From 199a97c11d4fc3a9e0f10e4eebf44f9f3841f8b1 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Fri, 18 Aug 2017 13:03:05 +1000

Subject: [PATCH] MS cert template: add option to command line programs

Add the --ms-template-spec command line argument for specifying the

value of the V2 Certificate Template extension.

Part of: https://pagure.io/certmonger/issue/78

---

 src/getcert-request.1.in        |  6 ++++++

 src/getcert-resubmit.1.in       |  6 ++++++

 src/getcert-start-tracking.1.in |  6 ++++++

 src/getcert.c                   | 46 +++++++++++++++++++++++++++++++++++++++++

 4 files changed, 64 insertions(+)

diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in

index b6578dc..8269b78 100644

--- a/src/getcert-request.1.in

+++ b/src/getcert-request.1.in

@@ -88,6 +88,12 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR.

 Request a certificate using the named profile, template, or certtype,

 from the specified CA.

 .TP

+\fB\-\-ms-template-spec\fR SPEC

+Include a V2 Certificate Template extension in the signing request.

+This datum includes an Object Identifier, a major version number

+(positive integer) and an optional minor version number.  The format

+is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.

+.TP

 \fB\-X\fR NAME

 Request a certificate using the named issuer from the specified CA.

diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in

index 165940e..62d5f28 100644

--- a/src/getcert-resubmit.1.in

+++ b/src/getcert-resubmit.1.in

@@ -48,6 +48,12 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR.

 Request a certificate using the named profile, template, or certtype,

 from the specified CA.

 .TP

+\fB\-\-ms-template-spec\fR SPEC

+Include a V2 Certificate Template extension in the signing request.

+This datum includes an Object Identifier, a major version number

+(positive integer) and an optional minor version number.  The format

+is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.

+.TP

 \fB\-X\fR NAME

 Request a certificate using the named issuer from the specified CA.

 .TP

diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in

index a46f535..9daeed3 100644

--- a/src/getcert-start-tracking.1.in

+++ b/src/getcert-start-tracking.1.in

@@ -86,6 +86,12 @@ useful in combination with \fB\-r\fR.

 Request a certificate using the named profile, template, or certtype,

 from the specified CA.

 .TP

+\fB\-\-ms-template-spec\fR SPEC

+Include a V2 Certificate Template extension in the signing request.

+This datum includes an Object Identifier, a major version number

+(positive integer) and an optional minor version number.  The format

+is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.

+.TP

 \fB\-X\fR NAME

 Request a certificate using the named issuer from the specified CA.

diff --git a/src/getcert.c b/src/getcert.c

index c84273a..5277a15 100644

--- a/src/getcert.c

+++ b/src/getcert.c

@@ -692,6 +692,7 @@ request(const char *argv0, int argc, const char **argv)

 	int keysize = 0, auto_renew = 1, verbose = 0, ku = 0, kubit, c, i, j;

 	char *ca = DEFAULT_CA, *subject = NULL, **eku = NULL, *oid, *id = NULL;

 	char *profile = NULL, *issuer = NULL, kustring[16];

+	char *ms_template_spec = NULL;

 	char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL;

 	char *key_owner = NULL, *key_perms = NULL;

 	char *cert_owner = NULL, *cert_perms = NULL;

@@ -732,6 +733,7 @@ request(const char *argv0, int argc, const char **argv)

 		{"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME},

 #endif

 		{"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME},

+		{"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME},

 		{"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME},

 		{"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=<hostname>)"), HELP_TYPE_SUBJECT},

 		{"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU},

@@ -859,6 +861,9 @@ request(const char *argv0, int argc, const char **argv)

 		case 'T':

 			profile = talloc_strdup(globals.tctx, poptarg);

 			break;

+		case 'Y':

+			ms_template_spec = talloc_strdup(globals.tctx, poptarg);

+			break;

 		case 'X':

 			issuer = talloc_strdup(globals.tctx, poptarg);

 			break;

@@ -1293,6 +1298,13 @@ request(const char *argv0, int argc, const char **argv)

 		params[i] = &param[i];

 		i++;

 	}

+	if (ms_template_spec != NULL) {

+		param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE;

+		param[i].value_type = cm_tdbusm_dict_s;

+		param[i].value.s = ms_template_spec;

+		params[i] = &param[i];

+		i++;

+	}

 	if (issuer != NULL) {

 		param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER;

 		param[i].value_type = cm_tdbusm_dict_s;

@@ -1492,6 +1504,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id,

 		  char *pin, char *pinfile,

 		  char *cpass, char *cpassfile,

 		  char *ca, char *profile, char *issuer,

+		  char *ms_template_spec,

 		  char *precommand, char *postcommand,

 		  char **anchor_dbs, char **anchor_files,

 		  dbus_bool_t auto_renew_stop, int waitreq,

@@ -1655,6 +1668,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id,

 		params[i] = &param[i];

 		i++;

 	}

+	if (ms_template_spec != NULL) {

+		param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE;

