALUE"}, +#ifdef DOGTAG_IPA_RENEW_AGENT + {"dogtag-version", 'V', POPT_ARG_STRING, &dogtag_version, 'V', NULL, "NUMBER"}, +#endif + {"force-new", 'N', POPT_ARG_NONE, NULL, 'N', "prefer to obtain a new certificate", NULL}, + {"force-renew", 'R', POPT_ARG_NONE, NULL, 'R', "prefer to renew a certificate", NULL}, + {"agent-submit", 'a', POPT_ARG_NONE, NULL, 'a', "submit enrollment or renewal request using agent or client creds", NULL}, + {"uid", 'u', POPT_ARG_STRING, &uid, 0, "submit enrollment or renewal request using user name", "USERNAME"}, + {"udn", 'U', POPT_ARG_STRING, &udn, 0, "submit enrollment or renewal request using user DN", "USERDN"}, + {"userpwd", 'W', POPT_ARG_STRING, 
&pwd, 0, "submit password with enrollment or renewal request", NULL}, + {"userpwdfile", 'w', POPT_ARG_STRING, &pwdfile, 0, "submit password from file with enrollment or renewal request", "FILENAME"}, + {"userpin", 'Y', POPT_ARG_STRING, &pin, 0, "submit pin with enrollment or renewal request", NULL}, + {"userpinfile", 'y', POPT_ARG_STRING, &pinfile, 0, "submit pin from file with enrollment or renewal request", "FILENAME"}, + {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, + POPT_AUTOHELP + POPT_TABLEEND + }; + + if (getenv(CM_SUBMIT_OPERATION_ENV) != NULL) { + mode = getenv(CM_SUBMIT_OPERATION_ENV); + } + if ((strcasecmp(mode, CM_OP_SUBMIT) == 0) || + (strcasecmp(mode, CM_OP_POLL) == 0)) { + /* fall through */ + } else + if (strcasecmp(mode, CM_OP_FETCH_PROFILES) == 0) { + op = op_profiles; + } else + if (strcasecmp(mode, CM_OP_IDENTIFY) == 0) { +#ifdef DOGTAG_IPA_RENEW_AGENT + printf("Dogtag (IPA,renew,agent) (%s %s)\n", PACKAGE_NAME, + PACKAGE_VERSION); +#else + printf("Dogtag (%s %s)\n", PACKAGE_NAME, PACKAGE_VERSION); +#endif + return 0; + } else { + /* unsupported request */ + return CM_SUBMIT_STATUS_OPERATION_NOT_SUPPORTED; + } + +#ifdef ENABLE_NLS + bindtextdomain(PACKAGE, MYLOCALEDIR); +#endif + + savedstate = getenv(CM_SUBMIT_COOKIE_ENV); + + pctx = poptGetContext(argv[0], argc, argv, popts, 0); + if (pctx == NULL) { + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + poptSetOtherOptionHelp(pctx, "[options] -E EE-URL -A AGENT-URL [csrfile]"); + while ((c = poptGetNextOpt(pctx)) > 0) { + switch (c) { + case 's': + serial = util_dec_from_hex(poptGetOptArg(pctx)); + break; + case 'O': + poptarg = poptGetOptArg(pctx); + if (strchr(poptarg, '=') == NULL) { + printf(_("Profile params (-O) must be in the form of param=value.\n")); + poptPrintUsage(pctx, stdout, 0); + free(soptions); + free(aoptions); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + aoptions = realloc(aoptions, + ++num_aoptions * sizeof(*aoptions)); + if (aoptions == NULL) { + printf(_("Out of 
memory.\n")); + free(soptions); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + p = strdup(poptarg); + if (p == NULL) { + printf(_("Out of memory.\n")); + free(aoptions); + free(soptions); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + i = strcspn(p, "="); + aoptions[num_aoptions - 1].name = p; + p[i] = '\0'; + aoptions[num_aoptions - 1].value = p + i + 1; + break; + case 'o': + poptarg = poptGetOptArg(pctx); + if (strchr(poptarg, '=') == NULL) { + printf(_("Submit params (-o) must be in the form of param=value.\n")); + poptPrintUsage(pctx, stdout, 0); + free(soptions); + free(aoptions); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + soptions = realloc(soptions, + ++num_soptions * sizeof(*soptions)); + if (soptions == NULL) { + printf(_("Out of memory.\n")); + free(aoptions); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + p = strdup(poptarg); + if (p == NULL) { + printf(_("Out of memory.\n")); + free(soptions); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + i = strcspn(p, "="); + soptions[num_soptions - 1].name = p; + p[i] = '\0'; + soptions[num_soptions - 1].value = p + i + 1; + break; + case 't': + op = op_profiles; + break; + case 'v': + verbose++; + break; +#ifdef DOGTAG_IPA_RENEW_AGENT + case 'V': + dogtag_version = poptGetOptArg(pctx); + break; +#endif + case 'N': + force_new++; + force_renew = 0; + break; + case 'R': + force_renew++; + force_new = 0; + break; + case 'a': + use_agent_submission = TRUE; + break; + } + } + if (c != -1) { + poptPrintUsage(pctx, stdout, 0); + free(soptions); + free(aoptions); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + + umask(S_IRWXG | S_IRWXO); + if (isatty(STDERR_FILENO)) + cm_log_set_method(cm_log_stderr); + else + cm_log_set_method(cm_log_syslog); + cm_log_set_level(verbose); + + nctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION, + NULL, NULL, NULL, NULL, + NSS_INIT_NOCERTDB | + NSS_INIT_READONLY | + NSS_INIT_NOROOTINIT); + if (nctx == NULL) { + cm_log(1, "Unable to initialize NSS.\n"); + _exit(1); + } + es = 
util_n_fips_hook(); + if (es != NULL) { + cm_log(1, "Error putting NSS into FIPS mode: %s\n", es); + _exit(1); + } + + ctx = talloc_new(NULL); + +#ifdef DOGTAG_IPA_RENEW_AGENT + cm_dogtag_ipa_hostver(&host, &dogtag_version); + if (host == NULL) { + printf(_("Host must be set in /etc/ipa/default.conf.\n")); + missing_args = TRUE; + } + if (jsonrpc_url == NULL) { + if ((dogtag_version != NULL) && (atof(dogtag_version) >= 10)) { + eeport = 8080; + agentport = 8443; + } else { + eeport = 9180; + agentport = 9443; + } + if ((eeurl == NULL) && (jsonrpc_url == NULL)) { + cm_log(0, "jsonrpc_url is NULL\n"); + eeurl = cm_prefs_dogtag_ee_url(); + if ((eeurl == NULL) && (host != NULL)) { + eeurl = talloc_asprintf(ctx, + "http://%s:%d/ca/ee/ca", + host, eeport); + } + } + if ((agenturl == NULL) && (jsonrpc_url == NULL)) { + cm_log(0, "jsonrpc_url is NULL\n"); + agenturl = cm_prefs_dogtag_agent_url(); + if ((agenturl == NULL) && (host != NULL)) { + agenturl = talloc_asprintf(ctx, + "https://%s:%d/ca/agent/ca", + host, agentport); + } + } + } +#else + char tmphostname[255]; + int r; + + r = gethostname(tmphostname, 255 - 1); + if (r != 0) { + printf(_("gethostname() failed.\n")); + missing_args = TRUE; + } + host = talloc_strdup(ctx, tmphostname); +#endif + + if (template == NULL) { + template = getenv(CM_SUBMIT_PROFILE_ENV); + if (template == NULL) { + template = cm_prefs_dogtag_profile(); + if (template == NULL) { + /* Maybe we should ask the server for which + * profiles it supports, but for now we just + * assume that this one hasn't been removed. 
*/ + template = "caServerCert"; + } + } + } + if (serial == NULL) { + tmp = getenv(CM_SUBMIT_CERTIFICATE_ENV); + if (tmp != NULL) { + if (cm_prefs_dogtag_renew()) { + serial = serial_hex_from_cert(tmp); + if (serial != NULL) { + serial = util_dec_from_hex(serial); + } + } + } + } + if (!force_new && serial && jsonrpc_url) { + printf(_("Renew-by-serial is not supported over JSON-RPC.\n")); + missing_args = TRUE; + } + if (cainfo == NULL) { + cainfo = cm_prefs_dogtag_ca_info(); + } + if (capath == NULL) { + capath = cm_prefs_dogtag_ca_path(); + } + if (ssldir == NULL) { + ssldir = cm_prefs_dogtag_ssldir(); + } + if (sslcert == NULL) { + sslcert = cm_prefs_dogtag_sslcert(); + } + if (sslkey == NULL) { + sslkey = cm_prefs_dogtag_sslkey(); + } + if ((sslpinfile == NULL) && (sslpin == NULL)) { + sslpinfile = cm_prefs_dogtag_sslpinfile(); + } +#ifdef DOGTAG_IPA_RENEW_AGENT + if ((cainfo == NULL) && + (capath == NULL)) { + cainfo = "/etc/ipa/ca.crt"; + } + + if ((((ssldir == NULL) && + (sslcert == NULL)) || + ((sslkey == NULL) && + (sslcert == NULL)))) { + printf(_("NSS database and nickname or certfile and keyfile " + "must be provided.\n")); + missing_args = TRUE; + } +#endif + if ((sslcert != NULL) && (strlen(sslcert) > 0)) { + can_agent = TRUE; + } else { + can_agent = FALSE; + } + if (use_agent_approval && !can_agent) { + printf(_("No agent credentials specified, and no " + "default known.\n")); + missing_args = TRUE; + } + if (use_agent_submission && !can_agent) { + printf(_("No agent credentials specified, and no " + "default known.\n")); + missing_args = TRUE; + } + if (force_renew && (serial == NULL)) { + printf(_("Requested renewal, but no serial number provided.\n")); + missing_args = TRUE; + } + if ((eeurl == NULL) && (jsonrpc_url == NULL)) { + printf(_("No end-entity URL (-E) given, and no default known.\n")); + missing_args = TRUE; + } +#ifdef DOGTAG_IPA_RENEW_AGENT + if (agenturl == NULL && jsonrpc_url == NULL) { + printf(_("No agent URL (-A) given, and no 
default known.\n")); + missing_args = TRUE; + } +#endif + if (template == NULL) { + printf(_("No profile/template (-T) given, and no default known.\n")); + missing_args = TRUE; + } + if ((aoptions != NULL) && (jsonrpc_url == NULL)) { + if (agenturl == NULL) { + printf(_("No agent URL (-A) given, and no default " + "known.\n")); + missing_args = TRUE; + } + if (!can_agent) { + printf(_("No agent credentials specified, and no " + "default known.\n")); + missing_args = TRUE; + } + } + if (missing_args) { + poptPrintUsage(pctx, stdout, 0); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + if (NSS_ShutdownContext(nctx) != SECSuccess) { + printf(_("Error shutting down NSS.\n")); + return CM_SUBMIT_STATUS_UNREACHABLE; + } + + /* Read the client password and/or PIN, if we need to. */ + if ((pwdfile != NULL) && (pwd == NULL)) { + pwd = cm_submit_u_from_file(pwdfile); + if (pwd != NULL) { + pwd = talloc_strndup(ctx, pwd, + strcspn(pwd, "\r\n")); + } + } + if ((pinfile != NULL) && (pin == NULL)) { + pin = cm_submit_u_from_file(pinfile); + if (pin != NULL) { + pin = talloc_strndup(ctx, pin, + strcspn(pin, "\r\n")); + } + } + if (eeurl || agenturl) { + rval = xml_workflow(ctx, pctx, op, savedstate, eeurl, agenturl, + use_agent_submission, serial, + template, force_new, + aoptions, soptions, num_aoptions, num_soptions, + uid, udn, pwd, pin, use_agent_approval, + sslcert, sslkey, sslpin, sslpinfile, ssldir, + cainfo, capath, can_agent, verbose + ); + } else if (jsonrpc_url) { + rval = ipa_workflow(ctx, pctx, op, savedstate, jsonrpc_url, + host, + template, + aoptions, num_aoptions, + uid, udn, pwd, pin, + cainfo, capath, can_agent, verbose + ); + } else { + printf(_("None of eeurl, agenturl or jsonrpc_url are set.\n")); + rval = CM_SUBMIT_STATUS_UNCONFIGURED; + } + + poptFreeContext(pctx); + talloc_free(ctx); + + fprintf(stderr, "Returning %d\n", rval); + return rval; +} diff --git a/src/ipa.c b/src/ipa.c index 83b4399..59d44a1 100644 --- a/src/ipa.c +++ b/src/ipa.c 
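Review bot: In the non-`DOGTAG_IPA_RENEW_AGENT` branch of `main`, `tmphostname` has no initializer and `talloc_strdup(ctx, tmphostname)` runs even when `gethostname(tmphostname, 255 - 1)` failed, so the copy can read uninitialized or unterminated stack bytes; POSIX does not guarantee a terminator when the name is truncated. That string becomes `host` and then the `host/%s` principal that `ipa_workflow` places in the `cert_request` call, so declare `char tmphostname[255] = {0};` and call `talloc_strdup` only when `r == 0`. Separately, the `op_profiles` case at the top of this hunk now calls `cm_submit_d_profiles_eval(ctx, results, &p, &q, 1)` with five arguments, while the definition in src/submit-d.c later in this patch keeps `url` and `can_agent` and `ipa_workflow` passes seven; it looks like it should be `(ctx, results, lasturl, can_agent, &p, &q, 1)`. That first call sits in a function that starts outside the hunk.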
@@ -47,6 +47,7 @@ #include "submit-u.h" #include "submit-h.h" #include "util.h" +#include "util-ipa.h" #ifdef ENABLE_NLS #include 
@@ -55,233 +56,6 @@ #define _(_text) (_text) #endif -static char * -get_error_message(krb5_context ctx, krb5_error_code kcode) -{ - const char *ret; -#ifdef HAVE_KRB5_GET_ERROR_MESSAGE - const char *kret; - kret = ctx ? krb5_get_error_message(ctx, kcode) : NULL; - if (kret == NULL) { - ret = error_message(kcode); - } else { - ret = strdup(kret); - krb5_free_error_message(ctx, kret); - } - return ret; -#else - ret = error_message(kcode); - return strdup(ret); -#endif -} - -char * -cm_submit_ccache_realm(char **msg) -{ - krb5_context ctx; - krb5_ccache ccache; - krb5_principal princ; - krb5_error_code kret; - krb5_data *data; - char *ret; - - if (msg != NULL) { - *msg = NULL; - } - - kret = krb5_init_context(&ctx); - if (kret != 0) { - fprintf(stderr, "Error initializing Kerberos: %s.\n", - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return NULL; - } - kret = krb5_cc_default(ctx, &ccache); - if (kret != 0) { - fprintf(stderr, "Error resolving default ccache: %s.\n", - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return NULL; - } - kret = krb5_cc_get_principal(ctx, ccache, &princ); - if (kret != 0) { - fprintf(stderr, "Error reading default principal: %s.\n", - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return NULL; - } - data = krb5_princ_realm(ctx, princ); - if (data == NULL) { - fprintf(stderr, "Error retrieving principal realm.\n"); - if (msg != NULL) { - *msg = strdup("Error retrieving principal realm.\n"); - } - return NULL; - } - ret = malloc(data->length + 1); - if (ret == NULL) { - fprintf(stderr, "Out of memory for principal realm.\n"); - if (msg != NULL) { - *msg = strdup("Out of memory for principal realm.\n"); - } - return NULL; - } - memcpy(ret, data->data, data->length); - ret[data->length] = '\0'; - return ret; -} - -krb5_error_code -cm_submit_make_ccache(const char *ktname, const 
char *principal, char **msg) -{ - krb5_context ctx; - krb5_keytab keytab; - krb5_ccache ccache; - krb5_creds creds; - krb5_principal princ; - krb5_error_code kret; - krb5_get_init_creds_opt gicopts, *gicoptsp; - char *ret; - - if (msg != NULL) { - *msg = NULL; - } - - kret = krb5_init_context(&ctx); - if (kret != 0) { - ret = get_error_message(ctx, kret); - fprintf(stderr, "Error initializing Kerberos: %s.\n", ret); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return kret; - } - if (ktname != NULL) { - kret = krb5_kt_resolve(ctx, ktname, &keytab); - } else { - kret = krb5_kt_default(ctx, &keytab); - } - if (kret != 0) { - fprintf(stderr, "Error resolving keytab: %s.\n", - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return kret; - } - princ = NULL; - if (principal != NULL) { - kret = krb5_parse_name(ctx, principal, &princ); - if (kret != 0) { - fprintf(stderr, "Error parsing \"%s\": %s.\n", - principal, ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return kret; - } - } else { - kret = krb5_sname_to_principal(ctx, NULL, NULL, - KRB5_NT_SRV_HST, &princ); - if (kret != 0) { - fprintf(stderr, "Error building client name: %s.\n", - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return kret; - } - } - memset(&creds, 0, sizeof(creds)); -#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC - memset(&gicopts, 0, sizeof(gicopts)); - gicoptsp = NULL; - kret = krb5_get_init_creds_opt_alloc(ctx, &gicoptsp); - if (kret != 0) { - fprintf(stderr, "Internal error: %s.\n", - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return kret; - } -#else - krb5_get_init_creds_opt_init(&gicopts); - gicoptsp = &gicopts; -#endif - krb5_get_init_creds_opt_set_forwardable(gicoptsp, 1); - kret = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, - 0, NULL, gicoptsp); 
-#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC - krb5_get_init_creds_opt_free(ctx, gicoptsp); -#endif - if (kret != 0) { - fprintf(stderr, "Error obtaining initial credentials: %s.\n", - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return kret; - } - ccache = NULL; - kret = krb5_cc_resolve(ctx, "MEMORY:" PACKAGE_NAME "_submit", - &ccache); - if (kret == 0) { - kret = krb5_cc_initialize(ctx, ccache, creds.client); - } - if (kret != 0) { - fprintf(stderr, "Error initializing credential cache: %s.\n", - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return kret; - } - kret = krb5_cc_store_cred(ctx, ccache, &creds); - if (kret != 0) { - fprintf(stderr, - "Error storing creds in credential cache: %s.\n", - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; - } else { - free(ret); - } - return kret; - } - krb5_cc_close(ctx, ccache); - krb5_kt_close(ctx, keytab); - krb5_free_principal(ctx, princ); - krb5_free_context(ctx); - putenv("KRB5CCNAME=MEMORY:" PACKAGE_NAME "_submit"); - return 0; -} static int interact(LDAP *ld, unsigned flags, void *defaults, void *sasl_interact) 
@@ -585,50 +359,6 @@ done: return rval; } -/* - * Parse the JSON response from the IPA server. - * - * It will return one of three types of values: - * - * < 0 is failure to parse JSON output - * 0 is success, no errors were found - * > 0 is the IPA API error code - */ -static int -parse_json_result(const char *result, char **error_message) { - json_error_t j_error; - - json_t *j_root = NULL; - json_t *j_error_obj = NULL; - - int error_code = 0; - char * message = NULL; - - j_root = json_loads(result, 0, &j_error); - if (!j_root) { - cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text); - return -1; - } - - j_error_obj = json_object_get(j_root, "error"); - if (!j_error_obj || json_is_null(j_error_obj)) { - json_decref(j_root); - return 0; // no errors - } - - if (json_unpack_ex(j_error_obj, &j_error, 0, "{s:i, s:s}", - "code", &error_code, - "message", &message) != 0) { - cm_log(0, "Failed extracting error from JSON-RPC response: %s\n", j_error.text); - json_decref(j_root); - return -1; - } - - cm_log(0, "JSON-RPC error: %d: %s\n", error_code, message); - *error_message = strdup(message); - json_decref(j_root); - return error_code; -} /* Make an XML-RPC request to the "cert_request" method. */ static int diff --git a/src/submit-d.c b/src/submit-d.c index f1877c3..ce7acf7 100644 --- a/src/submit-d.c +++ b/src/submit-d.c @@ -33,6 +33,8 @@ #include #include +#include + #include #include "submit-d.h" 
@@ -614,15 +616,21 @@ cm_submit_d_profiles_result(void *parent, const char *xml, enum cm_external_status cm_submit_d_submit_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err) + dbus_bool_t can_agent, char **out, char **err, int is_xml) { char *error = NULL, *error_code = NULL, *error_reason = NULL; char *status = NULL, *requestId = NULL, *cert = NULL; *out = NULL; *err = NULL; - cm_submit_d_submit_result(parent, xml, - &error_code, &error_reason, &error, - &status, &requestId, &cert); + if (is_xml) { + cm_submit_d_submit_result(parent, xml, + &error_code, &error_reason, &error, + &status, &requestId, &cert); + } else { + cm_submit_d_rest_submit_result(parent, xml, + &error_code, &error_reason, + &status, &requestId, &cert); + } if ((status != NULL) && (strcmp(status, "0") == 0) && (cert != NULL)) { *out = talloc_asprintf(parent, "%s\n", trim(parent, cert)); 
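Review bot: The parameter is still named `xml` although with `is_xml == 0` it now carries a JSON-RPC response, and the new `int is_xml` flag is undocumented; the same applies to the check, approve, fetch and profiles eval functions changed later in this file. A one-line comment above each function would help, e.g. `/* is_xml: non-zero parses the response as Dogtag XML, zero as IPA JSON-RPC. */`, and call sites would read better with named constants than a bare `0` or `1`. The function body continues outside the hunk.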
@@ -661,21 +669,29 @@ cm_submit_d_submit_eval(void *parent, const char *xml, const char *url, enum cm_external_status cm_submit_d_check_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err) + dbus_bool_t can_agent, char **out, char **err, int is_xml) { char *error = NULL, *error_code = NULL, *error_reason = NULL; char *status = NULL, *requestId = NULL; *out = NULL; *err = NULL; - cm_submit_d_check_result(parent, xml, - &error_code, &error_reason, &error, - &status, &requestId); + if (is_xml) { + cm_submit_d_check_result(parent, xml, + &error_code, &error_reason, &error, + &status, &requestId); + } else { + cm_submit_d_rest_check_result(parent, xml, + &error_code, &error_reason, + &status, &requestId); + } if ((status != NULL) && (strcmp(status, "complete") == 0) && (requestId != NULL)) { + char *encoded = cm_submit_u_url_encode(requestId); *out = talloc_asprintf(parent, "0\nstate=retrieve&requestId=%s\n", - cm_submit_u_url_encode(requestId)); + encoded); + free(encoded); return CM_SUBMIT_STATUS_WAIT_WITH_DELAY; } if ((status != NULL) && @@ -784,15 +800,21 @@ cm_submit_d_review_eval(void *parent, const char *xml, const char *url, enum cm_external_status cm_submit_d_approve_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err) + dbus_bool_t can_agent, char **out, char **err, int is_xml) { char *error = NULL, *error_code = NULL, *error_reason = NULL; char *status = NULL, *requestId = NULL; *out = NULL; *err = NULL; - cm_submit_d_approve_result(parent, xml, - &error_code, &error_reason, &error, - &status, &requestId); + if (is_xml) { + cm_submit_d_approve_result(parent, xml, + &error_code, &error_reason, &error, + &status, &requestId); + } else { + cm_submit_d_rest_approve_result(parent, xml, + &error_code, &error_reason, &status, + &requestId); + } if ((status != NULL) && (strcmp(status, "complete") == 0) && (requestId != NULL)) { *out = talloc_asprintf(parent, 
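Review bot: In `cm_submit_d_check_eval`, `encoded` goes straight into `talloc_asprintf` with `%s`; if `cm_submit_u_url_encode` can return NULL (its definition is not in this hunk), formatting it is undefined behaviour and the saved state would carry a bogus request id. Since `requestId` is taken from the server response, I would guard it before building the state string: `if (encoded == NULL) { return CM_SUBMIT_STATUS_UNREACHABLE; }`. The approve hunk on this same line builds a similar state string whose `talloc_asprintf` arguments fall outside the hunk, so it is worth checking whether it still calls `cm_submit_u_url_encode` inline and leaks the result. Both function bodies continue outside their hunks.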
@@ -819,15 +841,21 @@ cm_submit_d_approve_eval(void *parent, const char *xml, const char *url, enum cm_external_status cm_submit_d_fetch_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err) + dbus_bool_t can_agent, char **out, char **err, int is_xml) { char *error = NULL, *error_code = NULL, *error_reason = NULL; char *status = NULL, *requestId = NULL, *cert = NULL; *out = NULL; *err = NULL; - cm_submit_d_fetch_result(parent, xml, - &error_code, &error_reason, &error, - &status, &requestId, &cert); + if (is_xml) { + cm_submit_d_fetch_result(parent, xml, + &error_code, &error_reason, &error, + &status, &requestId, &cert); + } else { + cm_submit_d_rest_fetch_result(parent, xml, + &error_code, &error_reason, + &status, &cert); + } if (cert != NULL) { *out = talloc_asprintf(parent, "%s\n", trim(parent, cert)); return CM_SUBMIT_STATUS_ISSUED; @@ -851,7 +879,8 @@ cm_submit_d_fetch_eval(void *parent, const char *xml, const char *url, enum cm_external_status cm_submit_d_profiles_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err) + dbus_bool_t can_agent, char **out, char **err, + int is_xml) { char *error_code = NULL, *error_reason = NULL, *status = NULL; char **profiles = NULL; @@ -859,8 +888,13 @@ cm_submit_d_profiles_eval(void *parent, const char *xml, const char *url, *out = NULL; *err = NULL; - cm_submit_d_profiles_result(parent, xml, &error_code, &error_reason, - err, &status, &profiles); + if (is_xml) { + cm_submit_d_profiles_result(parent, xml, &error_code, &error_reason, + err, &status, &profiles); + } else { + cm_submit_d_rest_profiles_result(parent, xml, &error_code, + &error_reason, &profiles); + } if (profiles != NULL) { for (i = 0; profiles[i] != NULL; i++) { if (*out != NULL) { 
@@ -874,6 +908,356 @@ cm_submit_d_profiles_eval(void *parent, const char *xml, const char *url, return CM_SUBMIT_STATUS_REJECTED; } +/* Return the result object. + * + * If the result is NULL then *error_reason and *error_code will + * have values. + * + * The caller is responsible for initializing and decref of j_root. + * + * Returns the result object on success, NULL on failure. + */ +static json_t * +cm_submit_d_parse_json(void *parent, json_t *j_root, + char **error_code, char **error_reason) +{ + json_t *j_result_outer = NULL; + json_t *j_result = NULL; + + json_t *j_error_obj = NULL; + + j_error_obj = json_object_get(j_root, "error"); + if (!(json_is_null(j_error_obj))) { + json_t *j_code; + json_t *j_message; + + j_code = json_object_get(j_error_obj, "code"); + j_message = json_object_get(j_error_obj, "message"); + *error_reason = talloc_strdup(parent, json_string_value(j_message)); + *error_code = talloc_asprintf(parent, "%lld", json_integer_value(j_code)); + return NULL; + } else { + *error_code = talloc_strdup(parent, "0"); + *error_reason = ""; + } + + j_result_outer = json_object_get(j_root, "result"); + if (!j_result_outer) { + *error_reason = talloc_strdup(parent, + "Parsing JSON-RPC response failed, no outer result\n"); + *error_code = talloc_strdup(parent, "1"); + return NULL; + } + + j_result = json_object_get(j_result_outer, "result"); + if (!j_result) { + *error_reason = talloc_strdup(parent, + "Parsing JSON-RPC response failed, no outer result\n"); + *error_code = talloc_strdup(parent, "1"); + return NULL; + } + + return j_result; +} + +/***************** + * IPA REST API Implementation + */ +int +cm_submit_d_rest_profiles_result(void *parent, const char *result, + char **error_code, char **error_reason, + char ***profiles) +{ + char **ret = NULL; + + json_error_t j_error; + json_t *j_root = NULL; + json_t *j_result = NULL; + size_t i; + int rval = CM_SUBMIT_STATUS_REJECTED; + + j_root = json_loads(result, 0, &j_error); + if (!j_root) { + 
*error_reason = talloc_asprintf(parent, "cm_submit_d_rest_profiles: Failed to parse JSON string. line %d error %s\n", j_error.line, j_error.text); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + j_result = cm_submit_d_parse_json(parent, j_root, *&error_code, *&error_reason); + if (!j_result) { + goto done; + } + + ret = talloc_zero_array(parent, char *, json_array_size(j_result) + 1); + for (i=0; i < json_array_size(j_result); i++) { + json_t *j_item; + char *dn, *description; + int ipacertprofilestoreissued = 0; + json_t *j_cn, *single;; + + j_item = json_array_get(j_result, i); + json_unpack(j_item, "{s:o,s:s,s:s,s:b}", + "cn", &j_cn, + "description", &description, + "dn", &dn, + "ipacertprofilestoreissued", &ipacertprofilestoreissued + ); + single = json_array_get(j_cn, 0); + + ret[i] = talloc_strdup(parent, json_string_value(single)); + ret[i+1] = NULL; + } + *profiles = ret; + rval = CM_SUBMIT_STATUS_ISSUED; + +done: + json_decref(j_root); + return rval; +} + +int +cm_submit_d_rest_submit_result(void *parent, const char *result, + char **error_code, char **error_reason, + char **status, char **requestId, char **cert) +{ + /* + * "result": { + * "cacn": "ipa", + * "cert_request_status": "pending", + * "request_id": "309294138780295967028732800397256117914" + * }, + * "summary": null, + * "value": "309294138780295967028732800397256117914" + * } + */ + + json_error_t j_error; + json_t *j_root = NULL; + json_t *j_result = NULL; + json_t *j_request_id = NULL; + json_t *j_status = NULL; + json_t *j_cert = NULL; + const char *certstatus = NULL; + + j_root = json_loads(result, 0, &j_error); + if (!j_root) { + *error_reason = talloc_asprintf(parent, "cm_submit_d_rest_profiles: Failed to parse JSON string. 
line %d error %s\n", j_error.line, j_error.text); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + j_result = cm_submit_d_parse_json(parent, j_root, *&error_code, *&error_reason); + if (!j_result) { + goto done; + } + + j_request_id = json_object_get(j_result, "request_id"); + if (!j_request_id) { + *error_reason = talloc_strdup(parent, "No request_id found in result"); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + j_status = json_object_get(j_result, "cert_request_status"); + if (!j_status) { + *error_reason = talloc_strdup(parent, "No cert_request_status found in result"); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + j_cert = json_object_get(j_result, "certificate"); + if (!(json_is_null(j_cert))) { + char *tmp; + *cert = (char *)json_string_value(j_cert); + if (*cert != NULL) { + tmp = cm_submit_u_pem_from_base64("CERTIFICATE", 0, *cert); + *cert = talloc_strdup(parent, tmp); + free(tmp); + } + } + *requestId = talloc_strdup(parent, json_string_value(j_request_id)); + + // translate the text status into the numeric status certmonger wants + certstatus = talloc_strdup(parent, json_string_value(j_status)); + if (strcmp(certstatus, "complete") == 0) { + *status = talloc_strdup(parent, "0"); + } else if (strcmp(certstatus, "error") == 0) { + *status = talloc_strdup(parent, "1"); + } else if (strcmp(certstatus, "pending") == 0) { + *status = talloc_strdup(parent, "2"); + } else if (strcmp(certstatus, "rejected") == 0) { + *status = talloc_strdup(parent, "3"); + } +done: + json_decref(j_root); + return 0; +} + +int +cm_submit_d_rest_check_result(void *parent, const char *result, + char **error_code, char **error_reason, + char **status, char **requestId) +{ + /* "result": { + * "cert_request_status": "pending", + * "request_id": "73577173089892679894729695106669289136" + * }, + * "summary": null, + * "value": "73577173089892679894729695106669289136" + * }, + */ + json_error_t j_error; + json_t *j_root = NULL; + json_t 
*j_result = NULL; + json_t *j_request_id = NULL; + json_t *j_serial_number = NULL; + json_t *j_status = NULL; + + j_root = json_loads(result, 0, &j_error); + if (!j_root) { + *error_reason = talloc_asprintf(parent, "cm_submit_d_rest_profiles: Failed to parse JSON string. line %d error %s\n", j_error.line, j_error.text); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + j_result = cm_submit_d_parse_json(parent, j_root, *&error_code, *&error_reason); + if (!j_result) { + goto done; + } + + j_request_id = json_object_get(j_result, "request_id"); + if (!j_request_id) { + *error_reason = talloc_strdup(parent, "No request_id found in result"); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + j_status = json_object_get(j_result, "cert_request_status"); + if (!j_status) { + *error_reason = talloc_strdup(parent, "No cert_request_status found in result"); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + *status = talloc_strdup(parent, json_string_value(j_status)); + + if (strcmp(*status, "complete") == 0) { + j_serial_number = NULL; + + j_serial_number = json_object_get(j_result, "serial_number"); + if (!j_status) { + *error_reason = talloc_strdup(parent, "No serial_number found in result"); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + *requestId = talloc_strdup(parent, json_string_value(j_serial_number)); + } else { + *requestId = talloc_strdup(parent, json_string_value(j_request_id)); + } + +done: + json_decref(j_root); + return 0; +} + +int +cm_submit_d_rest_fetch_result(void *parent, const char *result, + char **error_code, char **error_reason, + char **status, char **cert) +{ + json_error_t j_error; + json_t *j_result = NULL; + json_t *j_root = NULL; + json_t *j_cert = NULL; + char *s, *p; + const char *certificate = NULL; + + j_root = json_loads(result, 0, &j_error); + if (!j_root) { + *error_reason = talloc_asprintf(parent, "cm_submit_d_rest_profiles: Failed to parse JSON string. 
line %d error %s\n", j_error.line, j_error.text); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + j_result = cm_submit_d_parse_json(parent, j_root, *&error_code, *&error_reason); + if (!j_result) { + goto done; + } + + j_cert = json_object_get(j_result, "certificate"); + if (!j_cert) { + *error_reason = talloc_strdup(parent, "No certificate found in result"); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + certificate = json_string_value(j_cert); + s = cm_submit_u_base64_from_text(certificate); + if (s == NULL) { + *error_reason = talloc_strdup(parent, "Out of memory parsing certificate"); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + p = cm_submit_u_pem_from_base64("CERTIFICATE", FALSE, s); + *cert = talloc_strdup(parent, p); + *status = talloc_strdup(parent, "complete"); + + /* We can't return the status so we can guess on complete but nothing + * else. A bogus ID can be passed in so we can't assume pending. */ + free(s); + free(p); + +done: + json_decref(j_root); + return 0; +} + +int +cm_submit_d_rest_approve_result(void *parent, const char *result, + char **error_code, char **error_reason, + char **status, char **requestId) +{ + json_error_t j_error; + json_t *j_result = NULL; + json_t *j_root = NULL; + json_t *j_status = NULL; + json_t *j_request_id = NULL; + json_t *j_serial = NULL; + + j_root = json_loads(result, 0, &j_error); + if (!j_root) { + *error_reason = talloc_asprintf(parent, "cm_submit_d_rest_profiles: Failed to parse JSON string. 
line %d error %s\n", j_error.line, j_error.text); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + j_result = cm_submit_d_parse_json(parent, j_root, *&error_code, *&error_reason); + if (!j_result) { + goto done; + } + j_request_id = json_object_get(j_result, "request_id"); + if (!j_request_id) { + *error_reason = talloc_strdup(parent, "Parsing JSON-RPC response failed, no request_id\n"); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + j_status = json_object_get(j_result, "cert_request_status"); + if (!j_status) { + *error_reason = talloc_strdup(parent, "Parsing JSON-RPC response failed, no cert_request_status\n"); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + *status = talloc_strdup(parent, json_string_value(j_status)); + + if ((*status != NULL) && + (strcmp(*status, "complete") == 0)) + { + j_serial = json_object_get(j_result, "serial_number"); + if (!j_serial) { + *error_reason = talloc_strdup(parent, "Parsing JSON-RPC response failed, no serial_number\n"); + *error_code = talloc_strdup(parent, "1"); + goto done; + } + *requestId = talloc_strdup(parent, json_string_value(j_serial)); + } else { + *requestId = talloc_strdup(parent, json_string_value(j_request_id)); + } + +done: + json_decref(j_root); + return 0; +} + #ifdef CM_SUBMIT_D_MAIN int main(int argc, const char **argv) diff --git a/src/submit-d.h b/src/submit-d.h index 912cca1..3084739 100644 --- a/src/submit-d.h +++ b/src/submit-d.h 
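Review bot: In `cm_submit_d_rest_check_result()` the `serial_number` lookup is followed by `if (!j_status)`, which tests the wrong variable, so a "complete" reply without a serial number is never reported and `*requestId` is set from a NULL string; the test should be `if (!j_serial_number)`. Several of the new parsers also trust the shape of the server reply more than they should: the check and submit parsers call `strcmp()` on `*status` / `certstatus` without a NULL check although `json_string_value()` returns NULL for a non-string, the profiles parser ignores the result of `json_unpack()` and then reads `j_cn`, which is uninitialized if unpacking failed, and `cm_submit_d_parse_json()` treats a reply with no `error` member as an error because `json_is_null()` is false for a NULL pointer. The approve parser already guards `*status != NULL` and `parse_json_result()` in util-ipa.c already tests `!j_error_obj || json_is_null(j_error_obj)`; the sketch below applies the same checks to the other functions.

```c
/* cm_submit_d_parse_json(): a missing "error" member is not an error */
j_error_obj = json_object_get(j_root, "error");
if ((j_error_obj != NULL) && !json_is_null(j_error_obj)) {
	/* … unchanged: copy code and message into *error_code / *error_reason … */

/* cm_submit_d_rest_profiles_result(): reject entries that do not unpack */
if (json_unpack(j_item, "{s:o,s:s,s:s,s:b}",
		"cn", &j_cn,
		"description", &description,
		"dn", &dn,
		"ipacertprofilestoreissued", &ipacertprofilestoreissued) != 0) {
	*error_reason = talloc_strdup(parent, "Unexpected profile entry in result");
	*error_code = talloc_strdup(parent, "1");
	goto done;
}

/* cm_submit_d_rest_check_result(): the status must be a string */
*status = talloc_strdup(parent, json_string_value(j_status));
if (*status == NULL) {
	*error_reason = talloc_strdup(parent, "cert_request_status is not a string");
	*error_code = talloc_strdup(parent, "1");
	goto done;
}
if (strcmp(*status, "complete") == 0) {
	j_serial_number = json_object_get(j_result, "serial_number");
	if (!j_serial_number) {
		/* … unchanged: report the missing serial_number and goto done … */
```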
@@ -66,11 +66,11 @@ int cm_submit_d_profiles_result(void *parent, const char *xml, enum cm_external_status cm_submit_d_submit_eval(void *parent, const char *xml, const char *url, dbus_bool_t can_agent, - char **out, char **err); + char **out, char **err, int is_xml); enum cm_external_status cm_submit_d_check_eval(void *parent, const char *xml, const char *url, dbus_bool_t can_agent, - char **out, char **err); + char **out, char **err, int is_xml); enum cm_external_status cm_submit_d_reject_eval(void *parent, const char *xml, const char *url, dbus_bool_t can_agent, @@ -82,15 +82,32 @@ enum cm_external_status cm_submit_d_review_eval(void *parent, const char *xml, enum cm_external_status cm_submit_d_approve_eval(void *parent, const char *xml, const char *url, dbus_bool_t can_agent, - char **out, char **err); + char **out, char **err, int is_xml); enum cm_external_status cm_submit_d_fetch_eval(void *parent, const char *xml, const char *url, dbus_bool_t can_agent, - char **out, char **err); + char **out, char **err, int is_xml); enum cm_external_status cm_submit_d_profiles_eval(void *parent, const char *xml, const char *url, dbus_bool_t can_agent, - char **out, char **err); + char **out, char **err, int is_xml); + +int cm_submit_d_rest_profiles_result(void *parent, const char *result, + char **error_code, char **error_reason, + char ***profiles); +int cm_submit_d_rest_submit_result(void *parent, const char *result, + char **error_code, char **error_reason, + char **status, char **requestId, char **cert); +int cm_submit_d_rest_check_result(void *parent, const char *xml, + char **error_code, char **error_reason, + char **status, char **requestId); +int cm_submit_d_rest_fetch_result(void *parent, const char *result, + char **error_code, char **error_reason, + char **status, char **cert); +int cm_submit_d_rest_approve_result(void *parent, const char *result, + char **error_code, char **error_reason, + char **status, char **requestId); + struct dogtag_default { enum { 
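Review bot: The five `cm_submit_d_rest_*_result()` prototypes are added without any comment on their contract, and the contract is not uniform: in submit-d.c the profiles parser returns `CM_SUBMIT_STATUS_REJECTED` or `CM_SUBMIT_STATUS_ISSUED`, while the other four always return 0. I would add a short block comment above them saying that `result` is the raw JSON-RPC reply, that the output strings are talloc-allocated on `parent`, and that failure is reported through `*error_code`/`*error_reason` rather than the return value. The check variant also names its input `xml` where the definition and the other four prototypes use `result`; `const char *result` would keep them aligned.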
diff --git a/src/util-ipa.c b/src/util-ipa.c new file mode 100644 index 0000000..af15454 --- /dev/null +++ b/src/util-ipa.c 
@@ -0,0 +1,329 @@ +/* + * Copyright (C) 2024 Red Hat, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include "config.h" + +#include +#include +#include +#include +#ifdef HAVE_INTTYPES_H +#include +#endif +#include +#include +#include +#include +#include +#include + +#include + +#include + +#include +#include + +#include + +#include "log.h" +#include "srvloc.h" +#include "store.h" +#include "submit-e.h" +#include "submit-u.h" +#include "submit-h.h" +#include "util.h" + +#ifdef ENABLE_NLS +#include +#define _(_text) dgettext(PACKAGE, _text) +#else +#define _(_text) (_text) +#endif + +const char * +get_error_message(krb5_context ctx, krb5_error_code kcode) +{ + const char *ret; +#ifdef HAVE_KRB5_GET_ERROR_MESSAGE + const char *kret; + kret = ctx ? 
krb5_get_error_message(ctx, kcode) : NULL; + if (kret == NULL) { + ret = error_message(kcode); + } else { + ret = strdup(kret); + krb5_free_error_message(ctx, kret); + } + return ret; +#else + ret = error_message(kcode); + return strdup(ret); +#endif +} + +char * +cm_submit_ccache_realm(char **msg) +{ + krb5_context ctx; + krb5_ccache ccache; + krb5_principal princ; + krb5_error_code kret; + krb5_data *data; + char *ret; + + if (msg != NULL) { + *msg = NULL; + } + + kret = krb5_init_context(&ctx); + if (kret != 0) { + fprintf(stderr, "Error initializing Kerberos: %s.\n", + ret = (char *)get_error_message(ctx, kret)); + if (msg != NULL) { + *msg = (char *)ret; + } else { + free(ret); + } + return NULL; + } + kret = krb5_cc_default(ctx, &ccache); + if (kret != 0) { + fprintf(stderr, "Error resolving default ccache: %s.\n", + ret = (char *)get_error_message(ctx, kret)); + if (msg != NULL) { + *msg = ret; + } else { + free(ret); + } + return NULL; + } + kret = krb5_cc_get_principal(ctx, ccache, &princ); + if (kret != 0) { + fprintf(stderr, "Error reading default principal: %s.\n", + ret = (char *)get_error_message(ctx, kret)); + if (msg != NULL) { + *msg = ret; + } else { + free(ret); + } + return NULL; + } + data = krb5_princ_realm(ctx, princ); + if (data == NULL) { + fprintf(stderr, "Error retrieving principal realm.\n"); + if (msg != NULL) { + *msg = strdup("Error retrieving principal realm.\n"); + } + return NULL; + } + ret = malloc(data->length + 1); + if (ret == NULL) { + fprintf(stderr, "Out of memory for principal realm.\n"); + if (msg != NULL) { + *msg = strdup("Out of memory for principal realm.\n"); + } + return NULL; + } + memcpy(ret, data->data, data->length); + ret[data->length] = '\0'; + return ret; +} + +krb5_error_code +cm_submit_make_ccache(const char *ktname, const char *principal, char **msg) +{ + krb5_context ctx; + krb5_keytab keytab; + krb5_ccache ccache; + krb5_creds creds; + krb5_principal princ; + krb5_error_code kret; + 
krb5_get_init_creds_opt gicopts, *gicoptsp; + char *ret; + + if (msg != NULL) { + *msg = NULL; + } + + kret = krb5_init_context(&ctx); + if (kret != 0) { + ret = (char *)get_error_message(ctx, kret); + fprintf(stderr, "Error initializing Kerberos: %s.\n", ret); + if (msg != NULL) { + *msg = ret; + } else { + free(ret); + } + return kret; + } + if (ktname != NULL) { + kret = krb5_kt_resolve(ctx, ktname, &keytab); + } else { + kret = krb5_kt_default(ctx, &keytab); + } + if (kret != 0) { + fprintf(stderr, "Error resolving keytab: %s.\n", + ret = (char *)get_error_message(ctx, kret)); + if (msg != NULL) { + *msg = ret; + } else { + free(ret); + } + return kret; + } + princ = NULL; + if (principal != NULL) { + kret = krb5_parse_name(ctx, principal, &princ); + if (kret != 0) { + fprintf(stderr, "Error parsing \"%s\": %s.\n", + principal, ret = (char *)get_error_message(ctx, kret)); + if (msg != NULL) { + *msg = ret; + } else { + free(ret); + } + return kret; + } + } else { + kret = krb5_sname_to_principal(ctx, NULL, NULL, + KRB5_NT_SRV_HST, &princ); + if (kret != 0) { + fprintf(stderr, "Error building client name: %s.\n", + ret = (char *)get_error_message(ctx, kret)); + if (msg != NULL) { + *msg = ret; + } else { + free(ret); + } + return kret; + } + } + memset(&creds, 0, sizeof(creds)); +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC + memset(&gicopts, 0, sizeof(gicopts)); + gicoptsp = NULL; + kret = krb5_get_init_creds_opt_alloc(ctx, &gicoptsp); + if (kret != 0) { + fprintf(stderr, "Internal error: %s.\n", + ret = (char *)get_error_message(ctx, kret)); + if (msg != NULL) { + *msg = ret; + } else { + free(ret); + } + return kret; + } +#else + krb5_get_init_creds_opt_init(&gicopts); + gicoptsp = &gicopts; +#endif + krb5_get_init_creds_opt_set_forwardable(gicoptsp, 1); + kret = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, + 0, NULL, gicoptsp); +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC + krb5_get_init_creds_opt_free(ctx, gicoptsp); +#endif + if (kret != 0) { + 
fprintf(stderr, "Error obtaining initial credentials: %s.\n", + ret = (char *)get_error_message(ctx, kret)); + if (msg != NULL) { + *msg = ret; + } else { + free(ret); + } + return kret; + } + ccache = NULL; + kret = krb5_cc_resolve(ctx, "MEMORY:" PACKAGE_NAME "_submit", + &ccache); + if (kret == 0) { + kret = krb5_cc_initialize(ctx, ccache, creds.client); + } + if (kret != 0) { + fprintf(stderr, "Error initializing credential cache: %s.\n", + ret = (char *)get_error_message(ctx, kret)); + if (msg != NULL) { + *msg = ret; + } else { + free(ret); + } + return kret; + } + kret = krb5_cc_store_cred(ctx, ccache, &creds); + if (kret != 0) { + fprintf(stderr, + "Error storing creds in credential cache: %s.\n", + ret = (char *)get_error_message(ctx, kret)); + if (msg != NULL) { + *msg = ret; + } else { + free(ret); + } + return kret; + } + krb5_cc_close(ctx, ccache); + krb5_kt_close(ctx, keytab); + krb5_free_principal(ctx, princ); + krb5_free_context(ctx); + putenv("KRB5CCNAME=MEMORY:" PACKAGE_NAME "_submit"); + return 0; +} + +/* + * Parse the JSON response from the IPA server. 
+ * + * It will return one of three types of values: + * + * < 0 is failure to parse JSON output + * 0 is success, no errors were found + * > 0 is the IPA API error code + */ +int +parse_json_result(const char *result, char **error_message) { + json_error_t j_error; + + json_t *j_root = NULL; + json_t *j_error_obj = NULL; + + int error_code = 0; + char * message = NULL; + + j_root = json_loads(result, 0, &j_error); + if (!j_root) { + cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text); + return -1; + } + + j_error_obj = json_object_get(j_root, "error"); + if (!j_error_obj || json_is_null(j_error_obj)) { + json_decref(j_root); + return 0; // no errors + } + + if (json_unpack_ex(j_error_obj, &j_error, 0, "{s:i, s:s}", + "code", &error_code, + "message", &message) != 0) { + cm_log(0, "Failed extracting error from JSON-RPC response: %s\n", j_error.text); + json_decref(j_root); + return -1; + } + + cm_log(0, "JSON-RPC error: %d: %s\n", error_code, message); + *error_message = strdup(message); + json_decref(j_root); + return error_code; +} diff --git a/src/util-ipa.h b/src/util-ipa.h new file mode 100644 index 0000000..47063a4 --- /dev/null +++ b/src/util-ipa.h 
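Review bot: `get_error_message()` returns two kinds of pointer: in the `HAVE_KRB5_GET_ERROR_MESSAGE` branch, when `kret` is NULL, it returns `error_message(kcode)` as is, while every other path returns a `strdup()` copy, yet each caller in this file either stores the result in `*msg` or calls `free(ret)`. The fallback should copy as well, `ret = strdup(error_message(kcode));`, and the function should return `char *` so the casts at the call sites can go. util-ipa.c also never includes util-ipa.h, so the `const char *` definition is not checked against the `char *` prototype declared there. Separately, `cm_submit_ccache_realm()` returns without releasing `princ`, `ccache` or `ctx`, and the early returns in `cm_submit_make_ccache()` skip the `krb5_cc_close`/`krb5_kt_close`/`krb5_free_*` calls made on the success path; a single `goto` cleanup label in each function would cover both.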
@@ -0,0 +1,28 @@ +/* + * Copyright (C) 2024 Red Hat, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#ifndef util_ipa_h +#define util_ipa_h + +#include +#include + +char * get_error_message(krb5_context ctx, krb5_error_code kcode); +char * cm_submit_ccache_realm(char **msg); +krb5_error_code cm_submit_make_ccache(const char *ktname, const char *principal, char **msg); +int parse_json_result(const char *result, char **error_message); +#endif From e1637da7484a97131ce37140aca6ef2e1402f590 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Sep 05 2025 12:44:22 +0000 Subject: [PATCH 2/7] Add tests for the expanded dogtag requests through IPA API This extends the current 019-dparse tests to include IPA json output validation. Fixes: https://pagure.io/certmonger/issue/284 Signed-off-by: Rob Crittenden --- diff --git a/tests/019-dparse/bad.checkRequest.nosuch b/tests/019-dparse/bad.checkRequest.nosuch deleted file mode 100644 index 0005a18..0000000 --- a/tests/019-dparse/bad.checkRequest.nosuch +++ /dev/null @@ -1 +0,0 @@ -
Certificate ManagerRequest ID 29 was not found in the request queue.7 diff --git a/tests/019-dparse/bad.checkRequest.nosuch.json b/tests/019-dparse/bad.checkRequest.nosuch.json new file mode 100644 index 0000000..e136573 --- /dev/null +++ b/tests/019-dparse/bad.checkRequest.nosuch.json @@ -0,0 +1,14 @@ +{ + "error": { + "code": 4001, + "data": { + "reason": "Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x270f not found (404)" + }, + "message": "Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x270f not found (404)", + "name": "NotFound" + }, + "id": 0, + "principal": "admin@EXAMPLE.TEST", + "result": null, + "version": "4.13.0.dev202411011518+git7fa527164" +} diff --git a/tests/019-dparse/bad.checkRequest.nosuch.xml b/tests/019-dparse/bad.checkRequest.nosuch.xml new file mode 100644 index 0000000..0005a18 --- /dev/null +++ b/tests/019-dparse/bad.checkRequest.nosuch.xml @@ -0,0 +1 @@ +
Certificate ManagerRequest ID 29 was not found in the request queue.7 diff --git a/tests/019-dparse/bad.displayCertFromRequest.incomplete b/tests/019-dparse/bad.displayCertFromRequest.incomplete deleted file mode 100644 index eeb1893..0000000 --- a/tests/019-dparse/bad.displayCertFromRequest.incomplete +++ /dev/null @@ -1 +0,0 @@ -
Certificate ManagerRequest ID 14 was not completed.7 diff --git a/tests/019-dparse/bad.displayCertFromRequest.incomplete.xml b/tests/019-dparse/bad.displayCertFromRequest.incomplete.xml new file mode 100644 index 0000000..eeb1893 --- /dev/null +++ b/tests/019-dparse/bad.displayCertFromRequest.incomplete.xml @@ -0,0 +1 @@ +
Certificate ManagerRequest ID 14 was not completed.7 diff --git a/tests/019-dparse/bad.displayCertFromRequest.no-such-request b/tests/019-dparse/bad.displayCertFromRequest.no-such-request deleted file mode 100644 index 19c1367..0000000 --- a/tests/019-dparse/bad.displayCertFromRequest.no-such-request +++ /dev/null @@ -1 +0,0 @@ -
Certificate ManagerRequest ID 19 was not found in the request queue.7 diff --git a/tests/019-dparse/bad.displayCertFromRequest.no-such-request.json b/tests/019-dparse/bad.displayCertFromRequest.no-such-request.json new file mode 100644 index 0000000..e136573 --- /dev/null +++ b/tests/019-dparse/bad.displayCertFromRequest.no-such-request.json @@ -0,0 +1,14 @@ +{ + "error": { + "code": 4001, + "data": { + "reason": "Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x270f not found (404)" + }, + "message": "Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x270f not found (404)", + "name": "NotFound" + }, + "id": 0, + "principal": "admin@EXAMPLE.TEST", + "result": null, + "version": "4.13.0.dev202411011518+git7fa527164" +} diff --git a/tests/019-dparse/bad.displayCertFromRequest.no-such-request.xml b/tests/019-dparse/bad.displayCertFromRequest.no-such-request.xml new file mode 100644 index 0000000..19c1367 --- /dev/null +++ b/tests/019-dparse/bad.displayCertFromRequest.no-such-request.xml @@ -0,0 +1 @@ +
Certificate ManagerRequest ID 19 was not found in the request queue.7 diff --git a/tests/019-dparse/bad.displayCertFromRequest.rejected b/tests/019-dparse/bad.displayCertFromRequest.rejected deleted file mode 100644 index a4ee970..0000000 --- a/tests/019-dparse/bad.displayCertFromRequest.rejected +++ /dev/null @@ -1 +0,0 @@ -
Certificate ManagerRequest ID 17 was not completed.7 diff --git a/tests/019-dparse/bad.displayCertFromRequest.rejected.xml b/tests/019-dparse/bad.displayCertFromRequest.rejected.xml new file mode 100644 index 0000000..a4ee970 --- /dev/null +++ b/tests/019-dparse/bad.displayCertFromRequest.rejected.xml @@ -0,0 +1 @@ +
Certificate ManagerRequest ID 17 was not completed.7 diff --git a/tests/019-dparse/bad.profileProcess.bad-property b/tests/019-dparse/bad.profileProcess.bad-property deleted file mode 100644 index ac0a32b..0000000 --- a/tests/019-dparse/bad.profileProcess.bad-property +++ /dev/null @@ -1,27 +0,0 @@ - - - - -Property Error - Invalid Property notBefore - - -renewal - - -caServerCert - - -17 - - -1 - - -pending - - -approve - - - - diff --git a/tests/019-dparse/bad.profileProcess.bad-property.xml b/tests/019-dparse/bad.profileProcess.bad-property.xml new file mode 100644 index 0000000..ac0a32b --- /dev/null +++ b/tests/019-dparse/bad.profileProcess.bad-property.xml @@ -0,0 +1,27 @@ + + + + +Property Error - Invalid Property notBefore + + +renewal + + +caServerCert + + +17 + + +1 + + +pending + + +approve + + + + diff --git a/tests/019-dparse/bad.profileProcess.no-agent-cert b/tests/019-dparse/bad.profileProcess.no-agent-cert deleted file mode 100644 index 5652aa5..0000000 --- a/tests/019-dparse/bad.profileProcess.no-agent-cert +++ /dev/null @@ -1,2 +0,0 @@ -Error 58. -Problem with the local SSL certificate diff --git a/tests/019-dparse/bad.profileProcess.no-agent-cert.xml b/tests/019-dparse/bad.profileProcess.no-agent-cert.xml new file mode 100644 index 0000000..5652aa5 --- /dev/null +++ b/tests/019-dparse/bad.profileProcess.no-agent-cert.xml @@ -0,0 +1,2 @@ +Error 58. +Problem with the local SSL certificate diff --git a/tests/019-dparse/bad.profileProcess.no-ca-cert b/tests/019-dparse/bad.profileProcess.no-ca-cert deleted file mode 100644 index 09477c5..0000000 --- a/tests/019-dparse/bad.profileProcess.no-ca-cert +++ /dev/null @@ -1,2 +0,0 @@ -Error 60. -Peer certificate cannot be authenticated with given CA certificates diff --git a/tests/019-dparse/bad.profileProcess.no-ca-cert.xml b/tests/019-dparse/bad.profileProcess.no-ca-cert.xml new file mode 100644 index 0000000..09477c5 --- /dev/null +++ b/tests/019-dparse/bad.profileProcess.no-ca-cert.xml 
@@ -0,0 +1,2 @@ +Error 60. +Peer certificate cannot be authenticated with given CA certificates diff --git a/tests/019-dparse/bad.profileProcess.no-property b/tests/019-dparse/bad.profileProcess.no-property deleted file mode 100644 index ac0a32b..0000000 --- a/tests/019-dparse/bad.profileProcess.no-property +++ /dev/null @@ -1,27 +0,0 @@ - - - - -Property Error - Invalid Property notBefore - - -renewal - - -caServerCert - - -17 - - -1 - - -pending - - -approve - - - - diff --git a/tests/019-dparse/bad.profileProcess.no-property.xml b/tests/019-dparse/bad.profileProcess.no-property.xml new file mode 100644 index 0000000..ac0a32b --- /dev/null +++ b/tests/019-dparse/bad.profileProcess.no-property.xml @@ -0,0 +1,27 @@ + + + + +Property Error - Invalid Property notBefore + + +renewal + + +caServerCert + + +17 + + +1 + + +pending + + +approve + + + + diff --git a/tests/019-dparse/bad.profileProcess.not-pending b/tests/019-dparse/bad.profileProcess.not-pending deleted file mode 100644 index ae92bdf..0000000 --- a/tests/019-dparse/bad.profileProcess.not-pending +++ /dev/null @@ -1,15 +0,0 @@ - - - - -Request Not In Pending State - - -17 - - -1 - - - - diff --git a/tests/019-dparse/bad.profileProcess.not-pending.xml b/tests/019-dparse/bad.profileProcess.not-pending.xml new file mode 100644 index 0000000..ae92bdf --- /dev/null +++ b/tests/019-dparse/bad.profileProcess.not-pending.xml @@ -0,0 +1,15 @@ + + + + +Request Not In Pending State + + +17 + + +1 + + + + diff --git a/tests/019-dparse/bad.profileReview.no-such-request b/tests/019-dparse/bad.profileReview.no-such-request deleted file mode 100644 index 8c5b114..0000000 --- a/tests/019-dparse/bad.profileReview.no-such-request +++ /dev/null @@ -1,12 +0,0 @@ - - - - -Request 0 Not Found - - -1 - - - - diff --git a/tests/019-dparse/bad.profileReview.no-such-request.xml b/tests/019-dparse/bad.profileReview.no-such-request.xml new file mode 100644 index 0000000..8c5b114 --- /dev/null 
+++ b/tests/019-dparse/bad.profileReview.no-such-request.xml @@ -0,0 +1,12 @@ + + + + +Request 0 Not Found + + +1 + + + + diff --git a/tests/019-dparse/bad.profileReview.unauthorized-cert b/tests/019-dparse/bad.profileReview.unauthorized-cert deleted file mode 100644 index 24eca55..0000000 --- a/tests/019-dparse/bad.profileReview.unauthorized-cert +++ /dev/null @@ -1,12 +0,0 @@ - - - - -Authentication Error - - -1 - - - - diff --git a/tests/019-dparse/bad.profileReview.unauthorized-cert.xml b/tests/019-dparse/bad.profileReview.unauthorized-cert.xml new file mode 100644 index 0000000..24eca55 --- /dev/null +++ b/tests/019-dparse/bad.profileReview.unauthorized-cert.xml @@ -0,0 +1,12 @@ + + + + +Authentication Error + + +1 + + + + diff --git a/tests/019-dparse/bad.profileReview.wrong-nssdb b/tests/019-dparse/bad.profileReview.wrong-nssdb deleted file mode 100644 index 5652aa5..0000000 --- a/tests/019-dparse/bad.profileReview.wrong-nssdb +++ /dev/null @@ -1,2 +0,0 @@ -Error 58. -Problem with the local SSL certificate diff --git a/tests/019-dparse/bad.profileReview.wrong-nssdb.xml b/tests/019-dparse/bad.profileReview.wrong-nssdb.xml new file mode 100644 index 0000000..5652aa5 --- /dev/null +++ b/tests/019-dparse/bad.profileReview.wrong-nssdb.xml @@ -0,0 +1,2 @@ +Error 58. +Problem with the local SSL certificate diff --git a/tests/019-dparse/bad.profileSubmit.csr.empty b/tests/019-dparse/bad.profileSubmit.csr.empty deleted file mode 100644 index 25c9bb0..0000000 --- a/tests/019-dparse/bad.profileSubmit.csr.empty +++ /dev/null @@ -1 +0,0 @@ -1Invalid Request diff --git a/tests/019-dparse/bad.profileSubmit.csr.empty.json b/tests/019-dparse/bad.profileSubmit.csr.empty.json new file mode 100644 index 0000000..363797e --- /dev/null +++ b/tests/019-dparse/bad.profileSubmit.csr.empty.json 
@@ -0,0 +1,14 @@
+{
+ "error": {
+ "code": 3007,
+ "data": {
+ "name": "csr"
+ },
+ "message": "'csr' is required",
+ "name": "RequirementError"
+ },
+ "id": 0,
+ "principal": "admin@EXAMPLE.TEST",
+ "result": null,
+ "version": "4.13.0.dev202409181703+git4bfbf0ba9"
+}
diff --git a/tests/019-dparse/bad.profileSubmit.csr.empty.xml b/tests/019-dparse/bad.profileSubmit.csr.empty.xml
new file mode 100644
index 0000000..25c9bb0
--- /dev/null
+++ b/tests/019-dparse/bad.profileSubmit.csr.empty.xml
@@ -0,0 +1 @@
+1Invalid Request
diff --git a/tests/019-dparse/bad.profileSubmit.csr.invalid.json b/tests/019-dparse/bad.profileSubmit.csr.invalid.json
new file mode 100644
index 0000000..a37066e
--- /dev/null
+++ b/tests/019-dparse/bad.profileSubmit.csr.invalid.json
@@ -0,0 +1,14 @@
+{
+ "error": {
+ "code": 4301,
+ "data": {
+ "error": "not a valid CSR: Incorrect padding"
+ },
+ "message": "Certificate operation cannot be completed: not a valid CSR: Incorrect padding",
+ "name": "CertificateOperationError"
+ },
+ "id": null,
+ "principal": "admin@EXAMPLE.TEST",
+ "result": null,
+ "version": "4.13.0.dev202409181703+git4bfbf0ba9"
+}
diff --git a/tests/019-dparse/bad.profileSubmit.csr.subject-mismatch b/tests/019-dparse/bad.profileSubmit.csr.subject-mismatch
deleted file mode 100644
index bc1dd4a..0000000
--- a/tests/019-dparse/bad.profileSubmit.csr.subject-mismatch
+++ /dev/null
@@ -1 +0,0 @@
-3Request Rejected - Subject Name Not Matched O=Default Company Ltd,L=Default City,C=XX 13
diff --git a/tests/019-dparse/bad.profileSubmit.csr.subject-mismatch.xml b/tests/019-dparse/bad.profileSubmit.csr.subject-mismatch.xml
new file mode 100644
index 0000000..bc1dd4a
--- /dev/null
+++ b/tests/019-dparse/bad.profileSubmit.csr.subject-mismatch.xml
@@ -0,0 +1 @@
+3Request Rejected - Subject Name Not Matched O=Default Company Ltd,L=Default City,C=XX 13
diff --git a/tests/019-dparse/bad.profileSubmit.serial.empty b/tests/019-dparse/bad.profileSubmit.serial.empty deleted file mode 100644 index 804aae6..0000000 --- a/tests/019-dparse/bad.profileSubmit.serial.empty +++ /dev/null @@ -1,11 +0,0 @@ - - -

-The Certificate System has encountered an unrecoverable error. -

-Error Message:
-java.lang.NumberFormatException: Zero length BigInteger -

-Please contact your local administrator for assistance. - - diff --git a/tests/019-dparse/bad.profileSubmit.serial.empty.xml b/tests/019-dparse/bad.profileSubmit.serial.empty.xml new file mode 100644 index 0000000..804aae6 --- /dev/null +++ b/tests/019-dparse/bad.profileSubmit.serial.empty.xml @@ -0,0 +1,11 @@ + + +

+The Certificate System has encountered an unrecoverable error. +

+Error Message:
+java.lang.NumberFormatException: Zero length BigInteger +

+Please contact your local administrator for assistance. + + diff --git a/tests/019-dparse/bad.profileSubmit.serial.invalid b/tests/019-dparse/bad.profileSubmit.serial.invalid deleted file mode 100644 index a69e077..0000000 --- a/tests/019-dparse/bad.profileSubmit.serial.invalid +++ /dev/null @@ -1,11 +0,0 @@ - - -

-The Certificate System has encountered an unrecoverable error. -

-Error Message:
-java.lang.NumberFormatException: For input string: "B" -

-Please contact your local administrator for assistance. - - diff --git a/tests/019-dparse/bad.profileSubmit.serial.invalid.xml b/tests/019-dparse/bad.profileSubmit.serial.invalid.xml new file mode 100644 index 0000000..a69e077 --- /dev/null +++ b/tests/019-dparse/bad.profileSubmit.serial.invalid.xml @@ -0,0 +1,11 @@ + + +

+The Certificate System has encountered an unrecoverable error. +

+Error Message:
+java.lang.NumberFormatException: For input string: "B" +

+Please contact your local administrator for assistance. + + diff --git a/tests/019-dparse/bad.profileSubmit.serial.out-of-range b/tests/019-dparse/bad.profileSubmit.serial.out-of-range deleted file mode 100644 index 8f6dec7..0000000 --- a/tests/019-dparse/bad.profileSubmit.serial.out-of-range +++ /dev/null @@ -1,12 +0,0 @@ - - - - -Server Internal Error - - -1 - - - - diff --git a/tests/019-dparse/bad.profileSubmit.serial.out-of-range.xml b/tests/019-dparse/bad.profileSubmit.serial.out-of-range.xml new file mode 100644 index 0000000..8f6dec7 --- /dev/null +++ b/tests/019-dparse/bad.profileSubmit.serial.out-of-range.xml @@ -0,0 +1,12 @@ + + + + +Server Internal Error + + +1 + + + + diff --git a/tests/019-dparse/expected.out b/tests/019-dparse/expected.out index 5b03c05..6e269b4 100644 --- a/tests/019-dparse/expected.out +++ b/tests/019-dparse/expected.out @@ -1,4 +1,4 @@ -[submit-as-agent(good.profileSubmit.issued) = ISSUED] +[submit-as-agent(good.profileSubmit.issued.xml) = ISSUED] status="0",cert="-----BEGIN CERTIFICATE-----" -----BEGIN CERTIFICATE----- MIIDyDCCArCgAwIBAgIBKjANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5CT1Mu 
@@ -24,27 +24,27 @@ RfOVKrVpzilh6++ZIbeFYqd3z4vIMLedjk2hSUwK5A3bPgFlqzYii8j4scn+0mZM AsSesPzyAiutWBAX -----END CERTIFICATE----- -[submit-as-agent(good.profileSubmit.serial.in-range) = WAIT_WITH_DELAY] +[submit-as-agent(good.profileSubmit.serial.in-range.xml) = WAIT_WITH_DELAY] error="Request Deferred - defer request",status="2",requestId="12" 0 state=approve&requestId=12 -[review-as-agent(good.profileReview) = WAIT_WITH_DELAY] +[review-as-agent(good.profileReview.xml) = WAIT_WITH_DELAY] error_code="0",status="pending",requestId="17" 0 state=approve&requestId=17 -[check-as-agent(good.checkRequest.complete) = WAIT_WITH_DELAY] +[check-as-agent(good.checkRequest.complete.xml) = WAIT_WITH_DELAY] status="complete",requestId="23" 0 state=retrieve&requestId=23 -[check-as-agent(good.checkRequest.pending) = WAIT_WITH_DELAY] +[check-as-agent(good.checkRequest.pending.xml) = WAIT_WITH_DELAY] status="pending",requestId="22" 0 state=approve&requestId=22 -[fetch-as-agent(good.displayCertFromRequest) = ISSUED] +[fetch-as-agent(good.displayCertFromRequest-extra-line.xml) = ISSUED] requestId="11",cert="-----BEGIN CERTIFICATE-----" -----BEGIN CERTIFICATE----- MIIDEDCCAfigAwIBAgIBCzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5CT1Mu @@ -66,7 +66,7 @@ LCT7m5N535pDf4tELcXRQAUv/xTp7F5O84pp8Bez14iVTtKazqseq5K7EKCsRXfW FxfR4qHzwpD9Q7rvTzFP2/J/Cr8= -----END CERTIFICATE----- -[fetch-as-agent(good.displayCertFromRequest-extra-line) = ISSUED] +[fetch-as-agent(good.displayCertFromRequest.xml) = ISSUED] requestId="11",cert="-----BEGIN CERTIFICATE-----" -----BEGIN CERTIFICATE----- MIIDEDCCAfigAwIBAgIBCzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5CT1Mu @@ -88,7 +88,7 @@ LCT7m5N535pDf4tELcXRQAUv/xTp7F5O84pp8Bez14iVTtKazqseq5K7EKCsRXfW FxfR4qHzwpD9Q7rvTzFP2/J/Cr8= -----END CERTIFICATE----- -[profiles-as-agent(good.profileList) = ISSUED] +[profiles-as-agent(good.profileList.xml) = ISSUED] error_code="0",error_reason="" caUserCert caUserSMIMEcapCert 
@@ -114,53 +114,55 @@ caSSLClientSelfRenewal caDirUserRenewal caManualRenewal -[submit-as-agent(bad.profileSubmit.csr.empty) = REJECTED] +[submit-as-agent(bad.profileSubmit.csr.empty.xml) = REJECTED] error="Invalid Request",status="1" Server at "SUBMIT" replied: Invalid Request -[submit-as-agent(bad.profileSubmit.csr.subject-mismatch) = REJECTED] +[submit-as-agent(bad.profileSubmit.csr.subject-mismatch.xml) = REJECTED] error="Request Rejected - Subject Name Not Matched O=Default Company Ltd,L=Default City,C=XX",status="3",requestId="13" Server at "SUBMIT" replied: Request Rejected - Subject Name Not Matched O=Default Company Ltd,L=Default City,C=XX -[submit-as-agent(bad.profileSubmit.serial.empty) = REJECTED] +[submit-as-agent(bad.profileSubmit.serial.empty.xml) = REJECTED] -[submit-as-agent(bad.profileSubmit.serial.invalid) = REJECTED] +[submit-as-agent(bad.profileSubmit.serial.invalid.xml) = REJECTED] -[submit-as-agent(bad.profileSubmit.serial.out-of-range) = REJECTED] +[submit-as-agent(bad.profileSubmit.serial.out-of-range.xml) = REJECTED] error_code="1",error_reason="Server Internal Error" Server at "SUBMIT" replied: 1: Server Internal Error -[review-as-agent(bad.profileReview.no-such-request) = REJECTED] +[review-as-agent(bad.profileReview.no-such-request.xml) = REJECTED] error_code="1",error_reason="Request 0 Not Found" Server at "REVIEW" replied: 1: Request 0 Not Found -[review-as-agent(bad.profileReview.unauthorized-cert) = REJECTED] +[review-as-agent(bad.profileReview.unauthorized-cert.xml) = REJECTED] error_code="1",error_reason="Authentication Error" Server at "REVIEW" replied: 1: Authentication Error -[review-as-agent(bad.profileReview.wrong-nssdb) = REJECTED] +[review-as-agent(bad.profileReview.wrong-nssdb.xml) = REJECTED] -[approve-as-agent(bad.profileProcess.bad-property) = REJECTED] +[approve-as-agent(bad.profileProcess.bad-property.xml) = REJECTED] error_code="1",error_reason="Property Error - Invalid Property 
notBefore",status="pending",requestId="17" Server at "APPROVE" replied: 1: Property Error - Invalid Property notBefore -[approve-as-agent(bad.profileProcess.no-agent-cert) = REJECTED] +[approve-as-agent(bad.profileProcess.no-agent-cert.xml) = REJECTED] -[approve-as-agent(bad.profileProcess.no-ca-cert) = REJECTED] +[approve-as-agent(bad.profileProcess.no-ca-cert.xml) = REJECTED] -[approve-as-agent(bad.profileProcess.no-property) = REJECTED] +[approve-as-agent(bad.profileProcess.no-property.xml) = REJECTED] error_code="1",error_reason="Property Error - Invalid Property notBefore",status="pending",requestId="17" Server at "APPROVE" replied: 1: Property Error - Invalid Property notBefore -[approve-as-agent(bad.profileProcess.not-pending) = REJECTED] +[approve-as-agent(bad.profileProcess.not-pending.xml) = REJECTED] error_code="1",error_reason="Request Not In Pending State",requestId="17" Server at "APPROVE" replied: 1: Request Not In Pending State -[check-as-agent(bad.checkRequest.nosuch) = REJECTED] +[check-as-agent(bad.checkRequest.nosuch.xml) = REJECTED] error="Request ID 29 was not found in the request queue." Server at "CHECK" replied: Request ID 29 was not found in the request queue. -[fetch-as-agent(bad.displayCertFromRequest.incomplete) = REJECTED] +[fetch-as-agent(bad.displayCertFromRequest.incomplete.xml) = REJECTED] error="Request ID 14 was not completed.",status="7" Server at "FETCH" replied: Request ID 14 was not completed. -[fetch-as-agent(bad.displayCertFromRequest.no-such-request) = REJECTED] +[fetch-as-agent(bad.displayCertFromRequest.no-such-request.json) = REJECTED] + +[fetch-as-agent(bad.displayCertFromRequest.no-such-request.xml) = REJECTED] error="Request ID 19 was not found in the request queue.",status="7" Server at "FETCH" replied: Request ID 19 was not found in the request queue. 
-[fetch-as-agent(bad.displayCertFromRequest.rejected) = REJECTED] +[fetch-as-agent(bad.displayCertFromRequest.rejected.xml) = REJECTED] error="Request ID 17 was not completed.",status="7" Server at "FETCH" replied: Request ID 17 was not completed. -[submit-as-end-entity(good.profileSubmit.issued) = ISSUED] +[submit-as-end-entity(good.profileSubmit.issued.xml) = ISSUED] status="0",cert="-----BEGIN CERTIFICATE-----" -----BEGIN CERTIFICATE----- MIIDyDCCArCgAwIBAgIBKjANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5CT1Mu @@ -186,25 +188,25 @@ RfOVKrVpzilh6++ZIbeFYqd3z4vIMLedjk2hSUwK5A3bPgFlqzYii8j4scn+0mZM AsSesPzyAiutWBAX -----END CERTIFICATE----- -[submit-as-end-entity(good.profileSubmit.serial.in-range) = WAIT] +[submit-as-end-entity(good.profileSubmit.serial.in-range.xml) = WAIT] error="Request Deferred - defer request",status="2",requestId="12" state=check&requestId=12 -[review-as-end-entity(good.profileReview) = WAIT_WITH_DELAY] +[review-as-end-entity(good.profileReview.xml) = WAIT_WITH_DELAY] error_code="0",status="pending",requestId="17" 0 state=approve&requestId=17 -[check-as-end-entity(good.checkRequest.complete) = WAIT_WITH_DELAY] +[check-as-end-entity(good.checkRequest.complete.xml) = WAIT_WITH_DELAY] status="complete",requestId="23" 0 state=retrieve&requestId=23 -[check-as-end-entity(good.checkRequest.pending) = WAIT] +[check-as-end-entity(good.checkRequest.pending.xml) = WAIT] status="pending",requestId="22" state=check&requestId=22 -[fetch-as-end-entity(good.displayCertFromRequest) = ISSUED] +[fetch-as-end-entity(good.displayCertFromRequest-extra-line.xml) = ISSUED] requestId="11",cert="-----BEGIN CERTIFICATE-----" -----BEGIN CERTIFICATE----- MIIDEDCCAfigAwIBAgIBCzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5CT1Mu 
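Review bot: The agent-mode fetch block now expects `[fetch-as-agent(bad.displayCertFromRequest.no-such-request.json) = REJECTED]` followed by an empty body, so the expected output pins how the XML parser reacts to a JSON fixture rather than to a server reply it was written for. No other `.json` sample is fed to the `-as-agent` or `-as-end-entity` modes (for example `bad.profileSubmit.csr.empty.json` is absent from the submit blocks), which suggests the fetch glob in the test driver, outside this hunk, is broader than the others. The same entry appears for `fetch-as-end-entity` in the `@@ -274,50 +276,229 @@` hunk. Either restrict that glob to `bad.displayCertFromRequest.*.xml`, or, if rejecting a wrong-format reply is the intent, cover every mode the same way and expect a diagnostic line instead of silence.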
@@ -226,7 +228,7 @@ LCT7m5N535pDf4tELcXRQAUv/xTp7F5O84pp8Bez14iVTtKazqseq5K7EKCsRXfW FxfR4qHzwpD9Q7rvTzFP2/J/Cr8= -----END CERTIFICATE----- -[fetch-as-end-entity(good.displayCertFromRequest-extra-line) = ISSUED] +[fetch-as-end-entity(good.displayCertFromRequest.xml) = ISSUED] requestId="11",cert="-----BEGIN CERTIFICATE-----" -----BEGIN CERTIFICATE----- MIIDEDCCAfigAwIBAgIBCzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5CT1Mu @@ -248,7 +250,7 @@ LCT7m5N535pDf4tELcXRQAUv/xTp7F5O84pp8Bez14iVTtKazqseq5K7EKCsRXfW FxfR4qHzwpD9Q7rvTzFP2/J/Cr8= -----END CERTIFICATE----- -[profiles-as-end-entity(good.profileList) = ISSUED] +[profiles-as-end-entity(good.profileList.xml) = ISSUED] error_code="0",error_reason="" caUserCert caUserSMIMEcapCert 
@@ -274,50 +276,229 @@ caSSLClientSelfRenewal caDirUserRenewal caManualRenewal -[submit-as-end-entity(bad.profileSubmit.csr.empty) = REJECTED] +[submit-as-end-entity(bad.profileSubmit.csr.empty.xml) = REJECTED] error="Invalid Request",status="1" Server at "SUBMIT" replied: Invalid Request -[submit-as-end-entity(bad.profileSubmit.csr.subject-mismatch) = REJECTED] +[submit-as-end-entity(bad.profileSubmit.csr.subject-mismatch.xml) = REJECTED] error="Request Rejected - Subject Name Not Matched O=Default Company Ltd,L=Default City,C=XX",status="3",requestId="13" Server at "SUBMIT" replied: Request Rejected - Subject Name Not Matched O=Default Company Ltd,L=Default City,C=XX -[submit-as-end-entity(bad.profileSubmit.serial.empty) = REJECTED] +[submit-as-end-entity(bad.profileSubmit.serial.empty.xml) = REJECTED] -[submit-as-end-entity(bad.profileSubmit.serial.invalid) = REJECTED] +[submit-as-end-entity(bad.profileSubmit.serial.invalid.xml) = REJECTED] -[submit-as-end-entity(bad.profileSubmit.serial.out-of-range) = REJECTED] +[submit-as-end-entity(bad.profileSubmit.serial.out-of-range.xml) = REJECTED] error_code="1",error_reason="Server Internal Error" Server at "SUBMIT" replied: 1: Server Internal Error -[review-as-end-entity(bad.profileReview.no-such-request) = REJECTED] +[review-as-end-entity(bad.profileReview.no-such-request.xml) = REJECTED] error_code="1",error_reason="Request 0 Not Found" Server at "REVIEW" replied: 1: Request 0 Not Found -[review-as-end-entity(bad.profileReview.unauthorized-cert) = REJECTED] +[review-as-end-entity(bad.profileReview.unauthorized-cert.xml) = REJECTED] error_code="1",error_reason="Authentication Error" Server at "REVIEW" replied: 1: Authentication Error -[review-as-end-entity(bad.profileReview.wrong-nssdb) = REJECTED] +[review-as-end-entity(bad.profileReview.wrong-nssdb.xml) = REJECTED] -[approve-as-end-entity(bad.profileProcess.bad-property) = REJECTED] +[approve-as-end-entity(bad.profileProcess.bad-property.xml) = REJECTED] 
error_code="1",error_reason="Property Error - Invalid Property notBefore",status="pending",requestId="17" Server at "APPROVE" replied: 1: Property Error - Invalid Property notBefore -[approve-as-end-entity(bad.profileProcess.no-agent-cert) = REJECTED] +[approve-as-end-entity(bad.profileProcess.no-agent-cert.xml) = REJECTED] -[approve-as-end-entity(bad.profileProcess.no-ca-cert) = REJECTED] +[approve-as-end-entity(bad.profileProcess.no-ca-cert.xml) = REJECTED] -[approve-as-end-entity(bad.profileProcess.no-property) = REJECTED] +[approve-as-end-entity(bad.profileProcess.no-property.xml) = REJECTED] error_code="1",error_reason="Property Error - Invalid Property notBefore",status="pending",requestId="17" Server at "APPROVE" replied: 1: Property Error - Invalid Property notBefore -[approve-as-end-entity(bad.profileProcess.not-pending) = REJECTED] +[approve-as-end-entity(bad.profileProcess.not-pending.xml) = REJECTED] error_code="1",error_reason="Request Not In Pending State",requestId="17" Server at "APPROVE" replied: 1: Request Not In Pending State -[check-as-end-entity(bad.checkRequest.nosuch) = REJECTED] +[check-as-end-entity(bad.checkRequest.nosuch.xml) = REJECTED] error="Request ID 29 was not found in the request queue." Server at "CHECK" replied: Request ID 29 was not found in the request queue. -[fetch-as-end-entity(bad.displayCertFromRequest.incomplete) = REJECTED] +[fetch-as-end-entity(bad.displayCertFromRequest.incomplete.xml) = REJECTED] error="Request ID 14 was not completed.",status="7" Server at "FETCH" replied: Request ID 14 was not completed. -[fetch-as-end-entity(bad.displayCertFromRequest.no-such-request) = REJECTED] +[fetch-as-end-entity(bad.displayCertFromRequest.no-such-request.json) = REJECTED] + +[fetch-as-end-entity(bad.displayCertFromRequest.no-such-request.xml) = REJECTED] error="Request ID 19 was not found in the request queue.",status="7" Server at "FETCH" replied: Request ID 19 was not found in the request queue. 
-[fetch-as-end-entity(bad.displayCertFromRequest.rejected) = REJECTED] +[fetch-as-end-entity(bad.displayCertFromRequest.rejected.xml) = REJECTED] error="Request ID 17 was not completed.",status="7" Server at "FETCH" replied: Request ID 17 was not completed. -50 samples. +[submit-as-json(good.profileSubmit.issued.json) = ISSUED] +error_code="0",error_reason="",status="0",requestId="332621425870192170580644617633640391310",cert="-----BEGIN CERTIFICATE-----" +-----BEGIN CERTIFICATE----- +MIIFODCCA6CgAwIBAgIQdlK5QebTx77rrNFpsVOHmTANBgkqhkiG9w0BAQsFADA3 +MRUwEwYDVQQKDAxFWEFNUExFLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1 +dGhvcml0eTAeFw0yNDExMTgxOTEyMTFaFw0yNjExMTkxOTEyMTFaMDIxFTATBgNV +BAoMDEVYQU1QTEUuVEVTVDEZMBcGA1UEAwwQaXBhLmV4YW1wbGUudGVzdDCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN0G465levl0RkaYb0YmJHLnYnst +Y35tvODdWcpIoQ8qe57Cid4TDesECpN/xVZ9fUHBPoDNsDb+JzTcCd+JocleuZqj +08Ln+Irb5Xhd3DXaCGUUCJ3/+eOVEGnZkp1licZbkkjeRrjiHXYdFia3zzZIokXV ++vuJSbasy8o/rWCUCgJBFLqRDBslsQJKqk7rs5w4wcT629Q6Z4jzb+oWbemUS8Pu +xk2rmubV2EDWlYjgJftkxLLeecPx6h0zEO02hBZngF7x+hKjsJ38f+KL2JqE0yfa ++OcSaSkDT94EMVqbhUpuV3I7ilVRC9xv818fUBGjJfRTVCXQizSHYIvfPRcCAwEA +AaOCAcMwggG/MB8GA1UdIwQYMBaAFKiEhUhIcDVO6mAnUKaNttlPFiGhMD4GCCsG +AQUFBwEBBDIwMDAuBggrBgEFBQcwAYYiaHR0cDovL2lwYS1jYS5leGFtcGxlLnRl +c3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG +CCsGAQUFBwMCMHcGA1UdHwRwMG4wbKA0oDKGMGh0dHA6Ly9pcGEtY2EuZXhhbXBs +ZS50ZXN0L2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0pDIwMDEOMAwGA1UECgwFaXBh +Y2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVHQ4EFgQUe/DN +hx8ZWM+1WfGJEkcMG99yg7kwgZQGA1UdEQSBjDCBiYIQaXBhLmV4YW1wbGUudGVz +dKAyBgorBgEEAYI3FAIDoCQMImxkYXAvaXBhLmV4YW1wbGUudGVzdEBFWEFNUExF +LlRFU1SgQQYGKwYBBQICoDcwNaAOGwxFWEFNUExFLlRFU1ShIzAhoAMCAQGhGjAY +GwRsZGFwGxBpcGEuZXhhbXBsZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBgQCSd1tu +yjcl5R/kdvyWDzIz3FqzxithbNmaGy9t2carSi3Ndvnh5PNSrhQ1gWM0lLCjoU0v +P7p64u7/DLRJR+1d27p8QmEZMeCoh1Qe68iD3jjolzF/j8ReTHN1zKAKMcyJpBKl 
+O89N2XsYnxRlJC/keQVXC5TrEzSTWBwr9RckK9wYhKB8U1U+2Y0/t+HWvvpQELAF +1TmSpbHM51trZoFN09nO/grB1m28R8E/34WxwnWo1f2+WaUCOa4wNoZYvgF2beBy +pjX6/tEzaNeXUe6zpGnCpQ/wGfE1YnDaO8nF4y1fYNxEV+c0REOHXVr8qyHhHAN0 +7fPtlV9YqIk/meB8pMYs8iO45uqoGfrxL4JIXUNjZHp4zOfmZqZ8iNoSAXen/BGp +I9tBgnVN6PiEMBBp6QrR//2H1ZTgYbCTn/T9F8XeLDHtakSMzTM5vqDYz6QJ2F/R +kcXpPVbd+6Cqb3CelMXTzPhMJxW6IKEgIQj4VtdKm32MyUkR5IlRwCOIbU8= +-----END CERTIFICATE----- + +[check-as-json(good.checkRequest.complete.json) = WAIT_WITH_DELAY] +error_code="0",error_reason="",status="complete",requestId="270317855924125321275412697561729983788" +0 +state=retrieve&requestId=270317855924125321275412697561729983788 + +[check-as-json(good.checkRequest.pending.json) = WAIT] +error_code="0",error_reason="",status="pending",requestId="73577173089892679894729695106669289136" +state=check&requestId=73577173089892679894729695106669289136 + +[fetch-as-json(good.displayCertFromRequest.json) = ISSUED] +error_code="0",error_reason="",status="complete",cert="-----BEGIN CERTIFICATE-----" +-----BEGIN CERTIFICATE----- +MIIEGzCCAoOgAwIBAgIRANnvcOIqsXHMhcZSZiOYmeAwDQYJKoZIhvcNAQELBQAw +NzEVMBMGA1UECgwMRVhBTVBMRS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkwHhcNMjQxMTEyMTUzNTE3WhcNMjYxMTAyMTUzNTE3WjAyMRUwEwYD +VQQKDAxFWEFNUExFLlRFU1QxGTAXBgNVBAMMEGlwYS5leGFtcGxlLnRlc3QwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD6uMp+bGs72KACvmpnSBoGWchL +BFxfZiuWXJr9TeYM3h1DGXdW7JwRgADJwgdg6UVjCuDYb5zCQBtCUbAmM7USqH5h +Aeu48qjVzQcewUR24TchnX/VgpuYShb50WxxSWAV6upQ78WgOQvCP5BjjhnLkOro +hHdkkXvnNTxKZ7EeSwa79ajSuGCf30qhISvkxErGJUL7td7bLnxGF9cbEsUNop5w +kRpgRhNpu7Kkubj8/yYkMhY6Ju0BhvHTYmyhKmAv98uaDWaOjcNwJpoeuhaAZCSG +nvusKzb/W2I5wAGxcQNY4GHJSB8KAzeTSF9Ujx0zprGZh3NK7vpI90nt0j41AgMB +AAGjgaYwgaMwHwYDVR0jBBgwFoAUqISFSEhwNU7qYCdQpo222U8WIaEwPgYIKwYB +BQUHAQEEMjAwMC4GCCsGAQUFBzABhiJodHRwOi8vaXBhLWNhLmV4YW1wbGUudGVz +dC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIEsDATBgNVHSUEDDAKBggrBgEFBQcDATAb +BgNVHREEFDASghBpcGEuZXhhbXBsZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBgQC2 
+s/38mrzgWBCSPXFQp6chRjN2H1KxJj/FPyd/iKSapv8yboSMdIy5pstiLQE+NLzv +Fv8OwrpmNKs0BBaB9m6/zCFk5ZI/j1iS9wfeJMZHTJfPS7ZA113iqGmfBZXjNsj8 +5wuPo77mcm/EIEru2IxD6/5qmDIEZiT3PwDKS7rH2w0r4z2DlumOjv6e8+qIq6+z +vux1rdVFrsKVSBicVDfUKITlz4AayRJ4lUqBxgKWnG0n06z8eYQxPxyi+2z1ZFg5 +f2G6M7ZnPv+F/S/vqnTJcYFZqSVyRBGY0p+hL8t0aTxn0hQTXK/yiPnU8UzMky5b +sA86qdFzqUtBkSzV63L6YoSbsMJxCIWiv16NjbIBzgVSDbpPTXGkeDhTAfJDioTp +63lDFCobRMXuyL6Ohb1+UGx/HMhrJa0w6+tkNJunVCUCy16GK7w6l3dp1GFe+tTR +VvmyCX0MCPJa2OHEanSDn711OG4TLnHHzZefp2hlgWUaZ2PlKIgnZ82UK96gTR8= +-----END CERTIFICATE----- + +[profiles-as-json(good.profileList.json) = ISSUED] +error_code="0",error_reason="" +acmeIPAServerCert +caIPAserviceCert +IECUserRoles +KDCs_PKINIT_Certs +acmeServerCert +caCMCserverCert +caCMCECserverCert +caCMCECsubsystemCert +caCMCsubsystemCert +caCMCauditSigningCert +caCMCcaCert +caCMCocspCert +caCMCkraTransportCert +caCMCkraStorageCert +caServerKeygen_UserCert +caServerKeygen_DirUserCert +caUserCert +caECUserCert +caUserSMIMEcapCert +caDualCert +caDirBasedDualCert +AdminCert +ECAdminCert +caSignedLogCert +caTPSCert +caRARouterCert +caRouterCert +caServerCert +caECServerCert +caServerCertWithSCT +caECServerCertWithSCT +caSubsystemCert +caECSubsystemCert +caOtherCert +caCACert +caCrossSignedCACert +caInstallCACert +caRACert +caOCSPCert +caStorageCert +caTransportCert +caDirPinUserCert +caECDirPinUserCert +caDirUserCert +caECDirUserCert +caAgentServerCert +caECAgentServerCert +caAgentFileSigning +caCMCUserCert +caCMCECUserCert +caCMCcaIssuanceProtectionCert +caFullCMCUserCert +caECFullCMCUserCert +caFullCMCUserSignedCert +caECFullCMCUserSignedCert +caFullCMCSharedTokenCert +caECFullCMCSharedTokenCert +caSimpleCMCUserCert +caECSimpleCMCUserCert +caTokenDeviceKeyEnrollment +caTokenUserEncryptionKeyEnrollment +caTokenUserSigningKeyEnrollment +caTempTokenDeviceKeyEnrollment +caTempTokenUserEncryptionKeyEnrollment +caTempTokenUserSigningKeyEnrollment +caAdminCert +caECAdminCert +caInternalAuthServerCert 
+caECInternalAuthServerCert +caInternalAuthTransportCert +caInternalAuthDRMstorageCert +caInternalAuthSubsystemCert +caECInternalAuthSubsystemCert +caInternalAuthOCSPCert +caInternalAuthAuditSigningCert +DomainController +caDualRAuserCert +caRAagentCert +caRAserverCert +caUUIDdeviceCert +caSSLClientSelfRenewal +caDirUserRenewal +caManualRenewal +caTokenMSLoginEnrollment +caTokenUserSigningKeyRenewal +caTokenUserEncryptionKeyRenewal +caTokenUserAuthKeyRenewal +caJarSigningCert +caAuditSigningCert +caEncUserCert +caSigningUserCert +caTokenUserDelegateAuthKeyEnrollment +caTokenUserDelegateSigningKeyEnrollment + +[submit-as-json(bad.profileSubmit.csr.empty.json) = REJECTED] +error_code="3007",error_reason="'csr' is required" +Server at "SUBMIT" replied: 3007: 'csr' is required +[submit-as-json(bad.profileSubmit.csr.invalid.json) = REJECTED] +error_code="4301",error_reason="Certificate operation cannot be completed: not a valid CSR: Incorrect padding" +Server at "SUBMIT" replied: 4301: Certificate operation cannot be completed: not a valid CSR: Incorrect padding +[check-as-json(bad.checkRequest.nosuch.json) = REJECTED] +error_code="4001",error_reason="Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x270f not found (404)" +Server at "CHECK" replied: 4001: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x270f not found (404) +[fetch-as-json(bad.displayCertFromRequest.no-such-request.json) = REJECTED] +error_code="4001",error_reason="Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x270f not found (404)" +Server at "FETCH" replied: 4001: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x270f not found (404) +61 samples. diff --git a/tests/019-dparse/good.checkRequest.complete b/tests/019-dparse/good.checkRequest.complete deleted file mode 100644 index 17388ef..0000000 
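Review bot: In the `check-as-json(good.checkRequest.complete.json)` block the emitted `requestId` and the `state=retrieve&requestId=…` cookie carry 270317855924125321275412697561729983788, which is that fixture's `serial_number`, not its `request_id`, while the pending sample keeps the real request id. If this is deliberate because the IPA fetch looks a certificate up by serial number, it should be documented where the cookie is built (outside this hunk), for example `/* on "complete" the cookie's requestId holds the certificate serial number */`. It is also worth confirming that a `state=retrieve&requestId=N` cookie saved by the XML path before an upgrade cannot be resumed on the IPA path, where N would presumably be read as a serial number and could select a different certificate.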
--- a/tests/019-dparse/good.checkRequest.complete +++ /dev/null @@ -1 +0,0 @@ -

completeMIIG3gYJKoZIhvcNAQcCoIIGzzCCBssCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIG rzCCAxAwggH4oAMCAQICAQwwDQYJKoZIhvcNAQELBQAwOTEXMBUGA1UEChMOQk9T LlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x MjA2MjYxOTE3NTdaFw0xNjA2MjYxOTE3NTdaMDcxFzAVBgNVBAoTDkJPUy5SRURI QVQuQ09NMRwwGgYDVQQDExNPYmplY3QgU2lnbmluZyBDZXJ0MIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEApmaKlG/IR0uhPzJq5YpkJYSx5T3cZSWZ93Xt CvLx1grsgajPbZiErKEmBznQpv3Or61cMEjJJ+RzI41rCRijXWaLgZpQNVrojA41 ha+1nsRlHd+JVJZYhulUHSHZEDJ/a4xvlvMExDjwsZVAVMFAcyMmd1w3tHgiDezQ S8Ie3n2WY0YJZ/Jh+2hBmlLoNrTqo9p4rnV2WSyzLYVP3++KXQUw/hF4gJBIzfI9 dm2tmb+Zg8g6mp+VgzH/WvRGw8DJxSlO/0hAwr62to60DTyrv3UbAbxnc6oBCQ7j Wlq5/5Es9sKK21tnO1fYy4LGEo0y3mCALpQonyMwRvW4rAE/AwIDAQABoyUwIzAO BgNVHQ8BAf8EBAMCAoQwEQYJYIZIAYb4QgEBBAQDAgQQMA0GCSqGSIb3DQEBCwUA A4IBAQBW9rkKwDOoIxtzQ+x4HYJsmwf1nTRcm8oAtLCINkFQvMvpMOvEgQ0w5RQb 8/hb7nBmQMxkht8imYh0nw3ztpDmYLmeSYjWY0moD8AU8QdH5VJTHCLrVTwToJVp +Ol8CrjhCk9vIEHWR56w50ZHIsl3uA4NJZu5cdrZvbo3K/Ng2uucwyruInjN13WC UERcopy1I6HxeOWItsKA7VahGNC4xAEWw0/0YCybg5Tt6LaZMG4JpQOpYID2KT9h W8JKQg9YZJt11IK5j9EMy//Va3CPdYCXLntUYBCF2g2Zx/zgwdyCxz4g5dtiyavH XNm4C7eQeMg+ZXm5D39cktk1mIFHMIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0B AQsFADA5MRcwFQYDVQQKEw5CT1MuUkVESEFULkNPTTEeMBwGA1UEAxMVQ2VydGlm aWNhdGUgQXV0aG9yaXR5MB4XDTEyMDYyNTIxMDQxNFoXDTIwMDYyNTIxMDQxNFow OTEXMBUGA1UEChMOQk9TLlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRl IEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQDgery 1wgDVSs2yLo1vM0QCPOFi12T5ree2J/ian0dfHbSS9T2GC2TQwjgJLFUnQGkKZ9P TnASJSbPrILl19W/k+QwW3fPqvt+ryvXtK2Ezd3nFVUt6oKxj2bqxC0vS04k0Bab qBfAiRILI4VKUgPWu3YI3k8Nret4+dUmA8EkfBe/FiCdAXdlxWRfkXiiKX6JRfVx 0xweVfw0IDJopNFqAeznvre6fHpzROqw3JKXgagBGYLRgLlontbHnY8teJjlrbBe HQDKn3iOpjkWwHihYkODVSNr3lK8NnfeRjX2+qMOKzX6nkEpz1wigS+/BTtkrRDa AB+oRKKR5D9Zy2sCAwEAAaOBqTCBpjAfBgNVHSMEGDAWgBT5QugkOI4hLnyQxmRS gyB6JXCJmDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4E FgQU+ULoJDiOIS58kMZkUoMgeiVwiZgwQwYIKwYBBQUHAQEENzA1MDMGCCsGAQUF 
BzABhidodHRwOi8vcmFwaWVyLmJvcy5yZWRoYXQuY29tOjgwL2NhL29jc3AwDQYJ KoZIhvcNAQELBQADggEBAC/7xtbqCLTNX/ctz3NW+TDRQcSBftVWMDK8G+4TAjKa vsZdVnEKJAxo9UAcQL7A8/NFhxDwFGc3gF4agkGuZAMyZzUwynpY26yLyM4mBviv KhJBvbNOykB5BdAags04/Zlb1Bgg9PZqc5ErjcICKTmBAmVxQ0Nzlv49Ts9kNTa+ RZfNvne05dxNdJdPOWX7SHlh0GA/E6d/9+mlNn8x0uHMhbGlLC4EifeiijOyOLwH 6gwPXRPij+95RLxpRA6lXKVEUc5Iu2iZOn25b3xrYL7hFilzLA05vM/Z67UkJbBn a01OM5RZIURKD5IGIuD6BTD/u0qzNq4EEF2HedELdVUxAA==134073842023ca1340738217
c
diff --git a/tests/019-dparse/good.checkRequest.complete.json b/tests/019-dparse/good.checkRequest.complete.json
new file mode 100644
index 0000000..6045bfc
--- /dev/null
+++ b/tests/019-dparse/good.checkRequest.complete.json
@@ -0,0 +1,15 @@
+ {
+ "error": null,
+ "id": 0,
+ "principal": "admin@EXAMPLE.TEST",
+ "result": {
+ "result": {
+ "cert_request_status": "complete",
+ "request_id": "158675329147181044743206792112358494526",
+ "serial_number": "270317855924125321275412697561729983788"
+ },
+ "summary": null,
+ "value": "158675329147181044743206792112358494526"
+ },
+ "version": "4.13.0.dev202409181703+git4bfbf0ba9"
+}
diff --git a/tests/019-dparse/good.checkRequest.complete.xml b/tests/019-dparse/good.checkRequest.complete.xml
new file mode 100644
index 0000000..17388ef
--- /dev/null
+++ b/tests/019-dparse/good.checkRequest.complete.xml
@@ -0,0 +1 @@
+
completeMIIG3gYJKoZIhvcNAQcCoIIGzzCCBssCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIG rzCCAxAwggH4oAMCAQICAQwwDQYJKoZIhvcNAQELBQAwOTEXMBUGA1UEChMOQk9T LlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x MjA2MjYxOTE3NTdaFw0xNjA2MjYxOTE3NTdaMDcxFzAVBgNVBAoTDkJPUy5SRURI QVQuQ09NMRwwGgYDVQQDExNPYmplY3QgU2lnbmluZyBDZXJ0MIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEApmaKlG/IR0uhPzJq5YpkJYSx5T3cZSWZ93Xt CvLx1grsgajPbZiErKEmBznQpv3Or61cMEjJJ+RzI41rCRijXWaLgZpQNVrojA41 ha+1nsRlHd+JVJZYhulUHSHZEDJ/a4xvlvMExDjwsZVAVMFAcyMmd1w3tHgiDezQ S8Ie3n2WY0YJZ/Jh+2hBmlLoNrTqo9p4rnV2WSyzLYVP3++KXQUw/hF4gJBIzfI9 dm2tmb+Zg8g6mp+VgzH/WvRGw8DJxSlO/0hAwr62to60DTyrv3UbAbxnc6oBCQ7j Wlq5/5Es9sKK21tnO1fYy4LGEo0y3mCALpQonyMwRvW4rAE/AwIDAQABoyUwIzAO BgNVHQ8BAf8EBAMCAoQwEQYJYIZIAYb4QgEBBAQDAgQQMA0GCSqGSIb3DQEBCwUA A4IBAQBW9rkKwDOoIxtzQ+x4HYJsmwf1nTRcm8oAtLCINkFQvMvpMOvEgQ0w5RQb 8/hb7nBmQMxkht8imYh0nw3ztpDmYLmeSYjWY0moD8AU8QdH5VJTHCLrVTwToJVp +Ol8CrjhCk9vIEHWR56w50ZHIsl3uA4NJZu5cdrZvbo3K/Ng2uucwyruInjN13WC UERcopy1I6HxeOWItsKA7VahGNC4xAEWw0/0YCybg5Tt6LaZMG4JpQOpYID2KT9h W8JKQg9YZJt11IK5j9EMy//Va3CPdYCXLntUYBCF2g2Zx/zgwdyCxz4g5dtiyavH XNm4C7eQeMg+ZXm5D39cktk1mIFHMIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0B AQsFADA5MRcwFQYDVQQKEw5CT1MuUkVESEFULkNPTTEeMBwGA1UEAxMVQ2VydGlm aWNhdGUgQXV0aG9yaXR5MB4XDTEyMDYyNTIxMDQxNFoXDTIwMDYyNTIxMDQxNFow OTEXMBUGA1UEChMOQk9TLlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRl IEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQDgery 1wgDVSs2yLo1vM0QCPOFi12T5ree2J/ian0dfHbSS9T2GC2TQwjgJLFUnQGkKZ9P TnASJSbPrILl19W/k+QwW3fPqvt+ryvXtK2Ezd3nFVUt6oKxj2bqxC0vS04k0Bab qBfAiRILI4VKUgPWu3YI3k8Nret4+dUmA8EkfBe/FiCdAXdlxWRfkXiiKX6JRfVx 0xweVfw0IDJopNFqAeznvre6fHpzROqw3JKXgagBGYLRgLlontbHnY8teJjlrbBe HQDKn3iOpjkWwHihYkODVSNr3lK8NnfeRjX2+qMOKzX6nkEpz1wigS+/BTtkrRDa AB+oRKKR5D9Zy2sCAwEAAaOBqTCBpjAfBgNVHSMEGDAWgBT5QugkOI4hLnyQxmRS gyB6JXCJmDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4E FgQU+ULoJDiOIS58kMZkUoMgeiVwiZgwQwYIKwYBBQUHAQEENzA1MDMGCCsGAQUF 
BzABhidodHRwOi8vcmFwaWVyLmJvcy5yZWRoYXQuY29tOjgwL2NhL29jc3AwDQYJ KoZIhvcNAQELBQADggEBAC/7xtbqCLTNX/ctz3NW+TDRQcSBftVWMDK8G+4TAjKa vsZdVnEKJAxo9UAcQL7A8/NFhxDwFGc3gF4agkGuZAMyZzUwynpY26yLyM4mBviv KhJBvbNOykB5BdAags04/Zlb1Bgg9PZqc5ErjcICKTmBAmVxQ0Nzlv49Ts9kNTa+ RZfNvne05dxNdJdPOWX7SHlh0GA/E6d/9+mlNn8x0uHMhbGlLC4EifeiijOyOLwH 6gwPXRPij+95RLxpRA6lXKVEUc5Iu2iZOn25b3xrYL7hFilzLA05vM/Z67UkJbBn a01OM5RZIURKD5IGIuD6BTD/u0qzNq4EEF2HedELdVUxAA==134073842023ca1340738217
c
diff --git a/tests/019-dparse/good.checkRequest.pending b/tests/019-dparse/good.checkRequest.pending deleted file mode 100644 index 0b0cfbb..0000000 --- a/tests/019-dparse/good.checkRequest.pending +++ /dev/null @@ -1 +0,0 @@ -
pending134073817122ca1340738171
diff --git a/tests/019-dparse/good.checkRequest.pending.json b/tests/019-dparse/good.checkRequest.pending.json
new file mode 100644
index 0000000..9489706
--- /dev/null
+++ b/tests/019-dparse/good.checkRequest.pending.json
@@ -0,0 +1,15 @@
+{
+ "error": null,
+ "id": null,
+ "principal": "admin@EXAMPLE.TEST",
+ "result": {
+ "result": {
+ "cert_request_status": "pending",
+ "request_id": "73577173089892679894729695106669289136"
+ },
+ "summary": null,
+ "value": "73577173089892679894729695106669289136"
+ },
+ "version": "4.13.0.dev202409181703+git4bfbf0ba9"
+}
+
diff --git a/tests/019-dparse/good.checkRequest.pending.xml b/tests/019-dparse/good.checkRequest.pending.xml
new file mode 100644
index 0000000..0b0cfbb
--- /dev/null
+++ b/tests/019-dparse/good.checkRequest.pending.xml
@@ -0,0 +1 @@
+
pending134073817122ca1340738171
diff --git a/tests/019-dparse/good.displayCertFromRequest b/tests/019-dparse/good.displayCertFromRequest deleted file mode 100644 index 9fdd1b9..0000000 --- a/tests/019-dparse/good.displayCertFromRequest +++ /dev/null @@ -1,144 +0,0 @@ -
true11
http9180rapier.bos.redhat.comrapier.bos.redhat.com11Certificate Manager9180MD2: - 2B:E7:39:53:38:28:68:11:65:8A:E3:7B:36:4E:A9:44 -MD5: - 68:3F:AF:2C:38:37:E8:3E:5A:B5:4E:AE:40:54:2F:12 -SHA1: - D2:E1:1C:C4:CD:53:03:2C:62:CC:4F:68:60:52:A3:DC: - 2F:2B:64:89 -SHA256: - B8:DA:7A:D4:79:75:63:2B:59:D4:C5:B9:61:3C:59:60: - E6:A3:7C:38:EE:55:48:45:CB:B8:91:D0:CB:C7:E6:5F -SHA512: - 8F:E1:12:D0:A5:D7:C0:B0:77:D6:56:22:B7:4C:96:D3: - 8F:F0:8E:0B:25:8D:48:E5:8F:15:44:44:B0:51:B4:96: - AE:DC:01:B1:EF:34:E5:48:20:CB:31:6B:00:20:3B:F4: - 30:1D:86:74:B1:CA:4F:4F:DD:6C:20:2B:75:DB:89:51MIIG3gYJKoZIhvcNAQcCoIIGzzCCBssCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIG -rzCCAxAwggH4oAMCAQICAQswDQYJKoZIhvcNAQELBQAwOTEXMBUGA1UEChMOQk9T -LlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x -MjA2MjUyMTA3MTJaFw0xNjA2MjUyMTA3MTJaMDcxFzAVBgNVBAoTDkJPUy5SRURI -QVQuQ09NMRwwGgYDVQQDExNPYmplY3QgU2lnbmluZyBDZXJ0MIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEApmaKlG/IR0uhPzJq5YpkJYSx5T3cZSWZ93Xt -CvLx1grsgajPbZiErKEmBznQpv3Or61cMEjJJ+RzI41rCRijXWaLgZpQNVrojA41 -ha+1nsRlHd+JVJZYhulUHSHZEDJ/a4xvlvMExDjwsZVAVMFAcyMmd1w3tHgiDezQ -S8Ie3n2WY0YJZ/Jh+2hBmlLoNrTqo9p4rnV2WSyzLYVP3++KXQUw/hF4gJBIzfI9 -dm2tmb+Zg8g6mp+VgzH/WvRGw8DJxSlO/0hAwr62to60DTyrv3UbAbxnc6oBCQ7j -Wlq5/5Es9sKK21tnO1fYy4LGEo0y3mCALpQonyMwRvW4rAE/AwIDAQABoyUwIzAO -BgNVHQ8BAf8EBAMCAoQwEQYJYIZIAYb4QgEBBAQDAgQQMA0GCSqGSIb3DQEBCwUA -A4IBAQCcxEcVFXZGuVBffCrPS4+GOvcqIiBUWLMC7AmGaD/K8GZVuGqa7RP3Gs95 -25hSkhtaEvOA2f3d8J70gYXW3wS4efWB/XiZ0WT0vEPoyEZIPVUp5XkEyYPpCJ4F -GXlgUlFEnwCOga4HWhQeLrO4tMliU6K0Yf03uvTN1CjVX8fCybD7f5xtp0Fv19Mn -SSwk+5uTed+aQ3+LRC3F0UAFL/8U6exeTvOKafAXs9eIlU7Sms6rHquSuxCgrEV3 -1uM49RXsEmGhGkx8ga3MMAKxMgW3ZAuXHcHyVFbzRVl632IgsusgZkwkG67nJqgt -DBcX0eKh88KQ/UO6708xT9vyfwq/MIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0B -AQsFADA5MRcwFQYDVQQKEw5CT1MuUkVESEFULkNPTTEeMBwGA1UEAxMVQ2VydGlm -aWNhdGUgQXV0aG9yaXR5MB4XDTEyMDYyNTIxMDQxNFoXDTIwMDYyNTIxMDQxNFow -OTEXMBUGA1UEChMOQk9TLlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRl 
-IEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQDgery -1wgDVSs2yLo1vM0QCPOFi12T5ree2J/ian0dfHbSS9T2GC2TQwjgJLFUnQGkKZ9P -TnASJSbPrILl19W/k+QwW3fPqvt+ryvXtK2Ezd3nFVUt6oKxj2bqxC0vS04k0Bab -qBfAiRILI4VKUgPWu3YI3k8Nret4+dUmA8EkfBe/FiCdAXdlxWRfkXiiKX6JRfVx -0xweVfw0IDJopNFqAeznvre6fHpzROqw3JKXgagBGYLRgLlontbHnY8teJjlrbBe -HQDKn3iOpjkWwHihYkODVSNr3lK8NnfeRjX2+qMOKzX6nkEpz1wigS+/BTtkrRDa -AB+oRKKR5D9Zy2sCAwEAAaOBqTCBpjAfBgNVHSMEGDAWgBT5QugkOI4hLnyQxmRS -gyB6JXCJmDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4E -FgQU+ULoJDiOIS58kMZkUoMgeiVwiZgwQwYIKwYBBQUHAQEENzA1MDMGCCsGAQUF -BzABhidodHRwOi8vcmFwaWVyLmJvcy5yZWRoYXQuY29tOjgwL2NhL29jc3AwDQYJ -KoZIhvcNAQELBQADggEBAC/7xtbqCLTNX/ctz3NW+TDRQcSBftVWMDK8G+4TAjKa -vsZdVnEKJAxo9UAcQL7A8/NFhxDwFGc3gF4agkGuZAMyZzUwynpY26yLyM4mBviv -KhJBvbNOykB5BdAags04/Zlb1Bgg9PZqc5ErjcICKTmBAmVxQ0Nzlv49Ts9kNTa+ -RZfNvne05dxNdJdPOWX7SHlh0GA/E6d/9+mlNn8x0uHMhbGlLC4EifeiijOyOLwH -6gwPXRPij+95RLxpRA6lXKVEUc5Iu2iZOn25b3xrYL7hFilzLA05vM/Z67UkJbBn -a01OM5RZIURKD5IGIuD6BTD/u0qzNq4EEF2HedELdVUxAA==bCertificate: - Data: - Version: v3 - Serial Number: 0xB - Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 - Issuer: CN=Certificate Authority,O=BOS.REDHAT.COM - Validity: - Not Before: Monday, June 25, 2012 5:07:12 PM EDT America/New_York - Not After: Saturday, June 25, 2016 5:07:12 PM EDT America/New_York - Subject: CN=Object Signing Cert,O=BOS.REDHAT.COM - Subject Public Key Info: - Algorithm: RSA - 1.2.840.113549.1.1.1 - Public Key: - Exponent: 65537 - Public Key Modulus: (2048 bits) : - A6:66:8A:94:6F:C8:47:4B:A1:3F:32:6A:E5:8A:64:25: - 84:B1:E5:3D:DC:65:25:99:F7:75:ED:0A:F2:F1:D6:0A: - EC:81:A8:CF:6D:98:84:AC:A1:26:07:39:D0:A6:FD:CE: - AF:AD:5C:30:48:C9:27:E4:73:23:8D:6B:09:18:A3:5D: - 66:8B:81:9A:50:35:5A:E8:8C:0E:35:85:AF:B5:9E:C4: - 65:1D:DF:89:54:96:58:86:E9:54:1D:21:D9:10:32:7F: - 6B:8C:6F:96:F3:04:C4:38:F0:B1:95:40:54:C1:40:73: - 23:26:77:5C:37:B4:78:22:0D:EC:D0:4B:C2:1E:DE:7D: - 
96:63:46:09:67:F2:61:FB:68:41:9A:52:E8:36:B4:EA: - A3:DA:78:AE:75:76:59:2C:B3:2D:85:4F:DF:EF:8A:5D: - 05:30:FE:11:78:80:90:48:CD:F2:3D:76:6D:AD:99:BF: - 99:83:C8:3A:9A:9F:95:83:31:FF:5A:F4:46:C3:C0:C9: - C5:29:4E:FF:48:40:C2:BE:B6:B6:8E:B4:0D:3C:AB:BF: - 75:1B:01:BC:67:73:AA:01:09:0E:E3:5A:5A:B9:FF:91: - 2C:F6:C2:8A:DB:5B:67:3B:57:D8:CB:82:C6:12:8D:32: - DE:60:80:2E:94:28:9F:23:30:46:F5:B8:AC:01:3F:03 - Extensions: - Identifier: Key Usage: - 2.5.29.15 - Critical: yes - Key Usage: - Digital Signature - Key CertSign - Identifier: Netscape Certificate Type - 2.16.840.1.113730.1.1 - Critical: no - Certificate Usage: - Object Signing - Signature: - Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 - Signature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ingerPrint - MD2: - 2B:E7:39:53:38:28:68:11:65:8A:E3:7B:36:4E:A9:44 - MD5: - 68:3F:AF:2C:38:37:E8:3E:5A:B5:4E:AE:40:54:2F:12 - SHA1: - D2:E1:1C:C4:CD:53:03:2C:62:CC:4F:68:60:52:A3:DC: - 2F:2B:64:89 - SHA256: - B8:DA:7A:D4:79:75:63:2B:59:D4:C5:B9:61:3C:59:60: - E6:A3:7C:38:EE:55:48:45:CB:B8:91:D0:CB:C7:E6:5F - SHA512: - 8F:E1:12:D0:A5:D7:C0:B0:77:D6:56:22:B7:4C:96:D3: - 8F:F0:8E:0B:25:8D:48:E5:8F:15:44:44:B0:51:B4:96: - AE:DC:01:B1:EF:34:E5:48:20:CB:31:6B:00:20:3B:F4: - 30:1D:86:74:B1:CA:4F:4F:DD:6C:20:2B:75:DB:89:51-----BEGIN CERTIFICATE----- -MIIDEDCCAfigAwIBAgIBCzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5CT1Mu -UkVESEFULkNPTTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEy -MDYyNTIxMDcxMloXDTE2MDYyNTIxMDcxMlowNzEXMBUGA1UEChMOQk9TLlJFREhB -VC5DT00xHDAaBgNVBAMTE09iamVjdCBTaWduaW5nIENlcnQwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQCmZoqUb8hHS6E/MmrlimQlhLHlPdxlJZn3de0K -8vHWCuyBqM9tmISsoSYHOdCm/c6vrVwwSMkn5HMjjWsJGKNdZouBmlA1WuiMDjWF -r7WexGUd34lUlliG6VQdIdkQMn9rjG+W8wTEOPCxlUBUwUBzIyZ3XDe0eCIN7NBL -wh7efZZjRgln8mH7aEGaUug2tOqj2niudXZZLLMthU/f74pdBTD+EXiAkEjN8j12 -ba2Zv5mDyDqan5WDMf9a9EbDwMnFKU7/SEDCvra2jrQNPKu/dRsBvGdzqgEJDuNa -Wrn/kSz2worbW2c7V9jLgsYSjTLeYIAulCifIzBG9bisAT8DAgMBAAGjJTAjMA4G 
-A1UdDwEB/wQEAwIChDARBglghkgBhvhCAQEEBAMCBBAwDQYJKoZIhvcNAQELBQAD -ggEBAJzERxUVdka5UF98Ks9Lj4Y69yoiIFRYswLsCYZoP8rwZlW4aprtE/caz3nb -mFKSG1oS84DZ/d3wnvSBhdbfBLh59YH9eJnRZPS8Q+jIRkg9VSnleQTJg+kIngUZ -eWBSUUSfAI6BrgdaFB4us7i0yWJTorRh/Te69M3UKNVfx8LJsPt/nG2nQW/X0ydJ -LCT7m5N535pDf4tELcXRQAUv/xTp7F5O84pp8Bez14iVTtKazqseq5K7EKCsRXfW -4zj1FewSYaEaTHyBrcwwArEyBbdkC5cdwfJUVvNFWXrfYiCy6yBmTCQbrucmqC0M -FxfR4qHzwpD9Q7rvTzFP2/J/Cr8= ------END CERTIFICATE-----
diff --git a/tests/019-dparse/good.displayCertFromRequest-extra-line b/tests/019-dparse/good.displayCertFromRequest-extra-line deleted file mode 100644 index ef5a8e6..0000000 --- a/tests/019-dparse/good.displayCertFromRequest-extra-line +++ /dev/null @@ -1,145 +0,0 @@ -
true11
http9180rapier.bos.redhat.comrapier.bos.redhat.com11Certificate Manager9180MD2: - 2B:E7:39:53:38:28:68:11:65:8A:E3:7B:36:4E:A9:44 -MD5: - 68:3F:AF:2C:38:37:E8:3E:5A:B5:4E:AE:40:54:2F:12 -SHA1: - D2:E1:1C:C4:CD:53:03:2C:62:CC:4F:68:60:52:A3:DC: - 2F:2B:64:89 -SHA256: - B8:DA:7A:D4:79:75:63:2B:59:D4:C5:B9:61:3C:59:60: - E6:A3:7C:38:EE:55:48:45:CB:B8:91:D0:CB:C7:E6:5F -SHA512: - 8F:E1:12:D0:A5:D7:C0:B0:77:D6:56:22:B7:4C:96:D3: - 8F:F0:8E:0B:25:8D:48:E5:8F:15:44:44:B0:51:B4:96: - AE:DC:01:B1:EF:34:E5:48:20:CB:31:6B:00:20:3B:F4: - 30:1D:86:74:B1:CA:4F:4F:DD:6C:20:2B:75:DB:89:51MIIG3gYJKoZIhvcNAQcCoIIGzzCCBssCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIG -rzCCAxAwggH4oAMCAQICAQswDQYJKoZIhvcNAQELBQAwOTEXMBUGA1UEChMOQk9T -LlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x -MjA2MjUyMTA3MTJaFw0xNjA2MjUyMTA3MTJaMDcxFzAVBgNVBAoTDkJPUy5SRURI -QVQuQ09NMRwwGgYDVQQDExNPYmplY3QgU2lnbmluZyBDZXJ0MIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEApmaKlG/IR0uhPzJq5YpkJYSx5T3cZSWZ93Xt -CvLx1grsgajPbZiErKEmBznQpv3Or61cMEjJJ+RzI41rCRijXWaLgZpQNVrojA41 -ha+1nsRlHd+JVJZYhulUHSHZEDJ/a4xvlvMExDjwsZVAVMFAcyMmd1w3tHgiDezQ -S8Ie3n2WY0YJZ/Jh+2hBmlLoNrTqo9p4rnV2WSyzLYVP3++KXQUw/hF4gJBIzfI9 -dm2tmb+Zg8g6mp+VgzH/WvRGw8DJxSlO/0hAwr62to60DTyrv3UbAbxnc6oBCQ7j -Wlq5/5Es9sKK21tnO1fYy4LGEo0y3mCALpQonyMwRvW4rAE/AwIDAQABoyUwIzAO -BgNVHQ8BAf8EBAMCAoQwEQYJYIZIAYb4QgEBBAQDAgQQMA0GCSqGSIb3DQEBCwUA -A4IBAQCcxEcVFXZGuVBffCrPS4+GOvcqIiBUWLMC7AmGaD/K8GZVuGqa7RP3Gs95 -25hSkhtaEvOA2f3d8J70gYXW3wS4efWB/XiZ0WT0vEPoyEZIPVUp5XkEyYPpCJ4F -GXlgUlFEnwCOga4HWhQeLrO4tMliU6K0Yf03uvTN1CjVX8fCybD7f5xtp0Fv19Mn -SSwk+5uTed+aQ3+LRC3F0UAFL/8U6exeTvOKafAXs9eIlU7Sms6rHquSuxCgrEV3 -1uM49RXsEmGhGkx8ga3MMAKxMgW3ZAuXHcHyVFbzRVl632IgsusgZkwkG67nJqgt -DBcX0eKh88KQ/UO6708xT9vyfwq/MIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0B -AQsFADA5MRcwFQYDVQQKEw5CT1MuUkVESEFULkNPTTEeMBwGA1UEAxMVQ2VydGlm -aWNhdGUgQXV0aG9yaXR5MB4XDTEyMDYyNTIxMDQxNFoXDTIwMDYyNTIxMDQxNFow -OTEXMBUGA1UEChMOQk9TLlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRl 
-IEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQDgery -1wgDVSs2yLo1vM0QCPOFi12T5ree2J/ian0dfHbSS9T2GC2TQwjgJLFUnQGkKZ9P -TnASJSbPrILl19W/k+QwW3fPqvt+ryvXtK2Ezd3nFVUt6oKxj2bqxC0vS04k0Bab -qBfAiRILI4VKUgPWu3YI3k8Nret4+dUmA8EkfBe/FiCdAXdlxWRfkXiiKX6JRfVx -0xweVfw0IDJopNFqAeznvre6fHpzROqw3JKXgagBGYLRgLlontbHnY8teJjlrbBe -HQDKn3iOpjkWwHihYkODVSNr3lK8NnfeRjX2+qMOKzX6nkEpz1wigS+/BTtkrRDa -AB+oRKKR5D9Zy2sCAwEAAaOBqTCBpjAfBgNVHSMEGDAWgBT5QugkOI4hLnyQxmRS -gyB6JXCJmDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4E -FgQU+ULoJDiOIS58kMZkUoMgeiVwiZgwQwYIKwYBBQUHAQEENzA1MDMGCCsGAQUF -BzABhidodHRwOi8vcmFwaWVyLmJvcy5yZWRoYXQuY29tOjgwL2NhL29jc3AwDQYJ -KoZIhvcNAQELBQADggEBAC/7xtbqCLTNX/ctz3NW+TDRQcSBftVWMDK8G+4TAjKa -vsZdVnEKJAxo9UAcQL7A8/NFhxDwFGc3gF4agkGuZAMyZzUwynpY26yLyM4mBviv -KhJBvbNOykB5BdAags04/Zlb1Bgg9PZqc5ErjcICKTmBAmVxQ0Nzlv49Ts9kNTa+ -RZfNvne05dxNdJdPOWX7SHlh0GA/E6d/9+mlNn8x0uHMhbGlLC4EifeiijOyOLwH -6gwPXRPij+95RLxpRA6lXKVEUc5Iu2iZOn25b3xrYL7hFilzLA05vM/Z67UkJbBn -a01OM5RZIURKD5IGIuD6BTD/u0qzNq4EEF2HedELdVUxAA==bCertificate: - Data: - Version: v3 - Serial Number: 0xB - Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 - Issuer: CN=Certificate Authority,O=BOS.REDHAT.COM - Validity: - Not Before: Monday, June 25, 2012 5:07:12 PM EDT America/New_York - Not After: Saturday, June 25, 2016 5:07:12 PM EDT America/New_York - Subject: CN=Object Signing Cert,O=BOS.REDHAT.COM - Subject Public Key Info: - Algorithm: RSA - 1.2.840.113549.1.1.1 - Public Key: - Exponent: 65537 - Public Key Modulus: (2048 bits) : - A6:66:8A:94:6F:C8:47:4B:A1:3F:32:6A:E5:8A:64:25: - 84:B1:E5:3D:DC:65:25:99:F7:75:ED:0A:F2:F1:D6:0A: - EC:81:A8:CF:6D:98:84:AC:A1:26:07:39:D0:A6:FD:CE: - AF:AD:5C:30:48:C9:27:E4:73:23:8D:6B:09:18:A3:5D: - 66:8B:81:9A:50:35:5A:E8:8C:0E:35:85:AF:B5:9E:C4: - 65:1D:DF:89:54:96:58:86:E9:54:1D:21:D9:10:32:7F: - 6B:8C:6F:96:F3:04:C4:38:F0:B1:95:40:54:C1:40:73: - 23:26:77:5C:37:B4:78:22:0D:EC:D0:4B:C2:1E:DE:7D: - 
96:63:46:09:67:F2:61:FB:68:41:9A:52:E8:36:B4:EA: - A3:DA:78:AE:75:76:59:2C:B3:2D:85:4F:DF:EF:8A:5D: - 05:30:FE:11:78:80:90:48:CD:F2:3D:76:6D:AD:99:BF: - 99:83:C8:3A:9A:9F:95:83:31:FF:5A:F4:46:C3:C0:C9: - C5:29:4E:FF:48:40:C2:BE:B6:B6:8E:B4:0D:3C:AB:BF: - 75:1B:01:BC:67:73:AA:01:09:0E:E3:5A:5A:B9:FF:91: - 2C:F6:C2:8A:DB:5B:67:3B:57:D8:CB:82:C6:12:8D:32: - DE:60:80:2E:94:28:9F:23:30:46:F5:B8:AC:01:3F:03 - Extensions: - Identifier: Key Usage: - 2.5.29.15 - Critical: yes - Key Usage: - Digital Signature - Key CertSign - Identifier: Netscape Certificate Type - 2.16.840.1.113730.1.1 - Critical: no - Certificate Usage: - Object Signing - Signature: - Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 - Signature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ingerPrint - MD2: - 2B:E7:39:53:38:28:68:11:65:8A:E3:7B:36:4E:A9:44 - MD5: - 68:3F:AF:2C:38:37:E8:3E:5A:B5:4E:AE:40:54:2F:12 - SHA1: - D2:E1:1C:C4:CD:53:03:2C:62:CC:4F:68:60:52:A3:DC: - 2F:2B:64:89 - SHA256: - B8:DA:7A:D4:79:75:63:2B:59:D4:C5:B9:61:3C:59:60: - E6:A3:7C:38:EE:55:48:45:CB:B8:91:D0:CB:C7:E6:5F - SHA512: - 8F:E1:12:D0:A5:D7:C0:B0:77:D6:56:22:B7:4C:96:D3: - 8F:F0:8E:0B:25:8D:48:E5:8F:15:44:44:B0:51:B4:96: - AE:DC:01:B1:EF:34:E5:48:20:CB:31:6B:00:20:3B:F4: - 30:1D:86:74:B1:CA:4F:4F:DD:6C:20:2B:75:DB:89:51-----BEGIN CERTIFICATE----- -MIIDEDCCAfigAwIBAgIBCzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5CT1Mu -UkVESEFULkNPTTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEy -MDYyNTIxMDcxMloXDTE2MDYyNTIxMDcxMlowNzEXMBUGA1UEChMOQk9TLlJFREhB -VC5DT00xHDAaBgNVBAMTE09iamVjdCBTaWduaW5nIENlcnQwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQCmZoqUb8hHS6E/MmrlimQlhLHlPdxlJZn3de0K -8vHWCuyBqM9tmISsoSYHOdCm/c6vrVwwSMkn5HMjjWsJGKNdZouBmlA1WuiMDjWF -r7WexGUd34lUlliG6VQdIdkQMn9rjG+W8wTEOPCxlUBUwUBzIyZ3XDe0eCIN7NBL -wh7efZZjRgln8mH7aEGaUug2tOqj2niudXZZLLMthU/f74pdBTD+EXiAkEjN8j12 -ba2Zv5mDyDqan5WDMf9a9EbDwMnFKU7/SEDCvra2jrQNPKu/dRsBvGdzqgEJDuNa -Wrn/kSz2worbW2c7V9jLgsYSjTLeYIAulCifIzBG9bisAT8DAgMBAAGjJTAjMA4G 
-A1UdDwEB/wQEAwIChDARBglghkgBhvhCAQEEBAMCBBAwDQYJKoZIhvcNAQELBQAD -ggEBAJzERxUVdka5UF98Ks9Lj4Y69yoiIFRYswLsCYZoP8rwZlW4aprtE/caz3nb -mFKSG1oS84DZ/d3wnvSBhdbfBLh59YH9eJnRZPS8Q+jIRkg9VSnleQTJg+kIngUZ -eWBSUUSfAI6BrgdaFB4us7i0yWJTorRh/Te69M3UKNVfx8LJsPt/nG2nQW/X0ydJ -LCT7m5N535pDf4tELcXRQAUv/xTp7F5O84pp8Bez14iVTtKazqseq5K7EKCsRXfW -4zj1FewSYaEaTHyBrcwwArEyBbdkC5cdwfJUVvNFWXrfYiCy6yBmTCQbrucmqC0M -FxfR4qHzwpD9Q7rvTzFP2/J/Cr8= - ------END CERTIFICATE-----
diff --git a/tests/019-dparse/good.displayCertFromRequest-extra-line.xml b/tests/019-dparse/good.displayCertFromRequest-extra-line.xml new file mode 100644 index 0000000..ef5a8e6 --- /dev/null +++ b/tests/019-dparse/good.displayCertFromRequest-extra-line.xml @@ -0,0 +1,145 @@ +
true11
http9180rapier.bos.redhat.comrapier.bos.redhat.com11Certificate Manager9180MD2: + 2B:E7:39:53:38:28:68:11:65:8A:E3:7B:36:4E:A9:44 +MD5: + 68:3F:AF:2C:38:37:E8:3E:5A:B5:4E:AE:40:54:2F:12 +SHA1: + D2:E1:1C:C4:CD:53:03:2C:62:CC:4F:68:60:52:A3:DC: + 2F:2B:64:89 +SHA256: + B8:DA:7A:D4:79:75:63:2B:59:D4:C5:B9:61:3C:59:60: + E6:A3:7C:38:EE:55:48:45:CB:B8:91:D0:CB:C7:E6:5F +SHA512: + 8F:E1:12:D0:A5:D7:C0:B0:77:D6:56:22:B7:4C:96:D3: + 8F:F0:8E:0B:25:8D:48:E5:8F:15:44:44:B0:51:B4:96: + AE:DC:01:B1:EF:34:E5:48:20:CB:31:6B:00:20:3B:F4: + 30:1D:86:74:B1:CA:4F:4F:DD:6C:20:2B:75:DB:89:51MIIG3gYJKoZIhvcNAQcCoIIGzzCCBssCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIG +rzCCAxAwggH4oAMCAQICAQswDQYJKoZIhvcNAQELBQAwOTEXMBUGA1UEChMOQk9T +LlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x +MjA2MjUyMTA3MTJaFw0xNjA2MjUyMTA3MTJaMDcxFzAVBgNVBAoTDkJPUy5SRURI +QVQuQ09NMRwwGgYDVQQDExNPYmplY3QgU2lnbmluZyBDZXJ0MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEApmaKlG/IR0uhPzJq5YpkJYSx5T3cZSWZ93Xt +CvLx1grsgajPbZiErKEmBznQpv3Or61cMEjJJ+RzI41rCRijXWaLgZpQNVrojA41 +ha+1nsRlHd+JVJZYhulUHSHZEDJ/a4xvlvMExDjwsZVAVMFAcyMmd1w3tHgiDezQ +S8Ie3n2WY0YJZ/Jh+2hBmlLoNrTqo9p4rnV2WSyzLYVP3++KXQUw/hF4gJBIzfI9 +dm2tmb+Zg8g6mp+VgzH/WvRGw8DJxSlO/0hAwr62to60DTyrv3UbAbxnc6oBCQ7j +Wlq5/5Es9sKK21tnO1fYy4LGEo0y3mCALpQonyMwRvW4rAE/AwIDAQABoyUwIzAO +BgNVHQ8BAf8EBAMCAoQwEQYJYIZIAYb4QgEBBAQDAgQQMA0GCSqGSIb3DQEBCwUA +A4IBAQCcxEcVFXZGuVBffCrPS4+GOvcqIiBUWLMC7AmGaD/K8GZVuGqa7RP3Gs95 +25hSkhtaEvOA2f3d8J70gYXW3wS4efWB/XiZ0WT0vEPoyEZIPVUp5XkEyYPpCJ4F +GXlgUlFEnwCOga4HWhQeLrO4tMliU6K0Yf03uvTN1CjVX8fCybD7f5xtp0Fv19Mn +SSwk+5uTed+aQ3+LRC3F0UAFL/8U6exeTvOKafAXs9eIlU7Sms6rHquSuxCgrEV3 +1uM49RXsEmGhGkx8ga3MMAKxMgW3ZAuXHcHyVFbzRVl632IgsusgZkwkG67nJqgt +DBcX0eKh88KQ/UO6708xT9vyfwq/MIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0B +AQsFADA5MRcwFQYDVQQKEw5CT1MuUkVESEFULkNPTTEeMBwGA1UEAxMVQ2VydGlm +aWNhdGUgQXV0aG9yaXR5MB4XDTEyMDYyNTIxMDQxNFoXDTIwMDYyNTIxMDQxNFow +OTEXMBUGA1UEChMOQk9TLlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRl 
+IEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQDgery +1wgDVSs2yLo1vM0QCPOFi12T5ree2J/ian0dfHbSS9T2GC2TQwjgJLFUnQGkKZ9P +TnASJSbPrILl19W/k+QwW3fPqvt+ryvXtK2Ezd3nFVUt6oKxj2bqxC0vS04k0Bab +qBfAiRILI4VKUgPWu3YI3k8Nret4+dUmA8EkfBe/FiCdAXdlxWRfkXiiKX6JRfVx +0xweVfw0IDJopNFqAeznvre6fHpzROqw3JKXgagBGYLRgLlontbHnY8teJjlrbBe +HQDKn3iOpjkWwHihYkODVSNr3lK8NnfeRjX2+qMOKzX6nkEpz1wigS+/BTtkrRDa +AB+oRKKR5D9Zy2sCAwEAAaOBqTCBpjAfBgNVHSMEGDAWgBT5QugkOI4hLnyQxmRS +gyB6JXCJmDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4E +FgQU+ULoJDiOIS58kMZkUoMgeiVwiZgwQwYIKwYBBQUHAQEENzA1MDMGCCsGAQUF +BzABhidodHRwOi8vcmFwaWVyLmJvcy5yZWRoYXQuY29tOjgwL2NhL29jc3AwDQYJ +KoZIhvcNAQELBQADggEBAC/7xtbqCLTNX/ctz3NW+TDRQcSBftVWMDK8G+4TAjKa +vsZdVnEKJAxo9UAcQL7A8/NFhxDwFGc3gF4agkGuZAMyZzUwynpY26yLyM4mBviv +KhJBvbNOykB5BdAags04/Zlb1Bgg9PZqc5ErjcICKTmBAmVxQ0Nzlv49Ts9kNTa+ +RZfNvne05dxNdJdPOWX7SHlh0GA/E6d/9+mlNn8x0uHMhbGlLC4EifeiijOyOLwH +6gwPXRPij+95RLxpRA6lXKVEUc5Iu2iZOn25b3xrYL7hFilzLA05vM/Z67UkJbBn +a01OM5RZIURKD5IGIuD6BTD/u0qzNq4EEF2HedELdVUxAA==bCertificate: + Data: + Version: v3 + Serial Number: 0xB + Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 + Issuer: CN=Certificate Authority,O=BOS.REDHAT.COM + Validity: + Not Before: Monday, June 25, 2012 5:07:12 PM EDT America/New_York + Not After: Saturday, June 25, 2016 5:07:12 PM EDT America/New_York + Subject: CN=Object Signing Cert,O=BOS.REDHAT.COM + Subject Public Key Info: + Algorithm: RSA - 1.2.840.113549.1.1.1 + Public Key: + Exponent: 65537 + Public Key Modulus: (2048 bits) : + A6:66:8A:94:6F:C8:47:4B:A1:3F:32:6A:E5:8A:64:25: + 84:B1:E5:3D:DC:65:25:99:F7:75:ED:0A:F2:F1:D6:0A: + EC:81:A8:CF:6D:98:84:AC:A1:26:07:39:D0:A6:FD:CE: + AF:AD:5C:30:48:C9:27:E4:73:23:8D:6B:09:18:A3:5D: + 66:8B:81:9A:50:35:5A:E8:8C:0E:35:85:AF:B5:9E:C4: + 65:1D:DF:89:54:96:58:86:E9:54:1D:21:D9:10:32:7F: + 6B:8C:6F:96:F3:04:C4:38:F0:B1:95:40:54:C1:40:73: + 23:26:77:5C:37:B4:78:22:0D:EC:D0:4B:C2:1E:DE:7D: + 
96:63:46:09:67:F2:61:FB:68:41:9A:52:E8:36:B4:EA: + A3:DA:78:AE:75:76:59:2C:B3:2D:85:4F:DF:EF:8A:5D: + 05:30:FE:11:78:80:90:48:CD:F2:3D:76:6D:AD:99:BF: + 99:83:C8:3A:9A:9F:95:83:31:FF:5A:F4:46:C3:C0:C9: + C5:29:4E:FF:48:40:C2:BE:B6:B6:8E:B4:0D:3C:AB:BF: + 75:1B:01:BC:67:73:AA:01:09:0E:E3:5A:5A:B9:FF:91: + 2C:F6:C2:8A:DB:5B:67:3B:57:D8:CB:82:C6:12:8D:32: + DE:60:80:2E:94:28:9F:23:30:46:F5:B8:AC:01:3F:03 + Extensions: + Identifier: Key Usage: - 2.5.29.15 + Critical: yes + Key Usage: + Digital Signature + Key CertSign + Identifier: Netscape Certificate Type - 2.16.840.1.113730.1.1 + Critical: no + Certificate Usage: + Object Signing + Signature: + Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 + Signature: + 9C:C4:47:15:15:76:46:B9:50:5F:7C:2A:CF:4B:8F:86: + 3A:F7:2A:22:20:54:58:B3:02:EC:09:86:68:3F:CA:F0: + 66:55:B8:6A:9A:ED:13:F7:1A:CF:79:DB:98:52:92:1B: + 5A:12:F3:80:D9:FD:DD:F0:9E:F4:81:85:D6:DF:04:B8: + 79:F5:81:FD:78:99:D1:64:F4:BC:43:E8:C8:46:48:3D: + 55:29:E5:79:04:C9:83:E9:08:9E:05:19:79:60:52:51: + 44:9F:00:8E:81:AE:07:5A:14:1E:2E:B3:B8:B4:C9:62: + 53:A2:B4:61:FD:37:BA:F4:CD:D4:28:D5:5F:C7:C2:C9: + B0:FB:7F:9C:6D:A7:41:6F:D7:D3:27:49:2C:24:FB:9B: + 93:79:DF:9A:43:7F:8B:44:2D:C5:D1:40:05:2F:FF:14: + E9:EC:5E:4E:F3:8A:69:F0:17:B3:D7:88:95:4E:D2:9A: + CE:AB:1E:AB:92:BB:10:A0:AC:45:77:D6:E3:38:F5:15: + EC:12:61:A1:1A:4C:7C:81:AD:CC:30:02:B1:32:05:B7: + 64:0B:97:1D:C1:F2:54:56:F3:45:59:7A:DF:62:20:B2: + EB:20:66:4C:24:1B:AE:E7:26:A8:2D:0C:17:17:D1:E2: + A1:F3:C2:90:FD:43:BA:EF:4F:31:4F:DB:F2:7F:0A:BF + FingerPrint + MD2: + 2B:E7:39:53:38:28:68:11:65:8A:E3:7B:36:4E:A9:44 + MD5: + 68:3F:AF:2C:38:37:E8:3E:5A:B5:4E:AE:40:54:2F:12 + SHA1: + D2:E1:1C:C4:CD:53:03:2C:62:CC:4F:68:60:52:A3:DC: + 2F:2B:64:89 + SHA256: + B8:DA:7A:D4:79:75:63:2B:59:D4:C5:B9:61:3C:59:60: + E6:A3:7C:38:EE:55:48:45:CB:B8:91:D0:CB:C7:E6:5F + SHA512: + 8F:E1:12:D0:A5:D7:C0:B0:77:D6:56:22:B7:4C:96:D3: + 8F:F0:8E:0B:25:8D:48:E5:8F:15:44:44:B0:51:B4:96: + 
AE:DC:01:B1:EF:34:E5:48:20:CB:31:6B:00:20:3B:F4: + 30:1D:86:74:B1:CA:4F:4F:DD:6C:20:2B:75:DB:89:51-----BEGIN CERTIFICATE----- +MIIDEDCCAfigAwIBAgIBCzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5CT1Mu +UkVESEFULkNPTTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEy +MDYyNTIxMDcxMloXDTE2MDYyNTIxMDcxMlowNzEXMBUGA1UEChMOQk9TLlJFREhB +VC5DT00xHDAaBgNVBAMTE09iamVjdCBTaWduaW5nIENlcnQwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCmZoqUb8hHS6E/MmrlimQlhLHlPdxlJZn3de0K +8vHWCuyBqM9tmISsoSYHOdCm/c6vrVwwSMkn5HMjjWsJGKNdZouBmlA1WuiMDjWF +r7WexGUd34lUlliG6VQdIdkQMn9rjG+W8wTEOPCxlUBUwUBzIyZ3XDe0eCIN7NBL +wh7efZZjRgln8mH7aEGaUug2tOqj2niudXZZLLMthU/f74pdBTD+EXiAkEjN8j12 +ba2Zv5mDyDqan5WDMf9a9EbDwMnFKU7/SEDCvra2jrQNPKu/dRsBvGdzqgEJDuNa +Wrn/kSz2worbW2c7V9jLgsYSjTLeYIAulCifIzBG9bisAT8DAgMBAAGjJTAjMA4G +A1UdDwEB/wQEAwIChDARBglghkgBhvhCAQEEBAMCBBAwDQYJKoZIhvcNAQELBQAD +ggEBAJzERxUVdka5UF98Ks9Lj4Y69yoiIFRYswLsCYZoP8rwZlW4aprtE/caz3nb +mFKSG1oS84DZ/d3wnvSBhdbfBLh59YH9eJnRZPS8Q+jIRkg9VSnleQTJg+kIngUZ +eWBSUUSfAI6BrgdaFB4us7i0yWJTorRh/Te69M3UKNVfx8LJsPt/nG2nQW/X0ydJ +LCT7m5N535pDf4tELcXRQAUv/xTp7F5O84pp8Bez14iVTtKazqseq5K7EKCsRXfW +4zj1FewSYaEaTHyBrcwwArEyBbdkC5cdwfJUVvNFWXrfYiCy6yBmTCQbrucmqC0M +FxfR4qHzwpD9Q7rvTzFP2/J/Cr8= + +-----END CERTIFICATE-----
diff --git a/tests/019-dparse/good.displayCertFromRequest.json b/tests/019-dparse/good.displayCertFromRequest.json
new file mode 100644
index 0000000..ea6456f
--- /dev/null
+++ b/tests/019-dparse/good.displayCertFromRequest.json
@@ -0,0 +1,26 @@
+{
+ "error": null,
+ "id": 0,
+ "principal": "admin@EXAMPLE.TEST",
+ "result": {
+ "result": {
+ "cacn": "ipa",
+ "certificate": "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",
+ "issuer": "CN=Certificate Authority,O=EXAMPLE.TEST",
+ "revoked": false,
+ "san_dnsname": [
+ {
+ "__dns_name__": "ipa.example.test"
+ }
+ ],
+ "serial_number": "289685723583169793116928819144687131104",
+ "serial_number_hex": "0xD9EF70E22AB171CC85C65266239899E0",
+ "subject": "CN=ipa.example.test,O=EXAMPLE.TEST",
+ "valid_not_after": "Mon Nov 02 15:35:17 2026 UTC",
+ "valid_not_before": "Tue Nov 12 15:35:17 2024 UTC"
+ },
+ "summary": null,
+ "value": "289685723583169793116928819144687131104"
+ },
+ "version": "4.13.0.dev202409181703+git4bfbf0ba9"
+}
diff --git a/tests/019-dparse/good.displayCertFromRequest.xml b/tests/019-dparse/good.displayCertFromRequest.xml
new file mode 100644
index 0000000..9fdd1b9
--- /dev/null
+++ b/tests/019-dparse/good.displayCertFromRequest.xml
@@ -0,0 +1,144 @@
+
true11
http9180rapier.bos.redhat.comrapier.bos.redhat.com11Certificate Manager9180MD2: + 2B:E7:39:53:38:28:68:11:65:8A:E3:7B:36:4E:A9:44 +MD5: + 68:3F:AF:2C:38:37:E8:3E:5A:B5:4E:AE:40:54:2F:12 +SHA1: + D2:E1:1C:C4:CD:53:03:2C:62:CC:4F:68:60:52:A3:DC: + 2F:2B:64:89 +SHA256: + B8:DA:7A:D4:79:75:63:2B:59:D4:C5:B9:61:3C:59:60: + E6:A3:7C:38:EE:55:48:45:CB:B8:91:D0:CB:C7:E6:5F +SHA512: + 8F:E1:12:D0:A5:D7:C0:B0:77:D6:56:22:B7:4C:96:D3: + 8F:F0:8E:0B:25:8D:48:E5:8F:15:44:44:B0:51:B4:96: + AE:DC:01:B1:EF:34:E5:48:20:CB:31:6B:00:20:3B:F4: + 30:1D:86:74:B1:CA:4F:4F:DD:6C:20:2B:75:DB:89:51MIIG3gYJKoZIhvcNAQcCoIIGzzCCBssCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIG +rzCCAxAwggH4oAMCAQICAQswDQYJKoZIhvcNAQELBQAwOTEXMBUGA1UEChMOQk9T +LlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x +MjA2MjUyMTA3MTJaFw0xNjA2MjUyMTA3MTJaMDcxFzAVBgNVBAoTDkJPUy5SRURI +QVQuQ09NMRwwGgYDVQQDExNPYmplY3QgU2lnbmluZyBDZXJ0MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEApmaKlG/IR0uhPzJq5YpkJYSx5T3cZSWZ93Xt +CvLx1grsgajPbZiErKEmBznQpv3Or61cMEjJJ+RzI41rCRijXWaLgZpQNVrojA41 +ha+1nsRlHd+JVJZYhulUHSHZEDJ/a4xvlvMExDjwsZVAVMFAcyMmd1w3tHgiDezQ +S8Ie3n2WY0YJZ/Jh+2hBmlLoNrTqo9p4rnV2WSyzLYVP3++KXQUw/hF4gJBIzfI9 +dm2tmb+Zg8g6mp+VgzH/WvRGw8DJxSlO/0hAwr62to60DTyrv3UbAbxnc6oBCQ7j +Wlq5/5Es9sKK21tnO1fYy4LGEo0y3mCALpQonyMwRvW4rAE/AwIDAQABoyUwIzAO +BgNVHQ8BAf8EBAMCAoQwEQYJYIZIAYb4QgEBBAQDAgQQMA0GCSqGSIb3DQEBCwUA +A4IBAQCcxEcVFXZGuVBffCrPS4+GOvcqIiBUWLMC7AmGaD/K8GZVuGqa7RP3Gs95 +25hSkhtaEvOA2f3d8J70gYXW3wS4efWB/XiZ0WT0vEPoyEZIPVUp5XkEyYPpCJ4F +GXlgUlFEnwCOga4HWhQeLrO4tMliU6K0Yf03uvTN1CjVX8fCybD7f5xtp0Fv19Mn +SSwk+5uTed+aQ3+LRC3F0UAFL/8U6exeTvOKafAXs9eIlU7Sms6rHquSuxCgrEV3 +1uM49RXsEmGhGkx8ga3MMAKxMgW3ZAuXHcHyVFbzRVl632IgsusgZkwkG67nJqgt +DBcX0eKh88KQ/UO6708xT9vyfwq/MIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0B +AQsFADA5MRcwFQYDVQQKEw5CT1MuUkVESEFULkNPTTEeMBwGA1UEAxMVQ2VydGlm +aWNhdGUgQXV0aG9yaXR5MB4XDTEyMDYyNTIxMDQxNFoXDTIwMDYyNTIxMDQxNFow +OTEXMBUGA1UEChMOQk9TLlJFREhBVC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRl 
+IEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQDgery +1wgDVSs2yLo1vM0QCPOFi12T5ree2J/ian0dfHbSS9T2GC2TQwjgJLFUnQGkKZ9P +TnASJSbPrILl19W/k+QwW3fPqvt+ryvXtK2Ezd3nFVUt6oKxj2bqxC0vS04k0Bab +qBfAiRILI4VKUgPWu3YI3k8Nret4+dUmA8EkfBe/FiCdAXdlxWRfkXiiKX6JRfVx +0xweVfw0IDJopNFqAeznvre6fHpzROqw3JKXgagBGYLRgLlontbHnY8teJjlrbBe +HQDKn3iOpjkWwHihYkODVSNr3lK8NnfeRjX2+qMOKzX6nkEpz1wigS+/BTtkrRDa +AB+oRKKR5D9Zy2sCAwEAAaOBqTCBpjAfBgNVHSMEGDAWgBT5QugkOI4hLnyQxmRS +gyB6JXCJmDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4E +FgQU+ULoJDiOIS58kMZkUoMgeiVwiZgwQwYIKwYBBQUHAQEENzA1MDMGCCsGAQUF +BzABhidodHRwOi8vcmFwaWVyLmJvcy5yZWRoYXQuY29tOjgwL2NhL29jc3AwDQYJ +KoZIhvcNAQELBQADggEBAC/7xtbqCLTNX/ctz3NW+TDRQcSBftVWMDK8G+4TAjKa +vsZdVnEKJAxo9UAcQL7A8/NFhxDwFGc3gF4agkGuZAMyZzUwynpY26yLyM4mBviv +KhJBvbNOykB5BdAags04/Zlb1Bgg9PZqc5ErjcICKTmBAmVxQ0Nzlv49Ts9kNTa+ +RZfNvne05dxNdJdPOWX7SHlh0GA/E6d/9+mlNn8x0uHMhbGlLC4EifeiijOyOLwH +6gwPXRPij+95RLxpRA6lXKVEUc5Iu2iZOn25b3xrYL7hFilzLA05vM/Z67UkJbBn +a01OM5RZIURKD5IGIuD6BTD/u0qzNq4EEF2HedELdVUxAA==bCertificate: + Data: + Version: v3 + Serial Number: 0xB + Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 + Issuer: CN=Certificate Authority,O=BOS.REDHAT.COM + Validity: + Not Before: Monday, June 25, 2012 5:07:12 PM EDT America/New_York + Not After: Saturday, June 25, 2016 5:07:12 PM EDT America/New_York + Subject: CN=Object Signing Cert,O=BOS.REDHAT.COM + Subject Public Key Info: + Algorithm: RSA - 1.2.840.113549.1.1.1 + Public Key: + Exponent: 65537 + Public Key Modulus: (2048 bits) : + A6:66:8A:94:6F:C8:47:4B:A1:3F:32:6A:E5:8A:64:25: + 84:B1:E5:3D:DC:65:25:99:F7:75:ED:0A:F2:F1:D6:0A: + EC:81:A8:CF:6D:98:84:AC:A1:26:07:39:D0:A6:FD:CE: + AF:AD:5C:30:48:C9:27:E4:73:23:8D:6B:09:18:A3:5D: + 66:8B:81:9A:50:35:5A:E8:8C:0E:35:85:AF:B5:9E:C4: + 65:1D:DF:89:54:96:58:86:E9:54:1D:21:D9:10:32:7F: + 6B:8C:6F:96:F3:04:C4:38:F0:B1:95:40:54:C1:40:73: + 23:26:77:5C:37:B4:78:22:0D:EC:D0:4B:C2:1E:DE:7D: + 
96:63:46:09:67:F2:61:FB:68:41:9A:52:E8:36:B4:EA: + A3:DA:78:AE:75:76:59:2C:B3:2D:85:4F:DF:EF:8A:5D: + 05:30:FE:11:78:80:90:48:CD:F2:3D:76:6D:AD:99:BF: + 99:83:C8:3A:9A:9F:95:83:31:FF:5A:F4:46:C3:C0:C9: + C5:29:4E:FF:48:40:C2:BE:B6:B6:8E:B4:0D:3C:AB:BF: + 75:1B:01:BC:67:73:AA:01:09:0E:E3:5A:5A:B9:FF:91: + 2C:F6:C2:8A:DB:5B:67:3B:57:D8:CB:82:C6:12:8D:32: + DE:60:80:2E:94:28:9F:23:30:46:F5:B8:AC:01:3F:03 + Extensions: + Identifier: Key Usage: - 2.5.29.15 + Critical: yes + Key Usage: + Digital Signature + Key CertSign + Identifier: Netscape Certificate Type - 2.16.840.1.113730.1.1 + Critical: no + Certificate Usage: + Object Signing + Signature: + Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 + Signature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ingerPrint + MD2: + 2B:E7:39:53:38:28:68:11:65:8A:E3:7B:36:4E:A9:44 + MD5: + 68:3F:AF:2C:38:37:E8:3E:5A:B5:4E:AE:40:54:2F:12 + SHA1: + D2:E1:1C:C4:CD:53:03:2C:62:CC:4F:68:60:52:A3:DC: + 2F:2B:64:89 + SHA256: + B8:DA:7A:D4:79:75:63:2B:59:D4:C5:B9:61:3C:59:60: + E6:A3:7C:38:EE:55:48:45:CB:B8:91:D0:CB:C7:E6:5F + SHA512: + 8F:E1:12:D0:A5:D7:C0:B0:77:D6:56:22:B7:4C:96:D3: + 8F:F0:8E:0B:25:8D:48:E5:8F:15:44:44:B0:51:B4:96: + AE:DC:01:B1:EF:34:E5:48:20:CB:31:6B:00:20:3B:F4: + 30:1D:86:74:B1:CA:4F:4F:DD:6C:20:2B:75:DB:89:51-----BEGIN CERTIFICATE----- +MIIDEDCCAfigAwIBAgIBCzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5CT1Mu +UkVESEFULkNPTTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEy +MDYyNTIxMDcxMloXDTE2MDYyNTIxMDcxMlowNzEXMBUGA1UEChMOQk9TLlJFREhB +VC5DT00xHDAaBgNVBAMTE09iamVjdCBTaWduaW5nIENlcnQwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCmZoqUb8hHS6E/MmrlimQlhLHlPdxlJZn3de0K +8vHWCuyBqM9tmISsoSYHOdCm/c6vrVwwSMkn5HMjjWsJGKNdZouBmlA1WuiMDjWF +r7WexGUd34lUlliG6VQdIdkQMn9rjG+W8wTEOPCxlUBUwUBzIyZ3XDe0eCIN7NBL +wh7efZZjRgln8mH7aEGaUug2tOqj2niudXZZLLMthU/f74pdBTD+EXiAkEjN8j12 +ba2Zv5mDyDqan5WDMf9a9EbDwMnFKU7/SEDCvra2jrQNPKu/dRsBvGdzqgEJDuNa +Wrn/kSz2worbW2c7V9jLgsYSjTLeYIAulCifIzBG9bisAT8DAgMBAAGjJTAjMA4G 
+A1UdDwEB/wQEAwIChDARBglghkgBhvhCAQEEBAMCBBAwDQYJKoZIhvcNAQELBQAD +ggEBAJzERxUVdka5UF98Ks9Lj4Y69yoiIFRYswLsCYZoP8rwZlW4aprtE/caz3nb +mFKSG1oS84DZ/d3wnvSBhdbfBLh59YH9eJnRZPS8Q+jIRkg9VSnleQTJg+kIngUZ +eWBSUUSfAI6BrgdaFB4us7i0yWJTorRh/Te69M3UKNVfx8LJsPt/nG2nQW/X0ydJ +LCT7m5N535pDf4tELcXRQAUv/xTp7F5O84pp8Bez14iVTtKazqseq5K7EKCsRXfW +4zj1FewSYaEaTHyBrcwwArEyBbdkC5cdwfJUVvNFWXrfYiCy6yBmTCQbrucmqC0M +FxfR4qHzwpD9Q7rvTzFP2/J/Cr8= +-----END CERTIFICATE-----
diff --git a/tests/019-dparse/good.profileList b/tests/019-dparse/good.profileList
deleted file mode 100644
index 1597770..0000000
--- a/tests/019-dparse/good.profileList
+++ /dev/null
@@ -1,1028 +0,0 @@ - - - - - - - - - - - -This certificate profile is for enrolling user certificates. - - -true - - -Manual User Dual-Use Certificate Enrollment - - -admin - - -caUserCert - - -true - - - - - - -This certificate profile is for enrolling user certificates with S/MIME capabilities extension - OID: 1.2.840.113549.1.9.15 - - -true - - -Manual User Dual-Use S/MIME capabilities Certificate Enrollment - - -admin - - -caUserSMIMEcapCert - - -true - - - - - - -This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later. - - -true - - -Manual User Signing & Encryption Certificates Enrollment - - -admin - - -caDualCert - - -true - - - - - - -This profile is for enrolling audit log signing certificates - - -true - - -Manual Log Signing Certificate Enrollment - - -admin - - -caSignedLogCert - - -true - - - - - - -This certificate profile is for enrolling TPS server certificates. - - -true - - -Manual TPS Server Certificate Enrollment - - -admin - - -caTPSCert - - -true - - - - - - -This certificate profile is for enrolling router certificates. - - -true - - -RA Agent-Authenticated Router Certificate Enrollment - - -admin - - -caRARouterCert - - -false - - - - - - -This certificate profile is for enrolling router certificates. - - -true - - -One Time Pin Router Certificate Enrollment - - -admin - - -caRouterCert - - -false - - - - - - -This certificate profile is for enrolling server certificates. - - -true - - -Manual Server Certificate Enrollment - - -admin - - -caServerCert - - -true - - - - - - -This certificate profile is for enrolling other certificates. - - -true - - -Other Certificate Enrollment - - -admin - - -caOtherCert - - -true - - - - - - -This certificate profile is for enrolling Certificate Authority certificates. 
- - -true - - -Manual Certificate Manager Signing Certificate Enrollment - - -admin - - -caCACert - - -true - - - - - - -This certificate profile is for enrolling Security Domain Certificate Authority certificates. - - -true - - -Manual Security Domain Certificate Authority Signing Certificate Enrollment - - -admin - - -caInstallCACert - - -true - - - - - - -This certificate profile is for enrolling Registration Manager certificates. - - -true - - -Manual Registration Manager Signing Certificate Enrollment - - -admin - - -caRACert - - -true - - - - - - -This certificate profile is for enrolling OCSP Manager certificates. - - -true - - -Manual OCSP Manager Signing Certificate Enrollment - - -admin - - -caOCSPCert - - -true - - - - - - -This certificate profile is for enrolling Data Recovery Manager transport certificates. - - -true - - -Manual Data Recovery Manager Transport Certificate Enrollment - - -admin - - -caTransportCert - - -true - - - - - - -This certificate profile is for enrolling user certificates with directory-based authentication. - - -true - - -Directory-Authenticated User Dual-Use Certificate Enrollment - - -admin - - -caDirUserCert - - -true - - - - - - -This certificate profile is for enrolling server certificates with agent authentication. - - -true - - -Agent-Authenticated Server Certificate Enrollment - - -admin - - -caAgentServerCert - - -true - - - - - - -This certificate profile is for getting file signing certificate with agent authentication. - - -true - - -Agent-Authenticated File Signing - - -admin - - -caAgentFileSigning - - -true - - - - - - -This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. - - -true - - -Signed CMC-Authenticated User Certificate Enrollment - - -admin - - -caCMCUserCert - - -true - - - - - - -This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. 
- - -true - - -Signed CMC-Authenticated User Certificate Enrollment - - -admin - - -caFullCMCUserCert - - -false - - - - - - -This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. - - -true - - -Simple CMC Enrollment Request for User Certificate - - -admin - - -caSimpleCMCUserCert - - -false - - - - - - -This profile is for enrolling token device keys - - -true - - -Token Device Key Enrollment - - -admin - - -caTokenDeviceKeyEnrollment - - -false - - - - - - -This profile is for enrolling Token Encryption key - - -true - - -Token User Encryption Certificate Enrollment - - -admin - - -caTokenUserEncryptionKeyEnrollment - - -false - - - - - - -This profile is for enrolling Token Signing key - - -true - - -Token User Signing Certificate Enrollment - - -admin - - -caTokenUserSigningKeyEnrollment - - -false - - - - - - -This profile is for enrolling token device keys - - -true - - -Temporary Device Certificate Enrollment - - -admin - - -caTempTokenDeviceKeyEnrollment - - -false - - - - - - -This profile is for enrolling Token Encryption key - - -true - - -Temporary Token User Encryption Certificate Enrollment - - -admin - - -caTempTokenUserEncryptionKeyEnrollment - - -false - - - - - - -This profile is for enrolling Token Signing key - - -true - - -Temporary Token User Signing Certificate Enrollment - - -admin - - -caTempTokenUserSigningKeyEnrollment - - -false - - - - - - -This certificate profile is for enrolling Security Domain administrator's certificates with LDAP authentication against the internal LDAP database. - - -true - - -Security Domain Administrator Certificate Enrollment - - -admin - - -caAdminCert - - -false - - - - - - -This certificate profile is for enrolling Security Domain server certificates. 
- - -true - - -Security Domain Server Certificate Enrollment - - -admin - - -caInternalAuthServerCert - - -false - - - - - - -This certificate profile is for enrolling Security Domain Data Recovery Manager transport certificates. - - -true - - -Security Domain Data Recovery Manager Transport Certificate Enrollment - - -admin - - -caInternalAuthTransportCert - - -false - - - - - - -This certificate profile is for enrolling Security Domain DRM storage certificates - - -true - - -Security Domain DRM storage Certificate Enrollment - - -admin - - -caInternalAuthDRMstorageCert - - -false - - - - - - -This certificate profile is for enrolling Security Domain subsystem certificates. - - -true - - -Security Domain Subsysem Certificate Enrollment - - -admin - - -caInternalAuthSubsystemCert - - -false - - - - - - -This certificate profile is for enrolling Security Domain OCSP Manager certificates. - - -true - - -Security Domain OCSP Manager Signing Certificate Enrollment - - -admin - - -caInternalAuthOCSPCert - - -false - - - - - - -This certificate profile is for enrolling audit signing certificates. - - -true - - -Audit Signing Certificate Enrollment - - -admin - - -caInternalAuthAuditSigningCert - - -false - - - - - - -This profile is for enrolling Domain Controller Certificate - - -true - - -Domain Controller - - -admin - - -DomainController - - -true - - - - - - -This certificate profile is for enrolling user certificates with RA agent authentication. - - -true - - -RA Agent-Authenticated User Certificate Enrollment - - -admin - - -caDualRAuserCert - - -true - - - - - - -This certificate profile is for enrolling RA agent user certificates with RA agent authentication. - - -true - - -RA Agent-Authenticated Agent User Certificate Enrollment - - -admin - - -caRAagentCert - - -true - - - - - - -This certificate profile is for enrolling server certificates with RA agent authentication. 
- - -true - - -RA Agent-Authenticated Server Certificate Enrollment - - -admin - - -caRAserverCert - - -true - - - - - - -This certificate profile is for enrolling device certificates to contain UUID in the Subject Alternative Name extension - - -false - - -Manual device Dual-Use Certificate Enrollment to contain UUID in SAN - - - - - -caUUIDdeviceCert - - -true - - - - - - -This certificate profile is for renewing SSL client certificates. - - -true - - -Renewal: Self-renew user SSL client certificates - - -admin - - -caSSLClientSelfRenewal - - -true - - - - - - -This certificate profile is for renewing a certificate by serial number by using directory based authentication. - - -true - - -Renewal: Directory-Authenticated User Certificate Self-Renew profile - - -admin - - -caDirUserRenewal - - -true - - - - - - -This certificate profile is for renewing certificates to be approved manually by agents. - - -true - - -Renewal: Renew certificate to be manually approved by agents - - -admin - - -caManualRenewal - - -true - - - - - - -This profile is for enrolling MS Login Certificate - - -true - - -Token User MS Login Certificate Enrollment - - -admin - - -caTokenMSLoginEnrollment - - -false - - - - - - -This certificate profile is for renewing a token certificate - - -true - - -smart card token signing cert renewal profile - - -admin - - -caTokenUserSigningKeyRenewal - - -false - - - - - - -This certificate profile is for renewing a token encryption certificate - - -true - - -smart card token signing cert renewal profile - - -admin - - -caTokenUserEncryptionKeyRenewal - - -false - - - - - - -This is an IPA profile for enrolling Jar Signing certificates. - - -true - - -Manual Jar Signing Certificate Enrollment - - -admin - - -caJarSigningCert - - -false - - - - - - -This certificate profile is for enrolling server certificates with IPA-RA agent authentication. 
- - -true - - -IPA-RA Agent-Authenticated Server Certificate Enrollment - - -admin - - -caIPAserviceCert - - -false - - - - - - -0 - - - - diff --git a/tests/019-dparse/good.profileList.json b/tests/019-dparse/good.profileList.json new file mode 100644 index 0000000..74d3ef6 --- /dev/null +++ b/tests/019-dparse/good.profileList.json 
@@ -0,0 +1,1140 @@ +{ + "error": null, + "id": null, + "principal": "host/ipa.example.test@EXAMPLE.TEST", + "result": { + "count": 93, + "messages": [ + { + "code": 13001, + "data": { + "server_version": "2.254" + }, + "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.254", + "name": "VersionMissing", + "type": "warning" + } + ], + "result": [ + { + "cn": [ + "acmeIPAServerCert" + ], + "description": [ + "ACME IPA service certificate profile" + ], + "dn": "cn=acmeIPAServerCert,cn=certprofiles,cn=ca,dc=example,dc=test", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caIPAserviceCert" + ], + "description": [ + "Standard profile for network services" + ], + "dn": "cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=example,dc=test", + "ipacertprofilestoreissued": [ + true + ] + }, + { + "cn": [ + "IECUserRoles" + ], + "description": [ + "User profile that includes IECUserRoles extension from request" + ], + "dn": "cn=IECUserRoles,cn=certprofiles,cn=ca,dc=example,dc=test", + "ipacertprofilestoreissued": [ + true + ] + }, + { + "cn": [ + "KDCs_PKINIT_Certs" + ], + "description": [ + "Profile for PKINIT support by KDCs" + ], + "dn": "cn=KDCs_PKINIT_Certs,cn=certprofiles,cn=ca,dc=example,dc=test", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "acmeServerCert" + ], + "description": [ + "ACME Server Certificate Enrollment" + ], + "dn": "cn=acmeServerCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCserverCert" + ], + "description": [ + "Server Certificate Enrollment using CMC" + ], + "dn": "cn=caCMCserverCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCECserverCert" + ], + "description": [ + "Server Certificate wth ECC keys Enrollment using CMC" + ], + "dn": "cn=caCMCECserverCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCECsubsystemCert" + ], + "description": [ + "Subsystem Certificate 
Enrollment with ECC keys using CMC" + ], + "dn": "cn=caCMCECsubsystemCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCsubsystemCert" + ], + "description": [ + "Subsystem Certificate Enrollment using CMC" + ], + "dn": "cn=caCMCsubsystemCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCauditSigningCert" + ], + "description": [ + "Audit Signing Certificate Enrollment using CMC" + ], + "dn": "cn=caCMCauditSigningCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCcaCert" + ], + "description": [ + "Certificate Manager Signing Certificate Enrollment using CMC" + ], + "dn": "cn=caCMCcaCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCocspCert" + ], + "description": [ + "OCSP Responder Signing Certificate Enrollment using CMC" + ], + "dn": "cn=caCMCocspCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCkraTransportCert" + ], + "description": [ + "Key Archival Authority Transport Certificate Enrollment using CMC" + ], + "dn": "cn=caCMCkraTransportCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCkraStorageCert" + ], + "description": [ + "KRA storage Certificate Enrollment using CMC" + ], + "dn": "cn=caCMCkraStorageCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caServerKeygen_UserCert" + ], + "description": [ + "Manual User Dual-Use Certificate Enrollment using server-side Key generation" + ], + "dn": "cn=caServerKeygen_UserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caServerKeygen_DirUserCert" + ], + "description": [ + "Directory-authenticated User Dual-Use Certificate Enrollment using server-side Key generation" + ], + "dn": "cn=caServerKeygen_DirUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caUserCert" + ], + "description": [ + "Manual User Dual-Use Certificate Enrollment" + ], + "dn": "cn=caUserCert", + 
"ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECUserCert" + ], + "description": [ + "Manual User Dual-Use ECC Certificate Enrollment" + ], + "dn": "cn=caECUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caUserSMIMEcapCert" + ], + "description": [ + "Manual User Dual-Use S/MIME capabilities Certificate Enrollment" + ], + "dn": "cn=caUserSMIMEcapCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caDualCert" + ], + "description": [ + "Manual User Signing & Encryption Certificates Enrollment" + ], + "dn": "cn=caDualCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caDirBasedDualCert" + ], + "description": [ + "Directory-authenticated User Signing & Encryption Certificates Enrollment" + ], + "dn": "cn=caDirBasedDualCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "AdminCert" + ], + "description": [ + "Manual Administrator Certificate Enrollment" + ], + "dn": "cn=AdminCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "ECAdminCert" + ], + "description": [ + "Manual Administrator Certificate Enrollment with ECC keys" + ], + "dn": "cn=ECAdminCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caSignedLogCert" + ], + "description": [ + "(deprecated; use caAuditSigningCert) Manual Log Signing Certificate Enrollment" + ], + "dn": "cn=caSignedLogCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTPSCert" + ], + "description": [ + "Manual TPS Server Certificate Enrollment" + ], + "dn": "cn=caTPSCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caRARouterCert" + ], + "description": [ + "RA Agent-Authenticated Router Certificate Enrollment" + ], + "dn": "cn=caRARouterCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caRouterCert" + ], + "description": [ + "One Time Pin Router Certificate Enrollment" + ], + "dn": "cn=caRouterCert", + 
"ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caServerCert" + ], + "description": [ + "Manual Server Certificate Enrollment" + ], + "dn": "cn=caServerCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECServerCert" + ], + "description": [ + "Manual Server Certificate Enrollment with ECC keys" + ], + "dn": "cn=caECServerCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caServerCertWithSCT" + ], + "description": [ + "Manual Server SCT Certificate Enrollment" + ], + "dn": "cn=caServerCertWithSCT", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECServerCertWithSCT" + ], + "description": [ + "Manual Server SCT Certificate Enrollment with ECC keys" + ], + "dn": "cn=caECServerCertWithSCT", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caSubsystemCert" + ], + "description": [ + "Manual Subsystem Certificate Enrollment" + ], + "dn": "cn=caSubsystemCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECSubsystemCert" + ], + "description": [ + "Manual Subsystem Certificate Enrollment with ECC keys" + ], + "dn": "cn=caECSubsystemCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caOtherCert" + ], + "description": [ + "Other Certificate Enrollment" + ], + "dn": "cn=caOtherCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCACert" + ], + "description": [ + "Manual Certificate Manager Signing Certificate Enrollment" + ], + "dn": "cn=caCACert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCrossSignedCACert" + ], + "description": [ + "Manual Cross Signed Certificate Manager Signing Certificate Enrollment" + ], + "dn": "cn=caCrossSignedCACert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caInstallCACert" + ], + "description": [ + "Manual Security Domain Certificate Authority Signing Certificate Enrollment" + ], + "dn": "cn=caInstallCACert", + 
"ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caRACert" + ], + "description": [ + "Manual Registration Manager Signing Certificate Enrollment" + ], + "dn": "cn=caRACert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caOCSPCert" + ], + "description": [ + "Manual OCSP Manager Signing Certificate Enrollment" + ], + "dn": "cn=caOCSPCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caStorageCert" + ], + "description": [ + "Manual Data Recovery Manager Storage Certificate Enrollment" + ], + "dn": "cn=caStorageCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTransportCert" + ], + "description": [ + "Manual Data Recovery Manager Transport Certificate Enrollment" + ], + "dn": "cn=caTransportCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caDirPinUserCert" + ], + "description": [ + "Directory-Pin-Authenticated User Dual-Use Certificate Enrollment" + ], + "dn": "cn=caDirPinUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECDirPinUserCert" + ], + "description": [ + "Directory-Pin-Authenticated User Dual-Use ECC Certificate Enrollment" + ], + "dn": "cn=caECDirPinUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caDirUserCert" + ], + "description": [ + "Directory-Authenticated User Dual-Use Certificate Enrollment" + ], + "dn": "cn=caDirUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECDirUserCert" + ], + "description": [ + "Directory-Authenticated User ECC Certificate Enrollment" + ], + "dn": "cn=caECDirUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caAgentServerCert" + ], + "description": [ + "Agent-Authenticated Server Certificate Enrollment" + ], + "dn": "cn=caAgentServerCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECAgentServerCert" + ], + "description": [ + "Agent-Authenticated Server Certificate Enrollment 
with ECC keys" + ], + "dn": "cn=caECAgentServerCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caAgentFileSigning" + ], + "description": [ + "Agent-Authenticated File Signing" + ], + "dn": "cn=caAgentFileSigning", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCUserCert" + ], + "description": [ + "Signed CMC-Authenticated User Certificate Enrollment" + ], + "dn": "cn=caCMCUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCECUserCert" + ], + "description": [ + "Signed CMC-Authenticated User Certificate wth ECC keys Enrollment" + ], + "dn": "cn=caCMCECUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caCMCcaIssuanceProtectionCert" + ], + "description": [ + "CA Issuance Protection Certificate Enrollment using CMC" + ], + "dn": "cn=caCMCcaIssuanceProtectionCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caFullCMCUserCert" + ], + "description": [ + "Agent-Signed CMC-Authenticated User Certificate Enrollment" + ], + "dn": "cn=caFullCMCUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECFullCMCUserCert" + ], + "description": [ + "Agent-Signed CMC-Authenticated User Certificate Enrollment" + ], + "dn": "cn=caECFullCMCUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caFullCMCUserSignedCert" + ], + "description": [ + "User-Signed CMC-Authenticated User Certificate Enrollment" + ], + "dn": "cn=caFullCMCUserSignedCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECFullCMCUserSignedCert" + ], + "description": [ + "User-Signed CMC-Authenticated User Certificate Enrollment" + ], + "dn": "cn=caECFullCMCUserSignedCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caFullCMCSharedTokenCert" + ], + "description": [ + "CMC Shared Token User Certificate Enrollment" + ], + "dn": "cn=caFullCMCSharedTokenCert", + "ipacertprofilestoreissued": [ + 
false + ] + }, + { + "cn": [ + "caECFullCMCSharedTokenCert" + ], + "description": [ + "CMC Shared Token User Certificate Enrollment" + ], + "dn": "cn=caECFullCMCSharedTokenCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caSimpleCMCUserCert" + ], + "description": [ + "Simple CMC Enrollment Request for User Certificate" + ], + "dn": "cn=caSimpleCMCUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECSimpleCMCUserCert" + ], + "description": [ + "Simple CMC Enrollment Request for User Certificate" + ], + "dn": "cn=caECSimpleCMCUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTokenDeviceKeyEnrollment" + ], + "description": [ + "Token Device Key Enrollment" + ], + "dn": "cn=caTokenDeviceKeyEnrollment", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTokenUserEncryptionKeyEnrollment" + ], + "description": [ + "Token User Encryption Certificate Enrollment" + ], + "dn": "cn=caTokenUserEncryptionKeyEnrollment", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTokenUserSigningKeyEnrollment" + ], + "description": [ + "Token User Signing Certificate Enrollment" + ], + "dn": "cn=caTokenUserSigningKeyEnrollment", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTempTokenDeviceKeyEnrollment" + ], + "description": [ + "Temporary Device Certificate Enrollment" + ], + "dn": "cn=caTempTokenDeviceKeyEnrollment", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTempTokenUserEncryptionKeyEnrollment" + ], + "description": [ + "Temporary Token User Encryption Certificate Enrollment" + ], + "dn": "cn=caTempTokenUserEncryptionKeyEnrollment", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTempTokenUserSigningKeyEnrollment" + ], + "description": [ + "Temporary Token User Signing Certificate Enrollment" + ], + "dn": "cn=caTempTokenUserSigningKeyEnrollment", + "ipacertprofilestoreissued": [ + false + ] + }, + 
{ + "cn": [ + "caAdminCert" + ], + "description": [ + "Security Domain Administrator Certificate Enrollment" + ], + "dn": "cn=caAdminCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECAdminCert" + ], + "description": [ + "Security Domain Administrator Certificate Enrollment with ECC keys" + ], + "dn": "cn=caECAdminCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caInternalAuthServerCert" + ], + "description": [ + "Security Domain Server Certificate Enrollment" + ], + "dn": "cn=caInternalAuthServerCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECInternalAuthServerCert" + ], + "description": [ + "Security Domain Server Certificate Enrollment" + ], + "dn": "cn=caECInternalAuthServerCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caInternalAuthTransportCert" + ], + "description": [ + "Security Domain Data Recovery Manager Transport Certificate Enrollment" + ], + "dn": "cn=caInternalAuthTransportCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caInternalAuthDRMstorageCert" + ], + "description": [ + "Security Domain DRM storage Certificate Enrollment" + ], + "dn": "cn=caInternalAuthDRMstorageCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caInternalAuthSubsystemCert" + ], + "description": [ + "Security Domain Subsystem Certificate Enrollment" + ], + "dn": "cn=caInternalAuthSubsystemCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caECInternalAuthSubsystemCert" + ], + "description": [ + "Security Domain Subsystem Certificate Enrollment" + ], + "dn": "cn=caECInternalAuthSubsystemCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caInternalAuthOCSPCert" + ], + "description": [ + "Security Domain OCSP Manager Signing Certificate Enrollment" + ], + "dn": "cn=caInternalAuthOCSPCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + 
"caInternalAuthAuditSigningCert" + ], + "description": [ + "Audit Signing Certificate Enrollment" + ], + "dn": "cn=caInternalAuthAuditSigningCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "DomainController" + ], + "description": [ + "Domain Controller" + ], + "dn": "cn=DomainController", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caDualRAuserCert" + ], + "description": [ + "RA Agent-Authenticated User Certificate Enrollment" + ], + "dn": "cn=caDualRAuserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caRAagentCert" + ], + "description": [ + "RA Agent-Authenticated Agent User Certificate Enrollment" + ], + "dn": "cn=caRAagentCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caRAserverCert" + ], + "description": [ + "RA Agent-Authenticated Server Certificate Enrollment" + ], + "dn": "cn=caRAserverCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caUUIDdeviceCert" + ], + "description": [ + "Manual device Dual-Use Certificate Enrollment to contain UUID in SAN" + ], + "dn": "cn=caUUIDdeviceCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caSSLClientSelfRenewal" + ], + "description": [ + "Renewal: Self-renew user SSL client certificates" + ], + "dn": "cn=caSSLClientSelfRenewal", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caDirUserRenewal" + ], + "description": [ + "Renewal: Directory-Authenticated User Certificate Self-Renew profile" + ], + "dn": "cn=caDirUserRenewal", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caManualRenewal" + ], + "description": [ + "Renewal: Renew certificate to be manually approved by agents" + ], + "dn": "cn=caManualRenewal", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTokenMSLoginEnrollment" + ], + "description": [ + "Token User MS Login Certificate Enrollment" + ], + "dn": "cn=caTokenMSLoginEnrollment", + 
"ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTokenUserSigningKeyRenewal" + ], + "description": [ + "smart card token signing cert renewal profile" + ], + "dn": "cn=caTokenUserSigningKeyRenewal", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTokenUserEncryptionKeyRenewal" + ], + "description": [ + "smart card token encryption cert renewal profile" + ], + "dn": "cn=caTokenUserEncryptionKeyRenewal", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTokenUserAuthKeyRenewal" + ], + "description": [ + "smart card token authentication cert renewal profile" + ], + "dn": "cn=caTokenUserAuthKeyRenewal", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caJarSigningCert" + ], + "description": [ + "Manual Jar Signing Certificate Enrollment" + ], + "dn": "cn=caJarSigningCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caAuditSigningCert" + ], + "description": [ + "Manual Audit Signing Certificate Enrollment" + ], + "dn": "cn=caAuditSigningCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caEncUserCert" + ], + "description": [ + "Manual User Encryption Certificates Enrollment" + ], + "dn": "cn=caEncUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caSigningUserCert" + ], + "description": [ + "Manual User Signing Certificate Enrollment" + ], + "dn": "cn=caSigningUserCert", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTokenUserDelegateAuthKeyEnrollment" + ], + "description": [ + "Token User Delegate Authentication Certificate Enrollment" + ], + "dn": "cn=caTokenUserDelegateAuthKeyEnrollment", + "ipacertprofilestoreissued": [ + false + ] + }, + { + "cn": [ + "caTokenUserDelegateSigningKeyEnrollment" + ], + "description": [ + "Token User Delegate Signing Certificate Enrollment" + ], + "dn": "cn=caTokenUserDelegateSigningKeyEnrollment", + "ipacertprofilestoreissued": [ + false + ] + } + ], + "summary": 
"93 profiles matched", + "truncated": false + }, + "version": "4.13.0.dev202409181703+git4bfbf0ba9" +} diff --git a/tests/019-dparse/good.profileList.xml b/tests/019-dparse/good.profileList.xml new file mode 100644 index 0000000..1597770 --- /dev/null +++ b/tests/019-dparse/good.profileList.xml 
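Review bot: This fixture appears to have been captured from a request that sent no API version, since its `messages` array holds a `VersionMissing` warning (code 13001, "API Version number was not sent, forward compatibility not guaranteed"). If the client code added by this patch builds its request the same way, the server falls back to its own version (2.254 here) and the response shape may change after a server upgrade. Sending an explicit `version` option with the call and re-capturing the fixture would remove the warning. The request-building code is outside this hunk, so this is inferred from the fixture alone. Unless another part of the patch already covers it, it would also help to pair this "good" file with a response where `error` is non-null or `truncated` is `true`, so the parser's rejection path is exercised on server-supplied data.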
@@ -0,0 +1,1028 @@ + + + + + + + + + + + +This certificate profile is for enrolling user certificates. + + +true + + +Manual User Dual-Use Certificate Enrollment + + +admin + + +caUserCert + + +true + + + + + + +This certificate profile is for enrolling user certificates with S/MIME capabilities extension - OID: 1.2.840.113549.1.9.15 + + +true + + +Manual User Dual-Use S/MIME capabilities Certificate Enrollment + + +admin + + +caUserSMIMEcapCert + + +true + + + + + + +This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later. + + +true + + +Manual User Signing & Encryption Certificates Enrollment + + +admin + + +caDualCert + + +true + + + + + + +This profile is for enrolling audit log signing certificates + + +true + + +Manual Log Signing Certificate Enrollment + + +admin + + +caSignedLogCert + + +true + + + + + + +This certificate profile is for enrolling TPS server certificates. + + +true + + +Manual TPS Server Certificate Enrollment + + +admin + + +caTPSCert + + +true + + + + + + +This certificate profile is for enrolling router certificates. + + +true + + +RA Agent-Authenticated Router Certificate Enrollment + + +admin + + +caRARouterCert + + +false + + + + + + +This certificate profile is for enrolling router certificates. + + +true + + +One Time Pin Router Certificate Enrollment + + +admin + + +caRouterCert + + +false + + + + + + +This certificate profile is for enrolling server certificates. + + +true + + +Manual Server Certificate Enrollment + + +admin + + +caServerCert + + +true + + + + + + +This certificate profile is for enrolling other certificates. + + +true + + +Other Certificate Enrollment + + +admin + + +caOtherCert + + +true + + + + + + +This certificate profile is for enrolling Certificate Authority certificates. 
+ + +true + + +Manual Certificate Manager Signing Certificate Enrollment + + +admin + + +caCACert + + +true + + + + + + +This certificate profile is for enrolling Security Domain Certificate Authority certificates. + + +true + + +Manual Security Domain Certificate Authority Signing Certificate Enrollment + + +admin + + +caInstallCACert + + +true + + + + + + +This certificate profile is for enrolling Registration Manager certificates. + + +true + + +Manual Registration Manager Signing Certificate Enrollment + + +admin + + +caRACert + + +true + + + + + + +This certificate profile is for enrolling OCSP Manager certificates. + + +true + + +Manual OCSP Manager Signing Certificate Enrollment + + +admin + + +caOCSPCert + + +true + + + + + + +This certificate profile is for enrolling Data Recovery Manager transport certificates. + + +true + + +Manual Data Recovery Manager Transport Certificate Enrollment + + +admin + + +caTransportCert + + +true + + + + + + +This certificate profile is for enrolling user certificates with directory-based authentication. + + +true + + +Directory-Authenticated User Dual-Use Certificate Enrollment + + +admin + + +caDirUserCert + + +true + + + + + + +This certificate profile is for enrolling server certificates with agent authentication. + + +true + + +Agent-Authenticated Server Certificate Enrollment + + +admin + + +caAgentServerCert + + +true + + + + + + +This certificate profile is for getting file signing certificate with agent authentication. + + +true + + +Agent-Authenticated File Signing + + +admin + + +caAgentFileSigning + + +true + + + + + + +This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. + + +true + + +Signed CMC-Authenticated User Certificate Enrollment + + +admin + + +caCMCUserCert + + +true + + + + + + +This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. 
+ + +true + + +Signed CMC-Authenticated User Certificate Enrollment + + +admin + + +caFullCMCUserCert + + +false + + + + + + +This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. + + +true + + +Simple CMC Enrollment Request for User Certificate + + +admin + + +caSimpleCMCUserCert + + +false + + + + + + +This profile is for enrolling token device keys + + +true + + +Token Device Key Enrollment + + +admin + + +caTokenDeviceKeyEnrollment + + +false + + + + + + +This profile is for enrolling Token Encryption key + + +true + + +Token User Encryption Certificate Enrollment + + +admin + + +caTokenUserEncryptionKeyEnrollment + + +false + + + + + + +This profile is for enrolling Token Signing key + + +true + + +Token User Signing Certificate Enrollment + + +admin + + +caTokenUserSigningKeyEnrollment + + +false + + + + + + +This profile is for enrolling token device keys + + +true + + +Temporary Device Certificate Enrollment + + +admin + + +caTempTokenDeviceKeyEnrollment + + +false + + + + + + +This profile is for enrolling Token Encryption key + + +true + + +Temporary Token User Encryption Certificate Enrollment + + +admin + + +caTempTokenUserEncryptionKeyEnrollment + + +false + + + + + + +This profile is for enrolling Token Signing key + + +true + + +Temporary Token User Signing Certificate Enrollment + + +admin + + +caTempTokenUserSigningKeyEnrollment + + +false + + + + + + +This certificate profile is for enrolling Security Domain administrator's certificates with LDAP authentication against the internal LDAP database. + + +true + + +Security Domain Administrator Certificate Enrollment + + +admin + + +caAdminCert + + +false + + + + + + +This certificate profile is for enrolling Security Domain server certificates. 
+ + +true + + +Security Domain Server Certificate Enrollment + + +admin + + +caInternalAuthServerCert + + +false + + + + + + +This certificate profile is for enrolling Security Domain Data Recovery Manager transport certificates. + + +true + + +Security Domain Data Recovery Manager Transport Certificate Enrollment + + +admin + + +caInternalAuthTransportCert + + +false + + + + + + +This certificate profile is for enrolling Security Domain DRM storage certificates + + +true + + +Security Domain DRM storage Certificate Enrollment + + +admin + + +caInternalAuthDRMstorageCert + + +false + + + + + + +This certificate profile is for enrolling Security Domain subsystem certificates. + + +true + + +Security Domain Subsysem Certificate Enrollment + + +admin + + +caInternalAuthSubsystemCert + + +false + + + + + + +This certificate profile is for enrolling Security Domain OCSP Manager certificates. + + +true + + +Security Domain OCSP Manager Signing Certificate Enrollment + + +admin + + +caInternalAuthOCSPCert + + +false + + + + + + +This certificate profile is for enrolling audit signing certificates. + + +true + + +Audit Signing Certificate Enrollment + + +admin + + +caInternalAuthAuditSigningCert + + +false + + + + + + +This profile is for enrolling Domain Controller Certificate + + +true + + +Domain Controller + + +admin + + +DomainController + + +true + + + + + + +This certificate profile is for enrolling user certificates with RA agent authentication. + + +true + + +RA Agent-Authenticated User Certificate Enrollment + + +admin + + +caDualRAuserCert + + +true + + + + + + +This certificate profile is for enrolling RA agent user certificates with RA agent authentication. + + +true + + +RA Agent-Authenticated Agent User Certificate Enrollment + + +admin + + +caRAagentCert + + +true + + + + + + +This certificate profile is for enrolling server certificates with RA agent authentication. 
+ + +true + + +RA Agent-Authenticated Server Certificate Enrollment + + +admin + + +caRAserverCert + + +true + + + + + + +This certificate profile is for enrolling device certificates to contain UUID in the Subject Alternative Name extension + + +false + + +Manual device Dual-Use Certificate Enrollment to contain UUID in SAN + + + + + +caUUIDdeviceCert + + +true + + + + + + +This certificate profile is for renewing SSL client certificates. + + +true + + +Renewal: Self-renew user SSL client certificates + + +admin + + +caSSLClientSelfRenewal + + +true + + + + + + +This certificate profile is for renewing a certificate by serial number by using directory based authentication. + + +true + + +Renewal: Directory-Authenticated User Certificate Self-Renew profile + + +admin + + +caDirUserRenewal + + +true + + + + + + +This certificate profile is for renewing certificates to be approved manually by agents. + + +true + + +Renewal: Renew certificate to be manually approved by agents + + +admin + + +caManualRenewal + + +true + + + + + + +This profile is for enrolling MS Login Certificate + + +true + + +Token User MS Login Certificate Enrollment + + +admin + + +caTokenMSLoginEnrollment + + +false + + + + + + +This certificate profile is for renewing a token certificate + + +true + + +smart card token signing cert renewal profile + + +admin + + +caTokenUserSigningKeyRenewal + + +false + + + + + + +This certificate profile is for renewing a token encryption certificate + + +true + + +smart card token signing cert renewal profile + + +admin + + +caTokenUserEncryptionKeyRenewal + + +false + + + + + + +This is an IPA profile for enrolling Jar Signing certificates. + + +true + + +Manual Jar Signing Certificate Enrollment + + +admin + + +caJarSigningCert + + +false + + + + + + +This certificate profile is for enrolling server certificates with IPA-RA agent authentication. 
+ + +true + + +IPA-RA Agent-Authenticated Server Certificate Enrollment + + +admin + + +caIPAserviceCert + + +false + + + + + + +0 + + + + diff --git a/tests/019-dparse/good.profileReview b/tests/019-dparse/good.profileReview deleted file mode 100644 index 85dcba6..0000000 --- a/tests/019-dparse/good.profileReview +++ /dev/null 
@@ -1,795 +0,0 @@ - - - - - - - -renewal - - - - - - -This constraint accepts the subject name that matches .*CN=.* - - -1 - - - - - - -name - - - - - -Subject Name - - -string - - -CN=IPA RA,O=BOS.REDHAT.COM - - - - - - -This default populates a User-Supplied Certificate Subject Name to the request. - - - - - - -This constraint rejects the validity that is not between 720 days. - - -2 - - - - - - -notBefore - - - - - -Not Before - - -string - - -2012-06-25 18:21:04 - - - - - - -notAfter - - - - - -Not After - - -string - - -2014-06-15 18:21:04 - - - - - - -This default populates a Certificate Validity to the request. The default values are Range=720 in days - - - - - - -This constraint accepts the key only if Key Type=RSA, Key Parameters =1024,2048,3072,4096 - - -3 - - - - - - -TYPE - - -readonly - - -Key Type - - -string - - -RSA - 1.2.840.113549.1.1.1 - - - - - - -LEN - - -readonly - - -Key Length - - -string - - -2048 - - - - - - -KEY - - -readonly - - -Key - - -string - - -30:82:01:0A:02:82:01:01:00:DA:3F:78:E3:82:53:1B:\n6F:C1:36:45:70:14:79:78:F7:23:DA:02:BF:46:D3:ED:\n89:A0:A0:8B:6F:50:F7:26:3D:C6:68:E7:BD:61:B9:CE:\nFA:B7:AC:A0:B9:8C:78:68:58:A1:2E:76:87:5A:38:7D:\n23:28:7F:60:F4:0C:C4:06:77:B9:D3:F9:9F:16:00:66:\nAB:99:24:61:90:8E:6E:76:43:1E:D6:E2:70:32:91:B2:\n61:70:54:80:2F:32:71:CE:83:64:DB:C9:49:01:18:1B:\nA5:FC:EF:CC:A9:70:C7:BB:4B:3A:9F:DE:0C:E1:E0:C2:\n59:72:F5:82:73:A9:82:5D:60:65:E0:1A:31:20:3F:22:\nBC:BC:6C:80:71:41:3F:1C:FB:82:24:EE:F1:19:F1:41:\nD0:CD:4B:16:15:F3:C7:61:E8:E8:E7:F3:1D:7A:FB:7F:\nF7:5C:55:02:B6:4F:5F:61:6E:9F:2F:53:D2:DA:80:C4:\n8B:31:1F:9C:57:3E:70:1C:72:70:25:B2:54:CD:55:D3:\n76:EA:8E:4A:FD:C8:07:7F:F5:EC:7F:A0:CC:F3:44:8D:\nAE:69:A6:36:7A:54:7F:36:BD:FA:2F:27:BA:22:55:28:\n4B:89:90:ED:04:36:E5:73:AC:21:1C:E2:AD:B4:18:3C:\n19:6C:84:CE:06:CA:E6:DA:23:02:03:01:00:01\n - - - - - - -This default populates a User-Supplied Certificate Key to the request. 
- - - - - - -No Constraint - - -4 - - - - - - -critical - - -readonly - - -Criticality - - -string - - -false - - - - - - -keyid - - -readonly - - -Key ID - - -string - - -F9:42:E8:24:38:8E:21:2E:7C:90:C6:64:52:83:20:7A:\n25:70:89:98\n - - - - - - -This default populates an Authority Key Identifier Extension (2.5.29.35) to the request. - - - - - - -No Constraint - - -5 - - - - - - -authInfoAccessCritical - - - - - -Criticality - - -boolean - - -false - - - - - - -authInfoAccessGeneralNames - - - - - -General Names - - -string_list - - -Record #0 -Method:1.3.6.1.5.5.7.48.1 -Location Type:URIName -Location:http://rapier.bos.redhat.com:80/ca/ocsp -Enable:true - - - - - - - - -This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. The default values are Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:,Enable:true} - - - - - - -This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false - - -6 - - - - - - -keyUsageCritical - - - - - -Criticality - - -boolean - - -true - - - - - - -keyUsageDigitalSignature - - - - - -Digital Signature - - -boolean - - -true - - - - - - -keyUsageNonRepudiation - - - - - -Non-Repudiation - - -boolean - - -true - - - - - - -keyUsageKeyEncipherment - - - - - -Key Encipherment - - -boolean - - -true - - - - - - -keyUsageDataEncipherment - - - - - -Data Encipherment - - -boolean - - -true - - - - - - -keyUsageKeyAgreement - - - - - -Key Agreement - - -boolean - - -false - - - - - - -keyUsageKeyCertSign - - - - - -Key CertSign - - -boolean - - -false - - - - - - -keyUsageCrlSign - - - - - -CRL Sign - - -boolean - - -false - - - - - - -keyUsageEncipherOnly - - - - - -Encipher Only - - -boolean - - -false - - - - - - -keyUsageDecipherOnly - - - 
- - -Decipher Only - - -boolean - - -false - - - - - - -This default populates a Key Usage Extension (2.5.29.15) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false - - - - - - -No Constraint - - -7 - - - - - - -exKeyUsageCritical - - - - - -Criticality - - -boolean - - -false - - - - - - -exKeyUsageOIDs - - - - - -Comma-Separated list of Object Identifiers - - -string_list - - -1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 - - - - - - -This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 - - - - - - -This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC - - -8 - - - - - - -signingAlg - - -SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA - - -Signing Algorithm - - -choice - - -SHA256withRSA - - - - - - -This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA256withRSA - - - - - - -This certificate profile is for enrolling server certificates. 
- - - - - - -cert_request_type - - -Certificate Request Type - - -pkcs10 - - -cert_request_type - - - - - - - - - -cert_request - - -Certificate Request - - -MIICbzCCAVcCAQAwKjEXMBUGA1UEChMOQk9TLlJFREhBVC5DT00xDzANBgNVBAMT -BklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANo/eOOCUxtv -wTZFcBR5ePcj2gK/RtPtiaCgi29Q9yY9xmjnvWG5zvq3rKC5jHhoWKEudodaOH0j -KH9g9AzEBne50/mfFgBmq5kkYZCObnZDHtbicDKRsmFwVIAvMnHOg2TbyUkBGBul -/O/MqXDHu0s6n94M4eDCWXL1gnOpgl1gZeAaMSA/Iry8bIBxQT8c+4Ik7vEZ8UHQ -zUsWFfPHYejo5/Mdevt/91xVArZPX2Funy9T0tqAxIsxH5xXPnAccnAlslTNVdN2 -6o5K/cgHf/Xsf6DM80SNrmmmNnpUfza9+i8nuiJVKEuJkO0ENuVzrCEc4q20GDwZ -bITOBsrm2iMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQBsMBkha+NI3Xc921az -GKdxj1RvQzq7sm0HoPmswGBUJYmxBsM60/37XbbtBvp/KF0XUwZPOm4k3I4ZgdgK -odB57ccUBUMI9RRvrZgoZOvOMBsfKcS23CNPrMiIUeHr4dPQPDW6nDuZiw3LxbRs -laeEO60hge9VPUga/KoQ7q+VvRXceABEz7afEGhutvttsUnrBxX4FjYWAvb35WhJ -5pxJkHgSkv1nHTWcBUY4Q/Mpa+55LqluQAHmmw17Ve3OpX5esorEV8wrlk/kHgxQ -8AQaOJbTMI2htR98NcZ/NJjf61QeZe/XZ35ejtBytrbcyJFjlgA4Cz16MlltAtHB -pZmJ - - - -cert_request - - - - - - - - - -requestor_name - - -Requestor Name - - -IPA Installer - - -string - - - - - - - - - -requestor_email - - -Requestor Email - - - - - -string - - - - - - - - - -requestor_phone - - -Requestor Phone - - - - - -string - - - - - - - - - -0 - - -Mon Jun 25 18:21:04 EDT 2012 - - -10.11.8.156 - - -Manual Server Certificate Enrollment - - -admin - - - - - -caServerCert - - -10.11.8.156 - - -true - - -17 - - - - - -pending - - -Mon Jun 25 18:21:04 EDT 2012 - - - - - - -pretty_cert - - -pretty_print - - - - - -Certificate Pretty Print - - - - - - - - - -b64_cert - - -pretty_print - - - - - -Certificate Base-64 Encoded - - - - - - - - - -serverCertSet - - - - diff --git a/tests/019-dparse/good.profileReview.xml b/tests/019-dparse/good.profileReview.xml new file mode 100644 index 0000000..85dcba6 --- /dev/null +++ b/tests/019-dparse/good.profileReview.xml 
@@ -0,0 +1,795 @@ + + + + + + + +renewal + + + + + + +This constraint accepts the subject name that matches .*CN=.* + + +1 + + + + + + +name + + + + + +Subject Name + + +string + + +CN=IPA RA,O=BOS.REDHAT.COM + + + + + + +This default populates a User-Supplied Certificate Subject Name to the request. + + + + + + +This constraint rejects the validity that is not between 720 days. + + +2 + + + + + + +notBefore + + + + + +Not Before + + +string + + +2012-06-25 18:21:04 + + + + + + +notAfter + + + + + +Not After + + +string + + +2014-06-15 18:21:04 + + + + + + +This default populates a Certificate Validity to the request. The default values are Range=720 in days + + + + + + +This constraint accepts the key only if Key Type=RSA, Key Parameters =1024,2048,3072,4096 + + +3 + + + + + + +TYPE + + +readonly + + +Key Type + + +string + + +RSA - 1.2.840.113549.1.1.1 + + + + + + +LEN + + +readonly + + +Key Length + + +string + + +2048 + + + + + + +KEY + + +readonly + + +Key + + +string + + +30:82:01:0A:02:82:01:01:00:DA:3F:78:E3:82:53:1B:\n6F:C1:36:45:70:14:79:78:F7:23:DA:02:BF:46:D3:ED:\n89:A0:A0:8B:6F:50:F7:26:3D:C6:68:E7:BD:61:B9:CE:\nFA:B7:AC:A0:B9:8C:78:68:58:A1:2E:76:87:5A:38:7D:\n23:28:7F:60:F4:0C:C4:06:77:B9:D3:F9:9F:16:00:66:\nAB:99:24:61:90:8E:6E:76:43:1E:D6:E2:70:32:91:B2:\n61:70:54:80:2F:32:71:CE:83:64:DB:C9:49:01:18:1B:\nA5:FC:EF:CC:A9:70:C7:BB:4B:3A:9F:DE:0C:E1:E0:C2:\n59:72:F5:82:73:A9:82:5D:60:65:E0:1A:31:20:3F:22:\nBC:BC:6C:80:71:41:3F:1C:FB:82:24:EE:F1:19:F1:41:\nD0:CD:4B:16:15:F3:C7:61:E8:E8:E7:F3:1D:7A:FB:7F:\nF7:5C:55:02:B6:4F:5F:61:6E:9F:2F:53:D2:DA:80:C4:\n8B:31:1F:9C:57:3E:70:1C:72:70:25:B2:54:CD:55:D3:\n76:EA:8E:4A:FD:C8:07:7F:F5:EC:7F:A0:CC:F3:44:8D:\nAE:69:A6:36:7A:54:7F:36:BD:FA:2F:27:BA:22:55:28:\n4B:89:90:ED:04:36:E5:73:AC:21:1C:E2:AD:B4:18:3C:\n19:6C:84:CE:06:CA:E6:DA:23:02:03:01:00:01\n + + + + + + +This default populates a User-Supplied Certificate Key to the request. 
+ + + + + + +No Constraint + + +4 + + + + + + +critical + + +readonly + + +Criticality + + +string + + +false + + + + + + +keyid + + +readonly + + +Key ID + + +string + + +F9:42:E8:24:38:8E:21:2E:7C:90:C6:64:52:83:20:7A:\n25:70:89:98\n + + + + + + +This default populates an Authority Key Identifier Extension (2.5.29.35) to the request. + + + + + + +No Constraint + + +5 + + + + + + +authInfoAccessCritical + + + + + +Criticality + + +boolean + + +false + + + + + + +authInfoAccessGeneralNames + + + + + +General Names + + +string_list + + +Record #0 +Method:1.3.6.1.5.5.7.48.1 +Location Type:URIName +Location:http://rapier.bos.redhat.com:80/ca/ocsp +Enable:true + + + + + + + + +This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. The default values are Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:,Enable:true} + + + + + + +This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false + + +6 + + + + + + +keyUsageCritical + + + + + +Criticality + + +boolean + + +true + + + + + + +keyUsageDigitalSignature + + + + + +Digital Signature + + +boolean + + +true + + + + + + +keyUsageNonRepudiation + + + + + +Non-Repudiation + + +boolean + + +true + + + + + + +keyUsageKeyEncipherment + + + + + +Key Encipherment + + +boolean + + +true + + + + + + +keyUsageDataEncipherment + + + + + +Data Encipherment + + +boolean + + +true + + + + + + +keyUsageKeyAgreement + + + + + +Key Agreement + + +boolean + + +false + + + + + + +keyUsageKeyCertSign + + + + + +Key CertSign + + +boolean + + +false + + + + + + +keyUsageCrlSign + + + + + +CRL Sign + + +boolean + + +false + + + + + + +keyUsageEncipherOnly + + + + + +Encipher Only + + +boolean + + +false + + + + + + +keyUsageDecipherOnly + + + 
+ + +Decipher Only + + +boolean + + +false + + + + + + +This default populates a Key Usage Extension (2.5.29.15) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false + + + + + + +No Constraint + + +7 + + + + + + +exKeyUsageCritical + + + + + +Criticality + + +boolean + + +false + + + + + + +exKeyUsageOIDs + + + + + +Comma-Separated list of Object Identifiers + + +string_list + + +1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 + + + + + + +This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 + + + + + + +This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC + + +8 + + + + + + +signingAlg + + +SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA + + +Signing Algorithm + + +choice + + +SHA256withRSA + + + + + + +This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA256withRSA + + + + + + +This certificate profile is for enrolling server certificates. 
+ + + + + + +cert_request_type + + +Certificate Request Type + + +pkcs10 + + +cert_request_type + + + + + + + + + +cert_request + + +Certificate Request + + +MIICbzCCAVcCAQAwKjEXMBUGA1UEChMOQk9TLlJFREhBVC5DT00xDzANBgNVBAMT +BklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANo/eOOCUxtv +wTZFcBR5ePcj2gK/RtPtiaCgi29Q9yY9xmjnvWG5zvq3rKC5jHhoWKEudodaOH0j +KH9g9AzEBne50/mfFgBmq5kkYZCObnZDHtbicDKRsmFwVIAvMnHOg2TbyUkBGBul +/O/MqXDHu0s6n94M4eDCWXL1gnOpgl1gZeAaMSA/Iry8bIBxQT8c+4Ik7vEZ8UHQ +zUsWFfPHYejo5/Mdevt/91xVArZPX2Funy9T0tqAxIsxH5xXPnAccnAlslTNVdN2 +6o5K/cgHf/Xsf6DM80SNrmmmNnpUfza9+i8nuiJVKEuJkO0ENuVzrCEc4q20GDwZ +bITOBsrm2iMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQBsMBkha+NI3Xc921az +GKdxj1RvQzq7sm0HoPmswGBUJYmxBsM60/37XbbtBvp/KF0XUwZPOm4k3I4ZgdgK +odB57ccUBUMI9RRvrZgoZOvOMBsfKcS23CNPrMiIUeHr4dPQPDW6nDuZiw3LxbRs +laeEO60hge9VPUga/KoQ7q+VvRXceABEz7afEGhutvttsUnrBxX4FjYWAvb35WhJ +5pxJkHgSkv1nHTWcBUY4Q/Mpa+55LqluQAHmmw17Ve3OpX5esorEV8wrlk/kHgxQ +8AQaOJbTMI2htR98NcZ/NJjf61QeZe/XZ35ejtBytrbcyJFjlgA4Cz16MlltAtHB +pZmJ + + + +cert_request + + + + + + + + + +requestor_name + + +Requestor Name + + +IPA Installer + + +string + + + + + + + + + +requestor_email + + +Requestor Email + + + + + +string + + + + + + + + + +requestor_phone + + +Requestor Phone + + + + + +string + + + + + + + + + +0 + + +Mon Jun 25 18:21:04 EDT 2012 + + +10.11.8.156 + + +Manual Server Certificate Enrollment + + +admin + + + + + +caServerCert + + +10.11.8.156 + + +true + + +17 + + + + + +pending + + +Mon Jun 25 18:21:04 EDT 2012 + + + + + + +pretty_cert + + +pretty_print + + + + + +Certificate Pretty Print + + + + + + + + + +b64_cert + + +pretty_print + + + + + +Certificate Base-64 Encoded + + + + + + + + + +serverCertSet + + + + diff --git a/tests/019-dparse/good.profileSubmit.issued b/tests/019-dparse/good.profileSubmit.issued deleted file mode 100644 index f2399b9..0000000 --- a/tests/019-dparse/good.profileSubmit.issued +++ /dev/null 
@@ -1 +0,0 @@ -072CN=pillbox.bos.redhat.com,OU=Engineering,O=Red Hat,L=Somerville,ST=Massachusetts,C=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 diff --git a/tests/019-dparse/good.profileSubmit.issued.json b/tests/019-dparse/good.profileSubmit.issued.json new file mode 100644 index 0000000..f6dbeef --- /dev/null +++ b/tests/019-dparse/good.profileSubmit.issued.json @@ -0,0 +1,33 @@ +{ + "error": null, + "id": 0, + "principal": "admin@EXAMPLE.TEST", + "result": { + "result": { + "cacn": "ipa", + "cert_request_status": "complete", + "certificate": "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", + "issuer": "CN=Certificate Authority,O=EXAMPLE.TEST", + "request_id": "332621425870192170580644617633640391310", + "san_dnsname": [ + { + "__dns_name__": "ipa.example.test" + } + ], + "san_other_kpn": [ + "ldap/ipa.example.test@EXAMPLE.TEST" + ], + "san_other_upn": [ + "ldap/ipa.example.test@EXAMPLE.TEST" + ], + "serial_number": "157278429312064746734040803807480481689", + "serial_number_hex": "0x7652B941E6D3C7BEEBACD169B1538799", + "subject": "CN=ipa.example.test,O=EXAMPLE.TEST", + "valid_not_after": "Thu Nov 19 19:12:11 2026 UTC", + "valid_not_before": "Mon Nov 18 19:12:11 2024 UTC" + }, + "summary": null, + "value": "332621425870192170580644617633640391310" + }, + "version": "4.13.0.dev202409181703+git4bfbf0ba9" +} diff --git a/tests/019-dparse/good.profileSubmit.issued.xml b/tests/019-dparse/good.profileSubmit.issued.xml new file mode 100644 index 0000000..f2399b9 --- /dev/null +++ b/tests/019-dparse/good.profileSubmit.issued.xml @@ -0,0 +1 @@ +072CN=pillbox.bos.redhat.com,OU=Engineering,O=Red Hat,L=Somerville,ST=Massachusetts,C=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 diff --git a/tests/019-dparse/good.profileSubmit.serial.in-range b/tests/019-dparse/good.profileSubmit.serial.in-range deleted file mode 100644 index 1365c50..0000000 --- a/tests/019-dparse/good.profileSubmit.serial.in-range +++ /dev/null 
@@ -1 +0,0 @@ -2Request Deferred - defer request 12 diff --git a/tests/019-dparse/good.profileSubmit.serial.in-range.xml b/tests/019-dparse/good.profileSubmit.serial.in-range.xml new file mode 100644 index 0000000..1365c50 --- /dev/null +++ b/tests/019-dparse/good.profileSubmit.serial.in-range.xml @@ -0,0 +1 @@ +2Request Deferred - defer request 12 diff --git a/tests/019-dparse/run.sh b/tests/019-dparse/run.sh index 3fc0f95..2e4e72d 100755 --- a/tests/019-dparse/run.sh +++ b/tests/019-dparse/run.sh @@ -1,7 +1,7 @@ #!/bin/bash -e count=0 -for role in agent end-user ; do -for good in good.profileSubmit* ; do +for role in agent end-entity ; do +for good in good.profileSubmit*.xml ; do $toolsdir/dparse submit $role $good count=`expr $count + 1` done @@ -9,19 +9,19 @@ for good in good.profileReview* ; do $toolsdir/dparse review $role $good count=`expr $count + 1` done -for good in good.checkRequest* ; do +for good in good.checkRequest*.xml ; do $toolsdir/dparse check $role $good count=`expr $count + 1` done -for good in good.displayCertFromRequest* ; do +for good in good.displayCertFromRequest*.xml ; do $toolsdir/dparse fetch $role $good count=`expr $count + 1` done -for good in good.profileList* ; do +for good in good.profileList*.xml ; do $toolsdir/dparse profiles $role $good count=`expr $count + 1` done -for bad in bad.profileSubmit* ; do +for bad in bad.profileSubmit*.xml ; do $toolsdir/dparse submit $role $bad count=`expr $count + 1` done @@ -33,7 +33,7 @@ for bad in bad.profileProcess* ; do $toolsdir/dparse approve $role $bad count=`expr $count + 1` done -for bad in bad.checkRequest* ; do +for bad in bad.checkRequest*.xml ; do $toolsdir/dparse check $role $bad count=`expr $count + 1` done 
@@ -42,4 +42,35 @@ for bad in bad.displayCertFromRequest* ; do count=`expr $count + 1` done done + +for role in json ; do +for good in good.profileSubmit*.json ; do + $toolsdir/dparse submit $role $good + count=`expr $count + 1` +done +for good in good.checkRequest*.json ; do + $toolsdir/dparse check $role $good + count=`expr $count + 1` +done +for good in good.displayCertFromRequest*.json ; do + $toolsdir/dparse fetch $role $good + count=`expr $count + 1` +done +for good in good.profileList*.json ; do + $toolsdir/dparse profiles $role $good + count=`expr $count + 1` +done +for bad in bad.profileSubmit*.json ; do + $toolsdir/dparse submit $role $bad + count=`expr $count + 1` +done +for bad in bad.checkRequest*.json ; do + $toolsdir/dparse check $role $bad + count=`expr $count + 1` +done +for bad in bad.displayCertFromRequest*.json ; do + $toolsdir/dparse fetch $role $bad + count=`expr $count + 1` +done +done echo $count samples. diff --git a/tests/Makefile.am b/tests/Makefile.am index e78a83d..9977aed 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am 
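Review bot: The XML role loop still iterates `for bad in bad.displayCertFromRequest* ; do` without a suffix; that line is unchanged and appears only as the context in this hunk's header. Since `bad.displayCertFromRequest.no-such-request.json` is now listed in tests/Makefile.am, the `agent` and `end-entity` passes will also hand that JSON reply to the XML parser. Narrowing it the same way as the other loops, `for bad in bad.displayCertFromRequest*.xml ; do`, keeps each fixture under the parser it was written for. The unsuffixed `good.profileReview*` and `bad.profileProcess*` globs are harmless today because only `.xml` fixtures are listed for them, but they would pick up a JSON fixture the moment one is added.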
@@ -233,31 +233,40 @@ EXTRA_DIST = \ 018-pembase/run.sh \ 019-dparse/expected.out \ 019-dparse/run.sh \ - 019-dparse/bad.checkRequest.nosuch \ - 019-dparse/bad.displayCertFromRequest.incomplete \ - 019-dparse/bad.displayCertFromRequest.no-such-request \ - 019-dparse/bad.displayCertFromRequest.rejected \ - 019-dparse/bad.profileProcess.bad-property \ - 019-dparse/bad.profileProcess.no-agent-cert \ - 019-dparse/bad.profileProcess.no-ca-cert \ - 019-dparse/bad.profileProcess.no-property \ - 019-dparse/bad.profileProcess.not-pending \ - 019-dparse/bad.profileReview.no-such-request \ - 019-dparse/bad.profileReview.unauthorized-cert \ - 019-dparse/bad.profileReview.wrong-nssdb \ - 019-dparse/bad.profileSubmit.csr.empty \ - 019-dparse/bad.profileSubmit.csr.subject-mismatch \ - 019-dparse/bad.profileSubmit.serial.empty \ - 019-dparse/bad.profileSubmit.serial.invalid \ - 019-dparse/bad.profileSubmit.serial.out-of-range \ - 019-dparse/good.checkRequest.complete \ - 019-dparse/good.checkRequest.pending \ - 019-dparse/good.displayCertFromRequest \ - 019-dparse/good.displayCertFromRequest-extra-line \ - 019-dparse/good.profileList \ - 019-dparse/good.profileReview \ - 019-dparse/good.profileSubmit.issued \ - 019-dparse/good.profileSubmit.serial.in-range \ + 019-dparse/bad.checkRequest.nosuch.json \ + 019-dparse/bad.checkRequest.nosuch.xml \ + 019-dparse/bad.displayCertFromRequest.incomplete.xml \ + 019-dparse/bad.displayCertFromRequest.no-such-request.json \ + 019-dparse/bad.displayCertFromRequest.no-such-request.xml \ + 019-dparse/bad.displayCertFromRequest.rejected.xml \ + 019-dparse/bad.profileProcess.bad-property.xml \ + 019-dparse/bad.profileProcess.no-agent-cert.xml \ + 019-dparse/bad.profileProcess.no-ca-cert.xml \ + 019-dparse/bad.profileProcess.no-property.xml \ + 019-dparse/bad.profileProcess.not-pending.xml \ + 019-dparse/bad.profileReview.no-such-request.xml \ + 019-dparse/bad.profileReview.unauthorized-cert.xml \ + 019-dparse/bad.profileReview.wrong-nssdb.xml \ + 
019-dparse/bad.profileSubmit.csr.empty.json \ + 019-dparse/bad.profileSubmit.csr.empty.xml \ + 019-dparse/bad.profileSubmit.csr.invalid.json \ + 019-dparse/bad.profileSubmit.csr.subject-mismatch.xml \ + 019-dparse/bad.profileSubmit.serial.empty.xml \ + 019-dparse/bad.profileSubmit.serial.invalid.xml \ + 019-dparse/bad.profileSubmit.serial.out-of-range.xml \ + 019-dparse/good.checkRequest.complete.json \ + 019-dparse/good.checkRequest.complete.xml \ + 019-dparse/good.checkRequest.pending.json \ + 019-dparse/good.checkRequest.pending.xml \ + 019-dparse/good.displayCertFromRequest-extra-line.xml \ + 019-dparse/good.displayCertFromRequest.json \ + 019-dparse/good.displayCertFromRequest.xml \ + 019-dparse/good.profileList.json \ + 019-dparse/good.profileList.xml \ + 019-dparse/good.profileReview.xml \ + 019-dparse/good.profileSubmit.issued.json \ + 019-dparse/good.profileSubmit.issued.xml \ + 019-dparse/good.profileSubmit.serial.in-range.xml \ 020-xparse/certmaster-fault.xml \ 020-xparse/certmaster-rep1.xml \ 020-xparse/certmaster-rep2.xml \ diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am index 1a01ee6..fffead3 100644 --- a/tests/tools/Makefile.am +++ b/tests/tools/Makefile.am @@ -32,7 +32,7 @@ addcinfo_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) dparse_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) dparse_SOURCES = dparse.c -dparse_LDADD = $(top_srcdir)/src/submit-d.c $(LDADD) $(XML_LIBS) +dparse_LDADD = $(top_srcdir)/src/submit-d.c $(LDADD) $(XML_LIBS) $(JANSSON_LIBS) citerate_SOURCES = citerate.c citerate_LDADD = $(top_srcdir)/src/store-gen.c $(LDADD) diff --git a/tests/tools/dparse.c b/tests/tools/dparse.c index 8f55077..ea1087e 100644 --- a/tests/tools/dparse.c +++ b/tests/tools/dparse.c @@ -27,6 +27,8 @@ #include +#include + #include "../../src/submit.h" #include "../../src/submit-d.h" #include "../../src/submit-e.h" 
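Review bot: In tests/tools/Makefile.am, `dparse_LDADD` gains `$(JANSSON_LIBS)` but `dparse_CFLAGS` stays at `$(AM_CFLAGS) $(XML_CFLAGS)`. This target builds `$(top_srcdir)/src/submit-d.c` as part of the link, and that file presumably now includes the jansson header for the JSON result parsers, so a system where jansson is outside the default include path would fail to build the test tool. I would add the matching flags, `dparse_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) $(JANSSON_CFLAGS)`, and check whether the header newly included by dparse.c needs its own CFLAGS variable as well.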
@@ -39,13 +41,14 @@ main(int argc, char **argv) char *error = NULL, *error_code = NULL, *error_reason = NULL; char *status = NULL, *requestId = NULL, *cert = NULL; char *xml, *out = NULL, *err = NULL, **profiles = NULL; - dbus_bool_t can_agent; + dbus_bool_t can_agent, is_xml; int i, vars; + void *ctx; if (argc < 4) { printf("usage: dparse " "{submit|check|review|reject|approve|fetch|profiles} " - "{agent|ee} " + "{agent|end-entity|json} " "reply.xml\n"); return 0; } 
@@ -53,61 +56,93 @@ main(int argc, char **argv) role = argv[2]; filename = argv[3]; can_agent = (strcasecmp(role, "agent") == 0); + is_xml = ((strcasecmp(role, "agent") == 0) || (strcasecmp(role, "end-entity") == 0)); xml = cm_submit_u_from_file(filename); if (xml == NULL) { fprintf(stderr, "error reading %s\n", filename); return -1; } + ctx = talloc_new(NULL); if (strcmp(mode, "submit") == 0) { - cm_submit_d_submit_result(NULL, xml, - &error_code, &error_reason, &error, - &status, &requestId, &cert); - i = cm_submit_d_submit_eval(NULL, xml, "SUBMIT", - can_agent, &out, &err); + if (is_xml) { + cm_submit_d_submit_result(ctx, xml, + &error_code, &error_reason, &error, + &status, &requestId, &cert); + } else { + cm_submit_d_rest_submit_result(ctx, xml, + &error_code, &error_reason, + &status, &requestId, &cert); + } + i = cm_submit_d_submit_eval(ctx, xml, "SUBMIT", + can_agent, &out, &err, is_xml); } else if (strcmp(mode, "check") == 0) { - cm_submit_d_check_result(NULL, xml, - &error_code, &error_reason, &error, - &status, &requestId); - i = cm_submit_d_check_eval(NULL, xml, "CHECK", - can_agent, &out, &err); + if (is_xml) { + cm_submit_d_check_result(ctx, xml, + &error_code, &error_reason, &error, + &status, &requestId); + } else { + cm_submit_d_rest_check_result(ctx, xml, + &error_code, &error_reason, + &status, &requestId); + } + i = cm_submit_d_check_eval(ctx, xml, "CHECK", + can_agent, &out, &err, is_xml); } else if (strcmp(mode, "reject") == 0) { - cm_submit_d_reject_result(NULL, xml, + cm_submit_d_reject_result(ctx, xml, &error_code, &error_reason, &error, &status, &requestId); - i = cm_submit_d_reject_eval(NULL, xml, "REJECT", + i = cm_submit_d_reject_eval(ctx, xml, "REJECT", can_agent, &out, &err); } else if (strcmp(mode, "review") == 0) { - cm_submit_d_review_result(NULL, xml, + cm_submit_d_review_result(ctx, xml, &error_code, &error_reason, &error, &status, &requestId); - i = cm_submit_d_review_eval(NULL, xml, "REVIEW", + i = cm_submit_d_review_eval(ctx, 
xml, "REVIEW", can_agent, &out, &err); } else if (strcmp(mode, "approve") == 0) { - cm_submit_d_approve_result(NULL, xml, - &error_code, &error_reason, &error, - &status, &requestId); - i = cm_submit_d_approve_eval(NULL, xml, "APPROVE", - can_agent, &out, &err); + if (is_xml) { + cm_submit_d_approve_result(ctx, xml, + &error_code, &error_reason, &error, + &status, &requestId); + } else { + cm_submit_d_rest_approve_result(ctx, xml, + &error_code, &error_reason, &error, + &requestId); + } + i = cm_submit_d_approve_eval(ctx, xml, "APPROVE", + can_agent, &out, &err, is_xml); } else if (strcmp(mode, "fetch") == 0) { - cm_submit_d_fetch_result(NULL, xml, - &error_code, &error_reason, &error, - &status, &requestId, &cert); - i = cm_submit_d_fetch_eval(NULL, xml, "FETCH", - can_agent, &out, &err); + if (is_xml) { + cm_submit_d_fetch_result(ctx, xml, + &error_code, &error_reason, &error, + &status, &requestId, &cert); + } else { + cm_submit_d_rest_fetch_result(ctx, xml, + &error_code, &error_reason, + &status, &cert); + } + i = cm_submit_d_fetch_eval(ctx, xml, "FETCH", + can_agent, &out, &err, is_xml); } else if (strcmp(mode, "profiles") == 0) { - cm_submit_d_profiles_result(NULL, xml, - &error_code, &error_reason, &error, - &status, &profiles); - i = cm_submit_d_profiles_eval(NULL, xml, "PROFILES", - can_agent, &out, &err); + if (is_xml) { + cm_submit_d_profiles_result(ctx, xml, + &error_code, &error_reason, &error, + &status, &profiles); + } else { + cm_submit_d_rest_profiles_result(ctx, xml, + &error_code, &error_reason, + &profiles); + } + i = cm_submit_d_profiles_eval(ctx, xml, "PROFILES", + can_agent, &out, &err, is_xml); } else { fprintf(stderr, "unknown mode \"%s\"\n", mode); return -1; @@ -115,7 +150,7 @@ main(int argc, char **argv) printf("[%s-as-%s(%s) = %s]\n", mode, - can_agent ? "agent" : "end-entity", + role, filename, cm_submit_e_status_text(i)); vars = 0; 
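Review bot: The new `is_xml` assignment in main() treats every role other than `agent` and `end-entity` as JSON, so a mistyped role, or the older `ee` / `end-user` spellings, silently selects the cm_submit_d_rest_* parsers instead of being rejected. A guard right after the assignment, `if (!is_xml && strcasecmp(role, "json") != 0) { fprintf(stderr, "unknown role \"%s\"\n", role); return -1; }`, would keep the behaviour in line with the usage text. The `reject` and `review` branches have no JSON alternative, so with role `json` they pass a JSON reply to the XML result parsers; either reject that combination or document that it is unsupported. Separately, the `unknown mode` branch returns after `talloc_new()` without releasing `ctx` or `xml`, which the cleanup added at the end of main() only does on the normal path.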
@@ -175,5 +210,8 @@ main(int argc, char **argv) } printf("\n"); + free(xml); + talloc_free(ctx); + return 0; } From 66a523ff470469746e51a4aa0627473ba12ef549 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Sep 05 2025 12:44:22 +0000 Subject: [PATCH 3/7] Drop unused cm_submit_d parameters I think these were probably initially added in case they might be useful and they've just remained. We don't need them so drop them. Related: https://pagure.io/certmonger/issue/284 Signed-off-by: Rob Crittenden --- diff --git a/src/dogtag.c b/src/dogtag.c index 853cd2c..8894be7 100644 --- a/src/dogtag.c +++ b/src/dogtag.c @@ -512,7 +512,7 @@ xml_workflow( case op_approve: if (url2 == NULL) { ret = cm_submit_d_approve_eval(ctx, results, lasturl, - can_agent, &p, &q, 1); + &p, &q, 1); if (p != NULL) { fprintf(stdout, "%s", p); } @@ -522,7 +522,7 @@ xml_workflow( return ret; } else { ret = cm_submit_d_review_eval(ctx, results, lasturl, - can_agent, &p, &q); + &p, &q); if (p != NULL) { fprintf(stdout, "%s", p); } @@ -534,7 +534,7 @@ xml_workflow( break; case op_retrieve: ret = cm_submit_d_fetch_eval(ctx, results, lasturl, - can_agent, &p, &q, 1); + &p, &q, 1); if (p != NULL) { fprintf(stdout, "%s", p); } @@ -858,7 +858,7 @@ ipa_workflow( break; case op_retrieve: rval = cm_submit_d_fetch_eval(ctx, results, NULL, - can_agent, &p, &q, 0); + &p, &q, 0); if (p != NULL) { fprintf(stdout, "%s", p); } @@ -868,7 +868,7 @@ ipa_workflow( break; case op_approve: rval = cm_submit_d_approve_eval(ctx, results, NULL, - can_agent, &p, &q, 0); + &p, &q, 0); if (p != NULL) { fprintf(stdout, "%s", p); } @@ -877,8 +877,8 @@ ipa_workflow( } break; case op_profiles: - rval = cm_submit_d_profiles_eval(ctx, results, NULL, - can_agent, &p, &q, 0); + rval = cm_submit_d_profiles_eval(ctx, results, + &p, &q, 0); if (p != NULL) { fprintf(stdout, "%s", p); diff --git a/src/submit-d.c b/src/submit-d.c index ce7acf7..a56b55e 100644 --- a/src/submit-d.c +++ b/src/submit-d.c 
@@ -487,7 +487,6 @@ cm_submit_d_submit_result(void *parent, const char *xml, int cm_submit_d_check_result(void *parent, const char *xml, - char **error_code, char **error_reason, char **error, char **status, char **requestId) { /* RequestStatus.java: @@ -507,7 +506,6 @@ cm_submit_d_check_result(void *parent, const char *xml, int cm_submit_d_reject_result(void *parent, const char *xml, - char **error_code, char **error_reason, char **error, char **status, char **requestId) { *error = cm_submit_d_xml_value(parent, xml, @@ -524,7 +522,7 @@ cm_submit_d_reject_result(void *parent, const char *xml, int cm_submit_d_review_result(void *parent, const char *xml, char **error_code, char **error_reason, - char **error, char **status, char **requestId) + char **status, char **requestId) { *error_code = trim(parent, cm_submit_d_xml_value(parent, xml, @@ -547,7 +545,7 @@ cm_submit_d_review_result(void *parent, const char *xml, int cm_submit_d_approve_result(void *parent, const char *xml, char **error_code, char **error_reason, - char **error, char **status, char **requestId) + char **status, char **requestId) { *error_code = trim(parent, cm_submit_d_xml_value(parent, xml, @@ -569,7 +567,6 @@ cm_submit_d_approve_result(void *parent, const char *xml, int cm_submit_d_fetch_result(void *parent, const char *xml, - char **error_code, char **error_reason, char **error, char **status, char **requestId, char **cert) { @@ -603,7 +600,6 @@ cm_submit_d_fetch_result(void *parent, const char *xml, int cm_submit_d_profiles_result(void *parent, const char *xml, char **error_code, char **error_reason, - char **error, char **status, char ***profiles) { *error_code = cm_submit_d_xml_value(parent, xml, 
@@ -677,8 +673,7 @@ cm_submit_d_check_eval(void *parent, const char *xml, const char *url, *err = NULL; if (is_xml) { cm_submit_d_check_result(parent, xml, - &error_code, &error_reason, &error, - &status, &requestId); + &error, &status, &requestId); } else { cm_submit_d_rest_check_result(parent, xml, &error_code, &error_reason, @@ -728,15 +723,14 @@ cm_submit_d_check_eval(void *parent, const char *xml, const char *url, enum cm_external_status cm_submit_d_reject_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err) + char **out, char **err) { char *error = NULL, *error_code = NULL, *error_reason = NULL; char *status = NULL, *requestId = NULL; *out = NULL; *err = NULL; cm_submit_d_reject_result(parent, xml, - &error_code, &error_reason, &error, - &status, &requestId); + &error, &status, &requestId); if ((error != NULL) || (error_code != NULL) || (error_reason != NULL)) { *out = talloc_asprintf(parent, "Server at \"%s\" replied", url); if (error != NULL) { @@ -756,14 +750,14 @@ cm_submit_d_reject_eval(void *parent, const char *xml, const char *url, enum cm_external_status cm_submit_d_review_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err) + char **out, char **err) { char *error = NULL, *error_code = NULL, *error_reason = NULL; char *status = NULL, *requestId = NULL; *out = NULL; *err = NULL; cm_submit_d_review_result(parent, xml, - &error_code, &error_reason, &error, + &error_code, &error_reason, &status, &requestId); if ((status != NULL) && (strcmp(status, "pending") == 0) && @@ -800,7 +794,7 @@ cm_submit_d_review_eval(void *parent, const char *xml, const char *url, enum cm_external_status cm_submit_d_approve_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err, int is_xml) + char **out, char **err, int is_xml) { char *error = NULL, *error_code = NULL, *error_reason = NULL; char *status = NULL, *requestId = NULL; 
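Review bot: In cm_submit_d_reject_eval the locals `error_code` and `error_reason` are still declared and still tested in `if ((error != NULL) || (error_code != NULL) || (error_reason != NULL))`, but after this change nothing assigns them, so those two tests are always false. I would reduce the declaration to `char *error = NULL;` and the test to `if (error != NULL) {`. cm_submit_d_review_eval likewise keeps `char *error = NULL` although cm_submit_d_review_result no longer fills it. The later hunks under `restart:` (`case op_reject`, `case op_check`, `case op_fetch`) have the same leftover: `if (error_code != NULL)` follows a call that no longer sets `error_code`, so it can only print a value left over from earlier code, assuming the variable is not reset on each pass. The declarations are outside the hunks, so that needs checking. These function bodies all continue outside the hunks shown.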
@@ -808,7 +802,7 @@ cm_submit_d_approve_eval(void *parent, const char *xml, const char *url, *err = NULL; if (is_xml) { cm_submit_d_approve_result(parent, xml, - &error_code, &error_reason, &error, + &error_code, &error_reason, &status, &requestId); } else { cm_submit_d_rest_approve_result(parent, xml, @@ -841,7 +835,7 @@ cm_submit_d_approve_eval(void *parent, const char *xml, const char *url, enum cm_external_status cm_submit_d_fetch_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err, int is_xml) + char **out, char **err, int is_xml) { char *error = NULL, *error_code = NULL, *error_reason = NULL; char *status = NULL, *requestId = NULL, *cert = NULL; @@ -849,7 +843,7 @@ cm_submit_d_fetch_eval(void *parent, const char *xml, const char *url, *err = NULL; if (is_xml) { cm_submit_d_fetch_result(parent, xml, - &error_code, &error_reason, &error, + &error, &status, &requestId, &cert); } else { cm_submit_d_rest_fetch_result(parent, xml, @@ -878,11 +872,11 @@ cm_submit_d_fetch_eval(void *parent, const char *xml, const char *url, } enum cm_external_status -cm_submit_d_profiles_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err, +cm_submit_d_profiles_eval(void *parent, const char *xml, + char **out, char **err, int is_xml) { - char *error_code = NULL, *error_reason = NULL, *status = NULL; + char *error_code = NULL, *error_reason = NULL; char **profiles = NULL; int i; @@ -890,7 +884,7 @@ cm_submit_d_profiles_eval(void *parent, const char *xml, const char *url, *err = NULL; if (is_xml) { cm_submit_d_profiles_result(parent, xml, &error_code, &error_reason, - err, &status, &profiles); + &profiles); } else { cm_submit_d_rest_profiles_result(parent, xml, &error_code, &error_reason, &profiles); 
@@ -1625,7 +1619,6 @@ restart: break; case op_reject: cm_submit_d_reject_result(hctx, result, - &error_code, &error_reason, &error, &status, &requestId); if (error_code != NULL) { printf("error code: %s\n", error_code); @@ -1660,7 +1653,7 @@ restart: free(defaults); cm_submit_d_approve_result(hctx, result, &error_code, &error_reason, - &error, &status, &requestId); + &status, &requestId); if (error_code != NULL) { printf("error code: %s\n", error_code); } @@ -1688,7 +1681,7 @@ restart: } else { cm_submit_d_approve_result(hctx, result, &error_code, &error_reason, - &error, &status, &requestId); + &status, &requestId); if (error_code != NULL) { printf("error code: %s\n", error_code); } @@ -1708,7 +1701,6 @@ restart: break; case op_check: cm_submit_d_check_result(hctx, result, - &error_code, &error_reason, &error, &status, &requestId); if (error_code != NULL) { printf("error code: %s\n", error_code); @@ -1728,7 +1720,6 @@ restart: break; case op_fetch: cm_submit_d_fetch_result(hctx, result, - &error_code, &error_reason, &error, &status, &requestId, &cert); if (error_code != NULL) { printf("error code: %s\n", error_code); diff --git a/src/submit-d.h b/src/submit-d.h index 3084739..9486bf0 100644 --- a/src/submit-d.h +++ b/src/submit-d.h 
@@ -40,28 +40,25 @@ int cm_submit_d_submit_result(void *parent, const char *xml, char **error, char **status, char **requestId, char **cert); int cm_submit_d_check_result(void *parent, const char *xml, - char **error_code, char **error_reason, - char **error, char **status, + char **error, + char **status, char **requestId); int cm_submit_d_reject_result(void *parent, const char *xml, - char **error_code, char **error_reason, char **error, char **status, char **requestId); int cm_submit_d_review_result(void *parent, const char *xml, char **error_code, char **error_reason, - char **error, char **status, + char **status, char **requestId); int cm_submit_d_approve_result(void *parent, const char *xml, char **error_code, char **error_reason, - char **error, char **status, + char **status, char **requestId); int cm_submit_d_fetch_result(void *parent, const char *xml, - char **error_code, char **error_reason, char **error, char **status, char **requestId, char **cert); int cm_submit_d_profiles_result(void *parent, const char *xml, char **error_code, char **error_reason, - char **error, char **status, char ***profiles); enum cm_external_status cm_submit_d_submit_eval(void *parent, const char *xml, const char *url, 
@@ -73,23 +70,16 @@ enum cm_external_status cm_submit_d_check_eval(void *parent, const char *xml, char **out, char **err, int is_xml); enum cm_external_status cm_submit_d_reject_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err); enum cm_external_status cm_submit_d_review_eval(void *parent, const char *xml, - const char *url, - dbus_bool_t can_agent, - char **out, char **err); + const char *url, char **out, char **err); enum cm_external_status cm_submit_d_approve_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err, int is_xml); enum cm_external_status cm_submit_d_fetch_eval(void *parent, const char *xml, const char *url, - dbus_bool_t can_agent, char **out, char **err, int is_xml); enum cm_external_status cm_submit_d_profiles_eval(void *parent, const char *xml, - const char *url, - dbus_bool_t can_agent, char **out, char **err, int is_xml); int cm_submit_d_rest_profiles_result(void *parent, const char *result, diff --git a/tests/tools/dparse.c b/tests/tools/dparse.c index ea1087e..9495732 100644 --- a/tests/tools/dparse.c +++ b/tests/tools/dparse.c @@ -81,8 +81,7 @@ main(int argc, char **argv) if (strcmp(mode, "check") == 0) { if (is_xml) { cm_submit_d_check_result(ctx, xml, - &error_code, &error_reason, &error, - &status, &requestId); + &error, &status, &requestId); } else { cm_submit_d_rest_check_result(ctx, xml, &error_code, &error_reason, 
@@ -93,22 +92,21 @@ main(int argc, char **argv) } else if (strcmp(mode, "reject") == 0) { cm_submit_d_reject_result(ctx, xml, - &error_code, &error_reason, &error, - &status, &requestId); + &error, &status, &requestId); i = cm_submit_d_reject_eval(ctx, xml, "REJECT", - can_agent, &out, &err); + &out, &err); } else if (strcmp(mode, "review") == 0) { cm_submit_d_review_result(ctx, xml, - &error_code, &error_reason, &error, + &error_code, &error_reason, &status, &requestId); i = cm_submit_d_review_eval(ctx, xml, "REVIEW", - can_agent, &out, &err); + &out, &err); } else if (strcmp(mode, "approve") == 0) { if (is_xml) { cm_submit_d_approve_result(ctx, xml, - &error_code, &error_reason, &error, + &error_code, &error_reason, &status, &requestId); } else { cm_submit_d_rest_approve_result(ctx, xml, @@ -116,33 +114,31 @@ main(int argc, char **argv) &requestId); } i = cm_submit_d_approve_eval(ctx, xml, "APPROVE", - can_agent, &out, &err, is_xml); + &out, &err, is_xml); } else if (strcmp(mode, "fetch") == 0) { if (is_xml) { cm_submit_d_fetch_result(ctx, xml, - &error_code, &error_reason, &error, - &status, &requestId, &cert); + &error, &status, &requestId, &cert); } else { cm_submit_d_rest_fetch_result(ctx, xml, &error_code, &error_reason, &status, &cert); } i = cm_submit_d_fetch_eval(ctx, xml, "FETCH", - can_agent, &out, &err, is_xml); + &out, &err, is_xml); } else if (strcmp(mode, "profiles") == 0) { if (is_xml) { cm_submit_d_profiles_result(ctx, xml, - &error_code, &error_reason, &error, - &status, &profiles); + &error_code, &error_reason, + &profiles); } else { cm_submit_d_rest_profiles_result(ctx, xml, &error_code, &error_reason, &profiles); } - i = cm_submit_d_profiles_eval(ctx, xml, "PROFILES", - can_agent, &out, &err, is_xml); + i = cm_submit_d_profiles_eval(ctx, xml, &out, &err, is_xml); } else { fprintf(stderr, "unknown mode \"%s\"\n", mode); return -1; From b16536382f9ccb7cc1bafdf3e64a2ba63e279a4e Mon Sep 17 00:00:00 2001 
From: Rob Crittenden Date: Sep 05 2025 12:44:22 +0000 Subject: [PATCH 4/7] Fix format-overflow warning when converting time This removes warnings like: note: ‘sprintf’ output between 15 and 67 bytes into a destination of size 15 by converting to an unsigned short instead of a decimal. Signed-off-by: Rob Crittenden --- diff --git a/src/store-gen.c b/src/store-gen.c index 653767a..efcd8b5 100644 --- a/src/store-gen.c +++ b/src/store-gen.c @@ -374,7 +374,7 @@ cm_store_timestamp_from_time(time_t when, char timestamp[15]) { struct tm tm; if ((when != 0) && (gmtime_r(&when, &tm) == &tm)) { - sprintf(timestamp, "%04d%02d%02d%02d%02d%02d", + sprintf(timestamp, "%04hu%02hu%02hu%02hu%02hu%02hu", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec); } else { @@ -392,7 +392,7 @@ cm_store_local_timestamp_from_time_for_display(time_t when) if ((when != 0) && (localtime_r(&when, &tm) == &tm)) { timestamp = malloc(24 + strlen(tm.tm_zone)); if (timestamp != NULL) { - sprintf(timestamp, "%04d-%02d-%02d %02d:%02d:%02d %s", + sprintf(timestamp, "%04hu-%02hu-%02hu %02hu:%02hu:%02hu %s", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec, tm.tm_zone); } @@ -410,7 +410,7 @@ cm_store_timestamp_from_time_for_display(time_t when, char timestamp[25]) { struct tm tm; if ((when != 0) && (gmtime_r(&when, &tm) == &tm)) { - sprintf(timestamp, "%04d-%02d-%02d %02d:%02d:%02d UTC", + sprintf(timestamp, "%04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec); } else { diff --git a/src/store.h b/src/store.h index 404673b..2c2b326 100644 --- a/src/store.h +++ b/src/store.h 
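Review bot: The three `sprintf` calls changed in `src/store-gen.c` are still unbounded, and `%hu` prints up to five digits per field. In `cm_store_timestamp_from_time` a `tm_year + 1900` above 9999 therefore yields 15 characters plus the terminator, one byte more than `timestamp[15]` holds. The `h` modifier also makes negative or out-of-range values wrap modulo 65536 instead of being detected. I would keep `%d` and bound the write with `int n = snprintf(timestamp, 15, "%04d%02d%02d%02d%02d%02d", ...);` followed by `if (n < 0 || n >= 15)` taking the existing failure branch, using size 25 in `cm_store_timestamp_from_time_for_display` and the `malloc` length in the local-time variant. Each function continues outside its hunk, so the shape of the failure branch is inferred.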
@@ -44,7 +44,7 @@ time_t cm_store_time_from_timestamp(const char *timestamp); char *cm_store_timestamp_from_time(time_t when, char timestamp[15]); int cm_store_make_uuid_string(char out[37]); int cm_store_make_uuid_string_underscore(char out[37]); -char *cm_store_timestamp_from_time_for_display(time_t when, char timestamp[24]); +char *cm_store_timestamp_from_time_for_display(time_t when, char timestamp[25]); char *cm_store_local_timestamp_from_time_for_display(time_t when); char *cm_store_increment_serial(void *parent, const char *old_serial); char *cm_store_serial_to_binary(void *parent, From 712a1570a1c52cd2519cb85c08231165f203011f Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Sep 05 2025 12:44:22 +0000 Subject: [PATCH 5/7] Fix directive argument is NULL errors (-Wformat-overflow) Don't knowingly pass in a NULL value to an output statement. Fixes: https://pagure.io/certmonger/issue/283 Signed-off-by: Rob Crittenden --- diff --git a/src/scep.c b/src/scep.c index 35d6688..120bd3a 100644 --- a/src/scep.c +++ b/src/scep.c @@ -814,12 +814,12 @@ main(int argc, const char **argv) content_type2 = cm_submit_h_result_type(hctx); response_code2 = cm_submit_h_response_code(hctx); if (verbose > 0) { - fprintf(stderr, "%s \"%s?%s\"\n", "GET", url, params2); + fprintf(stderr, "%s \"%s?%s\"\n", "GET", url, params2 ? params2 : ""); fprintf(stderr, "response_code = %d\n", response_code2); fprintf(stderr, "content-type = \"%s\"\n", content_type2); fprintf(stderr, "code = %d\n", cm_submit_h_result_code(hctx)); fprintf(stderr, "code_text = \"%s\"\n", cm_submit_h_result_code_text(hctx)); - syslog(LOG_DEBUG, "%s %s?%s\n", "GET", url, params2); + syslog(LOG_DEBUG, "%s %s?%s\n", "GET", url, params2 ? params2 : ""); } if ((content_type2 != NULL) && (strcasecmp(content_type2, "application/x-x509-ca-cert") != 0)) { From fc590194d85be8325338a38d43c29ee2bd13fc7b Mon Sep 17 00:00:00 2001 
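Review bot: `content_type2` is still passed to `%s` unguarded in `fprintf(stderr, "content-type = \"%s\"\n", content_type2);`, although the `if ((content_type2 != NULL) && ...` right after the verbose block shows it can be NULL. The guard added for `params2` should be applied there too: `content_type2 ? content_type2 : ""`. The return value of `cm_submit_h_result_code_text(hctx)` also goes to `%s`; whether it can be NULL is not visible here, so it is worth checking. `main` continues outside the hunk.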
From: Rob Crittenden Date: Sep 05 2025 12:44:22 +0000 Subject: [PATCH 6/7] Suppress unused arguments to the LDAP SASL interactive callback Signed-off-by: Rob Crittenden --- diff --git a/src/ipa.c b/src/ipa.c index 59d44a1..830c445 100644 --- a/src/ipa.c +++ b/src/ipa.c @@ -58,7 +58,10 @@ static int -interact(LDAP *ld, unsigned flags, void *defaults, void *sasl_interact) +interact(__attribute__ ((unused)) LDAP *ld, + __attribute__ ((unused)) unsigned flags, + __attribute__ ((unused)) void *defaults, + __attribute__ ((unused)) void *sasl_interact) { return 0; } From 64e95065511dd5ee710b51633b66821209b90ac0 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Sep 05 2025 12:44:22 +0000 Subject: [PATCH 7/7] Pass all=True to certprofile-find to retrieve all profiles Otherwise certprofile-find will only return the "local" profiles stored in IPA LDAP. The user must both have permission to read the CA profiles and pass all=True. Signed-off-by: Rob Crittenden --- diff --git a/src/dogtag.c b/src/dogtag.c index 8894be7..c1e8bbc 100644 --- a/src/dogtag.c +++ b/src/dogtag.c @@ -721,9 +721,10 @@ ipa_workflow( break; case op_profiles: json_req = json_pack_ex(&j_error, 0, - "{s:s, s:[[],{}]}", + "{s:s, s:[[],{s:s}]}", "method", "certprofile_find", - "params"); + "params", + "all", "True"); break; } free(csr);
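Review bot: `interact` has no comment explaining why an LDAP SASL callback that ignores `sasl_interact` and returns 0 is sufficient, and the four attributes now make that the only thing a reader sees. I would add a comment above it such as `/* SASL interaction callback: answers no prompts; presumably the bind uses credentials that need none (confirm). */`. The caller is outside the hunk, so the mechanism in use is an assumption.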
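Review bot: The `all` option is packed as the JSON string `"True"` (`s:s`), not as a boolean, so the request depends on the server coercing a string to a flag, and that coercion is not visible in this patch. jansson's pack format has `b` for this: `"{s:s, s:[[],{s:b}]}"` with `"all", 1` sends a real JSON `true`. `ipa_workflow` continues outside the hunk, so whether `json_req` is checked for NULL after `json_pack_ex` cannot be seen here.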