From 51acb8494af114fcf5ec0407cfb32a61d5300048 Mon Sep 17 00:00:00 2001 From: Trevor Vaughan Date: Apr 11 2018 20:28:16 +0000 Subject: [PATCH 1/6] Add additional build deps to RPM spec file * Add additional required build dependencies to the RPM spec file Required for testing #89 --- diff --git a/certmonger.spec b/certmonger.spec index f2cf136..1cc0931 100644 --- a/certmonger.spec +++ b/certmonger.spec @@ -38,6 +38,7 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRequires: openldap-devel BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel +BuildRequires: autoconf, automake, gcc, gettext-devel %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6 BuildRequires: libuuid-devel %else From f68a4b8c73059214b28363bbf3729218a76ea117 Mon Sep 17 00:00:00 2001 From: Trevor Vaughan Date: Apr 11 2018 20:28:16 +0000 Subject: [PATCH 2/6] Fix C99 build error on EL7 systems Needed for testing #89 --- diff --git a/src/certext.c b/src/certext.c index e5d8065..6b2ecf3 100644 --- a/src/certext.c +++ b/src/certext.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2009,2011,2012,2013,2014,2015,2017 Red Hat, Inc. - * + * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or @@ -1620,9 +1620,9 @@ cm_certext_build_certificate_template( return NULL; int i = 0; - char *saveptr, *endptr; + char *saveptr, *endptr, *part; for ( - char *part = strtok_r(template_spec_dup, ":", &saveptr); + part = strtok_r(template_spec_dup, ":", &saveptr); part != NULL; part = strtok_r(NULL, ":", &saveptr) ) { From d428aed36506fe266b77bec76a7e63274191a2aa Mon Sep 17 00:00:00 2001 
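Review bot: The rewrite removes the `for (char *part = …)` initializer, but the same hunk still appears to have `int i = 0;` directly after the `return NULL;` statement, which gcc's default gnu90 mode on EL7 accepts only as an extension (mixed declarations and code), so the build is one `-pedantic` or one compiler upgrade away from the same class of error. If EL7 is a supported build target, either hoist it with the other locals, `int i = 0; char *saveptr, *endptr, *part;`, or, more durably, pass `-std=gnu99` from the build system (outside this diff) and keep the C99 style the rest of the file already uses. The enclosing cm_certext_build_certificate_template body starts and ends outside the hunk.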
From: Trevor Vaughan Date: Apr 11 2018 20:28:16 +0000 Subject: [PATCH 3/6] Allow configuration of client SCEP algorithms * Allow users to set `scep_cipher` and `scep_digest` in their CA configuration. These settings are authoritative and will override anything from the server. This was added to support connections to systems, such as Dogtag, that do not provide a CA capabilities string and, therefore, are prone to causing incorrect ciphers to be used on the client side. * In accordance with the latest SCEP Draft RFC, the default cipher has been changed to AES-256 and the default digest has been changed to SHA-256. These were chosen as reasonable defaults for most users and systems. * To ease the determination of which configuration file controls what CA, the output of `getcert list-cas -v` was updated to print a `config-path` entry which will list the specific configuration associated with a given CA. Closes #89 --- diff --git a/src/getcert.c b/src/getcert.c index 5ecd712..6417cd4 100644 --- a/src/getcert.c +++ b/src/getcert.c @@ -4291,6 +4291,12 @@ list_cas(const char *argv0, int argc, const char **argv) if ((s != NULL) && (strlen(s) > 0)) { printf(_("\tpost-save command: %s\n"), s); } + if (verbose > 0) { + printf(_("\tconfig-path: %s\n"), + query_rep_s(bus, cas[i], CM_DBUS_CA_INTERFACE, + "get_config_file_path", + verbose, globals.tctx)); + } } return 0; } diff --git a/src/prefs.h b/src/prefs.h index 231aea7..349ec64 100644 --- a/src/prefs.h +++ b/src/prefs.h @@ -20,9 +20,12 @@ enum cm_prefs_cipher { cm_prefs_aes128, + cm_prefs_aes192, cm_prefs_aes256, cm_prefs_des3, cm_prefs_des, + /* This is for the selection logic */ + cm_prefs_nocipher, }; enum cm_prefs_digest { @@ -31,6 +34,8 @@ enum cm_prefs_digest { cm_prefs_sha512, cm_prefs_sha1, cm_prefs_md5, + /* This is for the selection logic */ + cm_prefs_nodigest, }; enum cm_notification_method; diff --git a/src/scepgen-o.c b/src/scepgen-o.c index 56efc2c..8b1c4ca 100644 --- a/src/scepgen-o.c +++ b/src/scepgen-o.c 
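Review bot: The new `config-path` line passes the result of `query_rep_s()` straight to `printf("%s")`; if that helper can return NULL — a newer getcert talking to an older certmonger that does not implement `get_config_file_path` is the obvious case — that is undefined behaviour in printf. I cannot see query_rep_s from here, so confirm its failure contract; if NULL is possible, fetch first and print only when set, e.g. `s = query_rep_s(bus, cas[i], CM_DBUS_CA_INTERFACE, "get_config_file_path", verbose, globals.tctx); if (s != NULL) printf(_("\tconfig-path: %s\n"), s);`, reusing the `s` scratch variable this loop already uses for the post-save command if its type allows. list_cas starts outside the hunk.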
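Review bot: Inserting `cm_prefs_aes192` between `cm_prefs_aes128` and `cm_prefs_aes256` renumbers every constant after it, and the new `cm_prefs_nocipher`/`cm_prefs_nodigest` sentinels are now legal values of the type that any `switch` over `enum cm_prefs_cipher` or `enum cm_prefs_digest` elsewhere in the tree will not handle. If these enums are only ever used in-process the renumbering is harmless, but please confirm they are not persisted or sent over D-Bus as integers; appending new members at the end avoids the question entirely. The sentinel comments should also say what they mean rather than where they are used, e.g. `/* Sentinel: "not selected yet"; must be replaced before any envelope/sign call. */`.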
@@ -422,49 +422,155 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, free(pem); _exit(CM_SUB_STATUS_INTERNAL_ERROR); } - cipher = cm_prefs_des; - for (i = 0; - (ca->cm_ca_capabilities != NULL) && - (ca->cm_ca_capabilities[i] != NULL); - i++) { - capability = ca->cm_ca_capabilities[i]; - if (strcmp(capability, "DES3") == 0) { - cm_log(1, "Server supports DES3, using that.\n"); + + char* scep_cipher = ca->cm_ca_scep_cipher; + if (scep_cipher != NULL) { + /* Force the cipher to whatever is in the configuration */ + if (strcmp(scep_cipher, "AES256") == 0) { + cipher = cm_prefs_aes256; + } + else if (strcmp(scep_cipher, "AES192") == 0) { + cipher = cm_prefs_aes192; + } + else if (strcmp(scep_cipher, "AES128") == 0) { + cipher = cm_prefs_aes128; + } + else if (strcmp(scep_cipher, "DES3") == 0) { cipher = cm_prefs_des3; - break; - } - } - if (cipher == cm_prefs_des) { - cm_log(1, "Server does not support DES3, using DES.\n"); - } - pref_digest = cm_prefs_preferred_digest(); - digest = cm_prefs_md5; - for (i = 0; - (ca->cm_ca_capabilities != NULL) && - (ca->cm_ca_capabilities[i] != NULL); - i++) { - capability = ca->cm_ca_capabilities[i]; - if ((pref_digest == cm_prefs_sha1) && - (strcmp(capability, "SHA-1") == 0)) { - cm_log(1, "Server supports SHA-1, using that.\n"); - digest = cm_prefs_sha1; - break; } - if ((pref_digest == cm_prefs_sha256) && - (strcmp(capability, "SHA-256") == 0)) { - cm_log(1, "Server supports SHA-256, using that.\n"); - digest = cm_prefs_sha256; - break; + else if (strcmp(scep_cipher, "DES") == 0) { + cipher = cm_prefs_des; } - if ((pref_digest == cm_prefs_sha512) && - (strcmp(capability, "SHA-512") == 0)) { - cm_log(1, "Server supports SHA-512, using that.\n"); - digest = cm_prefs_sha512; - break; + else { + cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. 
Got '%s'\n", scep_cipher); + _exit(1); + } + + cm_log(1, "SCEP cipher authoritatively set to: '%s'\n", scep_cipher); + } + else { + cipher = cm_prefs_nocipher; + for (i = 0; + (ca->cm_ca_capabilities != NULL) && + (ca->cm_ca_capabilities[i] != NULL); + i++) { + capability = ca->cm_ca_capabilities[i]; + if ((strcmp(capability, "AES-256") == 0) || + (strcmp(capability, "AES256") == 0)) { + cm_log(1, "Server supports AES256, using that.\n"); + cipher = cm_prefs_aes256; + break; + } + if ((strcmp(capability, "AES-192") == 0) || + (strcmp(capability, "AES192") == 0)) { + cm_log(1, "Server supports AES192, using that.\n"); + cipher = cm_prefs_aes192; + break; + } + if ((strcmp(capability, "AES-128") == 0) || + (strcmp(capability, "AES128") == 0)) { + cm_log(1, "Server supports AES128, using that.\n"); + cipher = cm_prefs_aes128; + break; + } + if (strcmp(capability, "AES") == 0) { + cm_log(1, "Server supports AES, using AES256.\n"); + cipher = cm_prefs_aes256; + break; + } + if (strcmp(capability, "DES3") == 0) { + cm_log(1, "Server supports DES3, using that.\n"); + cipher = cm_prefs_des3; + break; + } + /* This remains for backward compatibility */ + if (strcmp(capability, "DES") == 0) { + cm_log(1, "Server supports DES, using that.\n"); + cipher = cm_prefs_des; + break; + } + } + if (cipher == cm_prefs_nocipher) { + /* Per the latest Draft RFC */ + cm_log(1, "Could not determine supported CA capabilities, using AES256.\n"); + cipher = cm_prefs_aes256; } } - if (digest == cm_prefs_md5) { - cm_log(1, "Server does not support better digests, using MD5.\n"); + + char* scep_digest = ca->cm_ca_scep_digest; + if (scep_digest != NULL) { + /* Force the digest to whatever is in the configuration */ + if (strcmp(scep_digest, "SHA512") == 0) { + digest = cm_prefs_sha512; + } + else if (strcmp(scep_digest, "SHA384") == 0) { + digest = cm_prefs_sha384; + } + else if (strcmp(scep_digest, "SHA256") == 0) { + digest = cm_prefs_sha256; + } + else if (strcmp(scep_digest, "SHA1") == 0) { 
+ digest = cm_prefs_sha1; + } + else if (strcmp(scep_digest, "MD5") == 0) { + digest = cm_prefs_md5; + } + else { + cm_log(1, "Option 'scep_digest' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_digest); + _exit(1); + } + + cm_log(1, "SCEP digest authoritatively set to: '%s'\n", scep_digest); + } + else { + pref_digest = cm_prefs_preferred_digest(); + digest = cm_prefs_nodigest; + for (i = 0; + (ca->cm_ca_capabilities != NULL) && + (ca->cm_ca_capabilities[i] != NULL); + i++) { + capability = ca->cm_ca_capabilities[i]; + if ((pref_digest == cm_prefs_sha512) && + ((strcmp(capability, "SHA-512") == 0) || + (strcmp(capability, "SHA512") == 0))) { + cm_log(1, "Server supports SHA-512, using that.\n"); + digest = cm_prefs_sha512; + break; + } + if ((pref_digest == cm_prefs_sha384) && + ((strcmp(capability, "SHA-384") == 0) || + (strcmp(capability, "SHA384") == 0))) { + cm_log(1, "Server supports SHA-384, using that.\n"); + digest = cm_prefs_sha384; + break; + } + if ((pref_digest == cm_prefs_sha256) && + ((strcmp(capability, "SHA-256") == 0) || + (strcmp(capability, "SHA256") == 0))) { + cm_log(1, "Server supports SHA-256, using that.\n"); + digest = cm_prefs_sha256; + break; + } + if ((pref_digest == cm_prefs_sha1) && + ((strcmp(capability, "SHA-1") == 0) || + (strcmp(capability, "SHA1") == 0))) { + cm_log(1, "Server supports SHA-1, using that.\n"); + digest = cm_prefs_sha1; + break; + } + /* This remains for backward compatibility */ + if ((pref_digest == cm_prefs_sha1) && + (strcmp(capability, "MD5") == 0)) { + cm_log(1, "Server supports MD5, using that.\n"); + digest = cm_prefs_md5; + break; + } + } + if (digest == cm_prefs_nodigest) { + /* Per the latest Draft RFC */ + cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n"); + digest = cm_prefs_sha256; + } } if (old_cert != NULL) { if (cm_pkcs7_envelope_ias(ca->cm_ca_encryption_cert, cipher, diff --git a/src/store-files.c b/src/store-files.c index 5ccde77..06a1748 100644 
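Review bot: The capability-driven selection is order dependent: the loop `break`s on the first capability string that matches any cipher, so a CA that lists `DES3` (or the non-standard `DES`) before `AES-256` ends up with 3DES or single DES even though AES is advertised, and the digest loop has the same shape (an `MD5` entry before `SHA-1` wins when the preference is SHA-1). GetCACaps is fetched over unauthenticated HTTP, so an on-path party who can reorder or inject a keyword can downgrade the envelope; scanning every capability and keeping the strongest removes both the accidental and the adversarial case, as below (the `best`/`rank`/`want` locals need declaring with the function's other locals, outside the hunk, and the digest loop wants the same treatment). Separately, the bare `AES` keyword is mapped to AES256 (`Server supports AES, using AES256.`), but draft-gutmann-scep, which later hunks cite, defines `AES` as AES128-CBC as I read it, so a CA advertising exactly what the draft says may receive a cipher it never claimed; map it to `cm_prefs_aes128` unless you have confirmed otherwise. The two new `_exit(1)` calls on bad configuration also differ from the `_exit(CM_SUB_STATUS_INTERNAL_ERROR)` the rest of this child uses; if the parent interprets the status, a `CM_SUB_STATUS_*` value is the better exit code. cm_scepgen_o_cooked starts and ends outside the hunk.
```c
	} else {
		/* GetCACaps arrives over plain HTTP in whatever order the CA (or an
		 * on-path party) chose; keep the strongest cipher seen rather than
		 * the first keyword that happens to match. */
		cipher = cm_prefs_nocipher;
		best = 0;
		for (i = 0;
		     (ca->cm_ca_capabilities != NULL) &&
		     (ca->cm_ca_capabilities[i] != NULL);
		     i++) {
			capability = ca->cm_ca_capabilities[i];
			if ((strcmp(capability, "AES-256") == 0) ||
			    (strcmp(capability, "AES256") == 0)) {
				want = cm_prefs_aes256; rank = 5;
			} else if ((strcmp(capability, "AES-192") == 0) ||
				   (strcmp(capability, "AES192") == 0)) {
				want = cm_prefs_aes192; rank = 4;
			} else if ((strcmp(capability, "AES-128") == 0) ||
				   (strcmp(capability, "AES128") == 0) ||
				   (strcmp(capability, "AES") == 0)) {
				/* Bare "AES" is AES128-CBC in draft-gutmann-scep; confirm. */
				want = cm_prefs_aes128; rank = 3;
			} else if (strcmp(capability, "DES3") == 0) {
				want = cm_prefs_des3; rank = 2;
			} else if (strcmp(capability, "DES") == 0) {
				/* Not a standard keyword; kept for backward compatibility. */
				want = cm_prefs_des; rank = 1;
			} else {
				continue;
			}
			if (rank > best) {
				best = rank;
				cipher = want;
			}
		}
		/* … unchanged: cm_prefs_nocipher fallback to AES256 … */
	}
```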
--- a/src/store-files.c +++ b/src/store-files.c @@ -221,6 +221,8 @@ enum cm_store_file_field { cm_store_ca_field_other_cert_nssdbs, cm_store_ca_field_capabilities, + cm_store_ca_field_scep_cipher, + cm_store_ca_field_scep_digest, cm_store_ca_field_scep_ca_identifier, cm_store_ca_field_encryption_cert, cm_store_ca_field_encryption_issuer_cert, @@ -400,6 +402,8 @@ static struct cm_store_file_field_list { {cm_store_ca_field_other_cert_nssdbs, "ca_other_cert_dbs"}, {cm_store_ca_field_capabilities, "ca_capabilities"}, + {cm_store_ca_field_scep_cipher, "scep_cipher"}, + {cm_store_ca_field_scep_digest, "scep_digest"}, {cm_store_ca_field_scep_ca_identifier, "scep_ca_identifier"}, {cm_store_ca_field_encryption_cert, "ca_encryption_cert"}, {cm_store_ca_field_encryption_issuer_cert, "ca_encryption_issuer_cert"}, @@ -804,6 +808,8 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp) case cm_store_ca_field_other_root_cert_nssdbs: case cm_store_ca_field_other_cert_nssdbs: case cm_store_ca_field_capabilities: + case cm_store_ca_field_scep_cipher: + case cm_store_ca_field_scep_digest: case cm_store_ca_field_scep_ca_identifier: case cm_store_ca_field_encryption_cert: case cm_store_ca_field_encryption_issuer_cert: @@ -1602,6 +1608,14 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) ret->cm_ca_capabilities = free_if_empty_multi(ret, p); break; + case cm_store_ca_field_scep_cipher: + ret->cm_ca_scep_cipher = + free_if_empty(p); + break; + case cm_store_ca_field_scep_digest: + ret->cm_ca_scep_digest = + free_if_empty(p); + break; case cm_store_ca_field_scep_ca_identifier: ret->cm_ca_scep_ca_identifier = free_if_empty(p); 
@@ -2418,6 +2432,10 @@ cm_store_ca_write(FILE *fp, struct cm_store_ca *ca) ca->cm_ca_other_cert_store_nssdbs); cm_store_file_write_strs(fp, cm_store_ca_field_capabilities, ca->cm_ca_capabilities); + cm_store_file_write_str(fp, cm_store_ca_field_scep_cipher, + ca->cm_ca_scep_cipher); + cm_store_file_write_str(fp, cm_store_ca_field_scep_digest, + ca->cm_ca_scep_digest); cm_store_file_write_str(fp, cm_store_ca_field_scep_ca_identifier, ca->cm_ca_scep_ca_identifier); cm_store_file_write_str(fp, cm_store_ca_field_encryption_cert, @@ -2940,6 +2958,10 @@ cm_store_ca_dup(void *parent, struct cm_store_ca *ca) ret->cm_ca_capabilities = cm_store_maybe_strdupv(ret, ca->cm_ca_capabilities); + ret->cm_ca_scep_cipher = + cm_store_maybe_strdup(ret, ca->cm_ca_scep_cipher); + ret->cm_ca_scep_digest = + cm_store_maybe_strdup(ret, ca->cm_ca_scep_digest); ret->cm_ca_scep_ca_identifier = cm_store_maybe_strdup(ret, ca->cm_ca_scep_ca_identifier); ret->cm_ca_encryption_cert = diff --git a/src/store-int.h b/src/store-int.h index 98b37e6..4a40406 100644 --- a/src/store-int.h +++ b/src/store-int.h @@ -349,6 +349,10 @@ struct cm_store_ca { char **cm_ca_other_cert_store_nssdbs; /* CA capabilities. Currently only ever SCEP capabilities. */ char **cm_ca_capabilities; + /* SCEP Cipher to use. Overrides CA Capabilities */ + char *cm_ca_scep_cipher; + /* SCEP Digest to use. Overrides CA Capabilities */ + char *cm_ca_scep_digest; /* An SCEP CA identifier, for use in gathering an RA (and possibly a * CA) certificate. */ char *cm_ca_scep_ca_identifier; diff --git a/src/tdbus.h b/src/tdbus.h index 7164f11..e63e783 100644 --- a/src/tdbus.h +++ b/src/tdbus.h 
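Review bot: The two new field comments in struct cm_store_ca say only `Overrides CA Capabilities`; the accepted spellings and the meaning of an unset value are documented nowhere but the error strings in scepgen-o.c, which is not where the next person editing the store will look. I would write `/* SCEP cipher override, exact spelling: AES256, AES192, AES128, DES3 or DES; NULL means negotiate from cm_ca_capabilities. */` and the matching `/* SCEP digest override: SHA512, SHA384, SHA256, SHA1 or MD5; NULL means negotiate from cm_ca_capabilities. */`. The struct definition starts and ends outside the hunk.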
@@ -119,6 +119,8 @@
 #define CM_DBUS_PROP_ROOT_CERTS "root-certs"
 #define CM_DBUS_PROP_OTHER_ROOT_CERTS "root-other-certs"
 #define CM_DBUS_PROP_OTHER_CERTS "other-certs"
+#define CM_DBUS_PROP_SCEP_CIPHER "scep-cipher"
+#define CM_DBUS_PROP_SCEP_DIGEST "scep-digest"
 #define CM_DBUS_PROP_SCEP_CA_IDENTIFIER "scep-ca-identifier"
 #define CM_DBUS_PROP_SCEP_CA_CAPABILITIES "scep-ca-capabilities"
 #define CM_DBUS_PROP_SCEP_RA_CERT "scep-ra-cert"
diff --git a/src/tdbush.c b/src/tdbush.c
index d5febc8..1d48722 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -2128,6 +2128,27 @@ ca_get_serial(DBusConnection *conn, DBusMessage *msg,
 }
 }
 }
+/* org.fedorahosted.certonger.ca.get_config_file_path */
+ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg,
+ struct cm_client_info *ci, struct cm_context *ctx)
+{
+ DBusMessage *rep;
+ struct cm_store_ca *ca;
+ ca = get_ca_for_request_message(msg, ctx);
+ if (ca == NULL) {
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+ rep = dbus_message_new_method_return(msg);
+ if (rep != NULL) {
+ cm_tdbusm_set_s(rep, ca->cm_store_private);
+ dbus_connection_send(conn, rep, NULL);
+ dbus_message_unref(rep);
+ return DBUS_HANDLER_RESULT_HANDLED;
+ } else {
+ return send_internal_ca_error(conn, msg);
+ }
+}
+
 /* org.fedorahosted.certonger.ca.refresh */
 static DBusHandlerResult
 ca_refresh(DBusConnection *conn, DBusMessage *msg,
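Review bot: `ca_get_config_file_path` is defined with no return type and no `static`, unlike the neighbouring `static DBusHandlerResult ca_refresh(...)`; the hunk's 21 added lines contain no type line, so the function defaults to implicit `int` (rejected outright by C99-and-later compilers and by gcc 14) and is then passed where a `DBusHandlerResult (*)(...)` is expected in `make_method`. Add the missing line so the definition reads `static DBusHandlerResult` / `ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg,`. Assuming `cm_store_private` is the on-disk path, as the `$tmpdir/cas/...` test expectations suggest, this also hands the daemon's private storage layout to any bus client allowed to call CA methods, which is probably acceptable for a path but worth a line in the method's D-Bus documentation. The `ci` parameter is unused, which matches the other handlers.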
@@ -2262,6 +2283,106 @@ ca_prop_set_external_helper(struct cm_context *ctx, void *parent, } static const char * +ca_prop_get_scep_cipher(struct cm_context *ctx, void *parent, + void *record, const char *name) +{ + struct cm_store_ca *ca = record; + + if (strcmp(name, CM_DBUS_PROP_SCEP_CIPHER) == 0) { + if (ca->cm_ca_type != cm_ca_external) { + return ""; + } + if (ca->cm_ca_scep_cipher != NULL) { + return ca->cm_ca_scep_cipher; + } else { + return ""; + } + } + return NULL; +} + +static void +ca_prop_set_scep_cipher(struct cm_context *ctx, void *parent, + void *record, const char *name, + const char *new_value) +{ + const char *propname[2], *path; + struct cm_store_ca *ca = record; + enum cm_ca_phase phase; + + if (strcmp(name, CM_DBUS_PROP_SCEP_CIPHER) == 0) { + if (ca->cm_ca_type != cm_ca_external) { + return; + } + talloc_free(ca->cm_ca_scep_cipher); + ca->cm_ca_scep_cipher = new_value ? + talloc_strdup(ca, new_value) : + NULL; + for (phase = 0; phase < cm_ca_phase_invalid; phase++) { + cm_restart_ca(ctx, ca->cm_nickname, phase); + } + propname[0] = CM_DBUS_PROP_SCEP_CIPHER; + propname[1] = NULL; + path = talloc_asprintf(parent, "%s/%s", + CM_DBUS_CA_PATH, + ca->cm_busname); + cm_tdbush_property_emit_changed(ctx, path, + CM_DBUS_CA_INTERFACE, + propname); + } +} + +static const char * +ca_prop_get_scep_digest(struct cm_context *ctx, void *parent, + void *record, const char *name) +{ + struct cm_store_ca *ca = record; + + if (strcmp(name, CM_DBUS_PROP_SCEP_DIGEST) == 0) { + if (ca->cm_ca_type != cm_ca_external) { + return ""; + } + if (ca->cm_ca_scep_digest != NULL) { + return ca->cm_ca_scep_digest; + } else { + return ""; + } + } + return NULL; +} + +static void +ca_prop_set_scep_digest(struct cm_context *ctx, void *parent, + void *record, const char *name, + const char *new_value) +{ + const char *propname[2], *path; + struct cm_store_ca *ca = record; + enum cm_ca_phase phase; + + if (strcmp(name, CM_DBUS_PROP_SCEP_DIGEST) == 0) { + if (ca->cm_ca_type != 
cm_ca_external) { + return; + } + talloc_free(ca->cm_ca_scep_digest); + ca->cm_ca_scep_digest = new_value ? + talloc_strdup(ca, new_value) : + NULL; + for (phase = 0; phase < cm_ca_phase_invalid; phase++) { + cm_restart_ca(ctx, ca->cm_nickname, phase); + } + propname[0] = CM_DBUS_PROP_SCEP_DIGEST; + propname[1] = NULL; + path = talloc_asprintf(parent, "%s/%s", + CM_DBUS_CA_PATH, + ca->cm_busname); + cm_tdbush_property_emit_changed(ctx, path, + CM_DBUS_CA_INTERFACE, + propname); + } +} + +static const char * ca_prop_get_scep_ca_identifier(struct cm_context *ctx, void *parent, void *record, const char *name) { @@ -7278,6 +7399,14 @@ cm_tdbush_iface_ca(void) if (ret == NULL) { ret = make_interface(CM_DBUS_CA_INTERFACE, make_interface_item(cm_tdbush_interface_method, + make_method("get_config_file_path", + ca_get_config_file_path, + make_method_arg("path", + DBUS_TYPE_STRING_AS_STRING, + cm_tdbush_method_arg_out, + NULL), + NULL), + make_interface_item(cm_tdbush_interface_method, make_method("get_nickname", ca_get_nickname, make_method_arg("nickname", @@ -7529,6 +7658,24 @@ cm_tdbush_iface_ca(void) NULL, NULL, NULL, NULL, NULL, NULL), make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_SCEP_CIPHER, + cm_tdbush_property_string, + cm_tdbush_property_readwrite, + cm_tdbush_property_special, + 0, + ca_prop_get_scep_cipher, NULL, NULL, NULL, NULL, + ca_prop_set_scep_cipher, NULL, NULL, NULL, NULL, + NULL), + make_interface_item(cm_tdbush_interface_property, + make_property(CM_DBUS_PROP_SCEP_DIGEST, + cm_tdbush_property_string, + cm_tdbush_property_readwrite, + cm_tdbush_property_special, + 0, + ca_prop_get_scep_digest, NULL, NULL, NULL, NULL, + ca_prop_set_scep_digest, NULL, NULL, NULL, NULL, + NULL), + make_interface_item(cm_tdbush_interface_property, make_property(CM_DBUS_PROP_SCEP_CA_IDENTIFIER, cm_tdbush_property_string, cm_tdbush_property_readwrite, 
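Review bot: `ca_prop_set_scep_cipher` and `ca_prop_set_scep_digest` store whatever string the bus client sends, including `""`, whereas the file reader in store-files.c turns an empty value into NULL via `free_if_empty`; an empty D-Bus write therefore leaves a non-NULL empty string that cm_scepgen_o_cooked rejects with `_exit(1)` on every request instead of clearing the override. Normalise in both setters: `ca->cm_ca_scep_cipher = (new_value != NULL && *new_value != '\0') ? talloc_strdup(ca, new_value) : NULL;` (and the same for the digest). The setters also accept unknown names that are only diagnosed later in the forked child, so checking against the same AES256/AES192/AES128/DES3/DES and SHA512/SHA384/SHA256/SHA1/MD5 lists here would surface typos at set time rather than as a silently failing CA. Because a write to either property can downgrade every request on this CA to DES or MD5, please confirm the bus policy restricts property writes on the CA interface to root, as it presumably does for the existing writable properties; I cannot see the policy file from here.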
@@ -7573,7 +7720,7 @@ cm_tdbush_iface_ca(void) NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL), - NULL)))))))))))))))))))))))))))))))))))); + NULL))))))))))))))))))))))))))))))))))))))); } return ret; } From 6e4f0f1dd97f71cd04d7049db55358f0a09226af Mon Sep 17 00:00:00 2001 From: Trevor Vaughan Date: Apr 11 2018 20:28:17 +0000 Subject: [PATCH 4/6] Updates per Feedback Ref: #89 --- diff --git a/src/scepgen-o.c b/src/scepgen-o.c index 8b1c4ca..6073c81 100644 --- a/src/scepgen-o.c +++ b/src/scepgen-o.c @@ -446,7 +446,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, _exit(1); } - cm_log(1, "SCEP cipher authoritatively set to: '%s'\n", scep_cipher); + cm_log(1, "SCEP cipher set from configuration to: '%s'\n", scep_cipher); } else { cipher = cm_prefs_nocipher; @@ -516,11 +516,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, digest = cm_prefs_md5; } else { - cm_log(1, "Option 'scep_digest' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_digest); + cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest); _exit(1); } - cm_log(1, "SCEP digest authoritatively set to: '%s'\n", scep_digest); + cm_log(1, "SCEP digest set from configuration to: '%s'\n", scep_digest); } else { pref_digest = cm_prefs_preferred_digest(); @@ -567,7 +567,8 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, } } if (digest == cm_prefs_nodigest) { - /* Per the latest Draft RFC */ + /* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */ + /* https://www.ietf.org/id/draft-gutmann-scep-10.txt */ cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n"); digest = cm_prefs_sha256; } From a1194ad04ec79091695fd4ea1533347936c22262 Mon Sep 17 00:00:00 2001 
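Review bot: Only the digest fallback received the concrete citation; the cipher fallback about 75 lines earlier still carries the floating `/* Per the latest Draft RFC */`, which will be wrong the day the draft is published or replaced, so give it the same two-line `draft-gutmann-scep-10` reference. While checking that reference, verify that the draft actually prescribes AES-256 when no capabilities are known, since its `AES` capability keyword denotes AES128-CBC as I read it and the mandatory-to-implement cipher may well be the 128-bit one; if so the comment should say "chosen as a conservative default beyond the draft's minimum" rather than "per the draft". The corrected `scep_digest` error string now lists the right names, thanks. cm_scepgen_o_cooked starts and ends outside these hunks.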
From: Trevor Vaughan Date: Apr 11 2018 20:28:17 +0000 Subject: [PATCH 5/6] Updated tests Worked around the fact that data under the 'cas' directory is dynamically provisioned by moving from `cmp` to `diff -q -I` in run-tests.sh and excluding everything in the dynamically generated space. Ref #89 --- diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out index 8a81a7f..ca3179e 100644 --- a/tests/028-dbus/expected.out +++ b/tests/028-dbus/expected.out @@ -542,6 +542,9 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + + @@ -586,6 +589,8 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + @@ -594,6 +599,9 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri +[ /org/fedorahosted/certmonger/cas/CA1: org.fedorahosted.certmonger.ca.get_config_file_path ] +$tmpdir/cas/local + [ /org/fedorahosted/certmonger/cas/CA1: org.fedorahosted.certmonger.ca.get_nickname ] local @@ -647,6 +655,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + @@ -691,6 +702,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + @@ -699,6 +712,9 @@ dbus.Array([], signature=dbus.Signature('s')) +[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ] +$tmpdir/cas/20180327134236 + [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ] SelfSign @@ -721,7 +737,7 @@ dbus.Array([], signature=dbus.Signature('s')) [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.refresh ] 1 -/org/fedorahosted/certmonger/cas/CA2: warning: property org.fedorahosted.certmonger.ca.scep-ca-identifier not settable on this object +/org/fedorahosted/certmonger/cas/CA2: property org.fedorahosted.certmonger.ca.scep-cipher not set: (, x) [ /org/fedorahosted/certmonger/cas/CA3: org.freedesktop.DBus.Introspectable.Introspect ] @@ -754,6 +770,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + 
@@ -798,6 +817,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + @@ -806,6 +827,9 @@ dbus.Array([], signature=dbus.Signature('s')) +[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ] +$tmpdir/cas/20180327134236-1 + [ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ] IPA @@ -859,6 +883,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + @@ -903,6 +930,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + @@ -911,6 +940,9 @@ dbus.Array([], signature=dbus.Signature('s')) +[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ] +$tmpdir/cas/20180327134236-2 + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ] certmaster @@ -964,6 +996,9 @@ dbus.Array([], signature=dbus.Signature('s')) + + + @@ -1008,6 +1043,8 @@ dbus.Array([], signature=dbus.Signature('s')) + + @@ -1016,6 +1053,9 @@ dbus.Array([], signature=dbus.Signature('s')) +[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ] +$tmpdir/cas/20180327134236-3 + [ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ] dogtag-ipa-renew-agent diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh index 567e610..a36cd5a 100755 --- a/tests/033-scep/run.sh +++ b/tests/033-scep/run.sh @@ -103,7 +103,7 @@ check_nonce() { fi } -set_digest md5 +set_digest sha256 $toolsdir/scepgen ca entry > scepdata echo "[req, no trust root]" @@ -135,7 +135,7 @@ grep ^gic: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r mini. check_failed echo OK echo "[req, old root]" -set_digest md5 +set_digest sha256 $toolsdir/scepgen ca entry > scepdata if test x`grep ^req: scepdata | cut -f2- -d:` = x ; then echo missing req @@ -145,7 +145,7 @@ check_verified check_msgtype $SCEP_MSGTYPE_PKCSREQ check_txid check_nonce -check_digest md5 +check_digest sha256 echo OK echo "[gic, old trust root]" set_digest sha1 
diff --git a/tests/run-tests.sh b/tests/run-tests.sh
index 7490e75..580a965 100755
--- a/tests/run-tests.sh
+++ b/tests/run-tests.sh
@@ -78,7 +78,9 @@ for testid in "$@" $subdirs ; do
 if ! test -s "$i" ; then
 break
 fi
- if cmp -s "$tmpfile" "$i" 2> /dev/null ; then
+ # This regex needs to be ignored since it is dynamically created at
+ # every CA creation
+ if diff -q -I "tmpdir/cas/[[:digit:]]\+" "$tmpfile" "$i" 2> /dev/null ; then
 stat=0
 echo "OK"
 cp $tmpfile "$builddir"/"$testid"/actual.out
From 6a13fb01badbf90f390c4673a35218f62be4a415 Mon Sep 17 00:00:00 2001
From: Trevor Vaughan
Date: Apr 11 2018 20:28:17 +0000
Subject: [PATCH 6/6] Add cipher and digest difference messages
Ensure that users know that AES is the cipher and SHA is the digest when CA capabilities are not supported.
Ref #89
---
diff --git a/src/scepgen-o.c b/src/scepgen-o.c
index 6073c81..010abb7 100644
--- a/src/scepgen-o.c
+++ b/src/scepgen-o.c
@@ -492,7 +492,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
 }
 if (cipher == cm_prefs_nocipher) {
 /* Per the latest Draft RFC */
- cm_log(1, "Could not determine supported CA capabilities, using AES256.\n");
+ cm_log(1, "Could not determine supported CA capabilities, using cipher AES256.\n");
 cipher = cm_prefs_aes256;
 }
 }
@@ -569,7 +569,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
 if (digest == cm_prefs_nodigest) {
 /* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */
 /* https://www.ietf.org/id/draft-gutmann-scep-10.txt */
- cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n");
+ cm_log(1, "Could not determine supported CA capabilities, using digest SHA256.\n");
 digest = cm_prefs_sha256;
 }
 }
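Review bot: `diff -I "tmpdir/cas/[[:digit:]]\+"` ignores every differing line that matches the pattern, so a wrong or missing value on the new `get_config_file_path` lines, which is exactly what the expected.out hunks add, can never fail a test; `-q` also prints "Files ... differ" on stdout where `cmp -s` was silent, and the comment says the regex is ignored when it is the matching lines that are. Normalising the generated name keeps the check strict: run `sed 's#cas/[[:digit:]]\+[-0-9]*#cas/TIMESTAMP#'` over both `"$tmpfile"` and `"$i"` into temporaries and `cmp -s` those, with expected.out committed in the normalised form. Note the current pattern is unanchored and also matches `$tmpdir/cas/20180327134236-1` and any other line containing such a path. The surrounding for loop starts and ends outside the hunk.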