+		param[i].value_type = cm_tdbusm_dict_s;

+		param[i].value.s = ms_template_spec;

+		params[i] = &param[i];

+		i++;

+	}

 	if (issuer != NULL) {

 		param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER;

 		param[i].value_type = cm_tdbusm_dict_s;

@@ -1745,6 +1765,7 @@ set_tracking(const char *argv0, const char *category,

 	char *id = NULL, *new_id = NULL, *new_request;

 	char *keyfile = NULL, *certfile = NULL, *ca = DEFAULT_CA;

 	char *profile = NULL, *issuer = NULL;

+	char *ms_template_spec = NULL;

 	char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL;

 	char *key_owner = NULL, *key_perms = NULL;

 	char *cert_owner = NULL, *cert_perms = NULL;

@@ -1785,6 +1806,7 @@ set_tracking(const char *argv0, const char *category,

 		{"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME},

 #endif

 		{"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME},

+		{"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME},

 		{"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME},

 		{"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("override requested key usage value"), HELP_TYPE_KU},

 		{"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("override requested extended key usage OID"), HELP_TYPE_EKU},

@@ -1887,6 +1909,9 @@ set_tracking(const char *argv0, const char *category,

 		case 'T':

 			profile = talloc_strdup(globals.tctx, poptarg);

 			break;

+		case 'Y':

+			ms_template_spec = talloc_strdup(globals.tctx, poptarg);

+			break;

 		case 'i':

 			id = talloc_strdup(globals.tctx, poptarg);

 			break;

@@ -2311,6 +2336,7 @@ set_tracking(const char *argv0, const char *category,

 						 pin, pinfile,

 						 cpass, cpassfile,

 						 ca, profile, issuer,

+						 ms_template_spec,

 						 precommand, postcommand,

 						 anchor_dbs, anchor_files,

 						 (auto_renew_stop > 0),

@@ -2386,6 +2412,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,

 	char *subject = NULL, **eku = NULL, *oid = NULL;

 	char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL;

 	char *profile = NULL, *issuer = NULL, kustring[16];

+	char *ms_template_spec = NULL;

 	char *key_owner = NULL, *key_perms = NULL;

 	char *cert_owner = NULL, *cert_perms = NULL;

 	char *keytype = NULL;

@@ -2422,6 +2449,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,

 		{"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the current one"), HELP_TYPE_NAME},

 #endif

 		{"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME},

+		{"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME},

 		{"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME},

 		{"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=<hostname>)"), HELP_TYPE_SUBJECT},

 		{"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU},

@@ -2497,6 +2525,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,

 		case 'T':

 			profile = talloc_strdup(globals.tctx, poptarg);

 			break;

+		case 'Y':

+			ms_template_spec = talloc_strdup(globals.tctx, poptarg);

+			break;

 		case 'X':

 			issuer = talloc_strdup(globals.tctx, poptarg);

 			break;

@@ -2861,6 +2892,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,

 		params[i] = &param[i];

 		i++;

 	}

+	if (ms_template_spec != NULL) {

+		param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE;

+		param[i].value_type = cm_tdbusm_dict_s;

+		param[i].value.s = ms_template_spec;

+		params[i] = &param[i];

+		i++;

+	}

 	if (issuer != NULL) {

 		param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER;

 		param[i].value_type = cm_tdbusm_dict_s;

@@ -4677,6 +4715,8 @@ help(const char *twopartcmd, const char *category)

 		N_("  -c CA		use the specified CA rather than the default\n"),

 #endif

 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),

+		N_("  --ms-template-spec SPEC\n"),

+		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

 		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),

 		N_("* Parameters for the signing request:\n"),

 		N_("  -N NAME	set requested subject name (default: CN=<hostname>)\n"),

@@ -4726,6 +4766,8 @@ help(const char *twopartcmd, const char *category)

 		N_("  -c CA		use the specified CA rather than the default\n"),

 #endif

 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),

+		N_("  --ms-template-spec SPEC\n"),

+		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

 		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),

 		N_("* Parameters for the signing request at renewal time:\n"),

 		N_("  -U EXTUSAGE	override requested extended key usage OID\n"),

@@ -4805,6 +4847,8 @@ help(const char *twopartcmd, const char *category)

 		N_("  -c CA		use the specified CA rather than the current one\n"),

 #endif

 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),

+		N_("  --ms-template-spec SPEC\n"),

+		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

 		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),

 		N_("* Bus options:\n"),

 		N_("  -S		connect to the certmonger service on the system bus\n"),

@@ -4853,6 +4897,8 @@ help(const char *twopartcmd, const char *category)

 		N_("  -c CA		use the specified CA rather than the current one\n"),

 #endif

 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),

+		N_("  --ms-template-spec SPEC\n"),

+		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

 		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),

 		N_("  -G TYPE	type of new key to be generated\n"),

 		N_("  -g SIZE	size of new key to be generated\n"),

-- 

1.8.3.1