From 3c763332adc224d0e325502cb3e5b97d4155bb0c Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Fri, 7 Aug 2015 13:40:41 +0200

Subject: [PATCH] Remove rekey feature

https://bugzilla.redhat.com/show_bug.cgi?id=1250397

---

 src/certmonger-scep-submit.8.in |  8 --------

 src/certmonger.conf.5.in        | 19 -------------------

 src/getcert-add-scep-ca.1.in    |  8 --------

 src/getcert.c                   |  3 ---

 src/prefs.c                     | 27 +--------------------------

 src/scep.c                      |  5 -----

 src/submit-e.c                  |  6 ------

 src/tdbush.c                    | 10 +---------

 tests/010-iterate/expected.out  | 14 +++++---------

 tests/028-dbus/expected.out     |  6 ------

 tests/036-getcert/expected.out  | 26 ++++++++++++++------------

 tests/037-rekey2/expected.out   |  4 ++--

 12 files changed, 23 insertions(+), 113 deletions(-)

diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in

index 7319c6a..31203c3 100644

--- a/src/certmonger-scep-submit.8.in

+++ b/src/certmonger-scep-submit.8.in

@@ -80,14 +80,6 @@ When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to

 specify the CA identifier which is passed to the server as part of the client's

 request.  The default is "0".

 .TP

-\fB\-n\fR

-The SCEP Renewal feature allows a client with a previously-issued certificate

-to use that certificate and the associated private key to request a new

-certificate for a different key pair, and can be used to support

-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for

-it.  This option forces the \fIscep-submit\fR helper to prefer to issue

-requests which do not make use of this feature.

-.TP

 \fB-v\fR

 Increases the logging level.  Use twice for more logging.  This option

 is mainly useful for troubleshooting.

diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in

index 241f48b..e1220f1 100644

--- a/src/certmonger.conf.5.in

+++ b/src/certmonger.conf.5.in

@@ -72,25 +72,6 @@ These are the trust attributes which are applied to certificates which are not

 necessarily to be trusted, when they are saved to NSS databases.  The default

 is \fI,,\fP.

-.IP max_key_use_count

-When attempting to replace a certificate, if \fIcertmonger\fR has previously

-obtained at least this number of certificates using the current key pair, it

-will generate a new key pair to use before proceeding.  There is effectively no

-default for this setting.

-

-.IP max_key_lifetime

-The amount of time after a key was first generated when \fIcertmonger\fR will

-attempt to generate a new key pair to replace it, as part of the process of

-replacing a certificate.

-The value is specified as a combination of years (y), months (M), weeks (w),

-days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is

-specified, seconds are assumed.

-The date when a key was generated is not recorded if the key was not generated

-by \fIcertmonger\fR, or if the key was generated with a version of

-\fIcertmonger\fR older than 0.78, and for those cases, this option has no

-effect.

-There is effectively no default for this setting.

-

 .SH SELFSIGN

 Within the \fIselfsign\fR section, these variables and values are recognized:

diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in

index f07b900..64f0f5e 100644

--- a/src/getcert-add-scep-ca.1.in

+++ b/src/getcert-add-scep-ca.1.in

@@ -46,14 +46,6 @@ A CA identifier value which will passed to the server when the

 \fIscep-submit\fR helper is used to retrieve copies of the server's

 certificates.

 .TP

-\fB\-n\fR

-The SCEP Renewal feature allows a client with a previously-issued certificate

-to use that certificate and the associated private key to request a new

-certificate for a different key pair, and can be used to support

-\fIcertmonger\fR's rekeying feature if the SCEP server advertises support for

-it.  This option forces the \fIscep-submit\fR helper to issue requests without

-making use of this feature.

-.TP

 \fB\-v\fR

 Be verbose about errors.  Normally, the details of an error received from

 the daemon will be suppressed if the client can make a diagnostic suggestion.

diff --git a/src/getcert.c b/src/getcert.c

index 26a88f3..966ff41 100644

--- a/src/getcert.c

+++ b/src/getcert.c

@@ -4663,7 +4663,6 @@ static struct {

 	{"start-tracking", start_tracking},

 	{"stop-tracking", stop_tracking},

 	{"resubmit", resubmit},

-	{"rekey", rekey},

 	{"refresh", refresh},

 	{"list", list},

 	{"status", status},

@@ -5087,8 +5086,6 @@ help(const char *twopartcmd, const char *category)

 		 N_("stop monitoring a certificate\n")},

 		{"resubmit", resubmit_help,

 		 N_("resubmit an in-progress enrollment request, or start a new one\n")},

-		{"rekey", rekey_help,

-		 N_("generate a new private key and replace a certificate\n")},

 		{"refresh", refresh_help,

 		 N_("check on the status of an in-progress enrollment request\n")},

 		{"list", list_help,

diff --git a/src/prefs.c b/src/prefs.c

index ab363bb..0a8e166 100644

--- a/src/prefs.c

+++ b/src/prefs.c

@@ -545,36 +545,11 @@ cm_prefs_nss_other_trust(void)

 long long

 prefs_key_end_of_life(time_t ref)

 {

-	const char *cfg;

-	time_t tmp;

-

-	tmp = -1;

-	cfg = cm_prefs_config(NULL, "max_key_lifetime");

-	if (cfg != NULL) {

-		if (cm_submit_u_delta_from_string(cfg, ref, &tmp) == 0) {

-			return tmp;

-		}

-	}

 	return -1;

 }

 long

 prefs_max_key_use_count(void)

 {

-	static long count = -2;

-	long tmp;

-	const char *cfg;

-	char *p;

-

-	if (count == -2) {

-		count = -1;

-		cfg = cm_prefs_config(NULL, "max_key_use_count");

-		if (cfg != NULL) {

-			tmp = strtol(cfg, &p, 10);

-			if ((p != NULL) && (*p == '\0')) {

-				count = tmp;

-			}

-		}

-	}

-	return count;

+	return -1;

 }

diff --git a/src/scep.c b/src/scep.c

index d3bbc05..11f9ae3 100644

--- a/src/scep.c

+++ b/src/scep.c

@@ -231,7 +231,6 @@ main(int argc, const char **argv)

 		{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},

 		{"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},

 		{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},

-		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},

 		{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},

 		POPT_AUTOHELP

 		POPT_TABLEEND

@@ -255,8 +254,6 @@ main(int argc, const char **argv)

 			message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV);

 			if (message == NULL) {

 				message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);

-			} else {

-				rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);

 			}

 		} else

 		if (strcasecmp(mode, CM_OP_POLL) == 0) {

@@ -264,8 +261,6 @@ main(int argc, const char **argv)

 			message = getenv(CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV);

 			if (message == NULL) {

 				message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);

-			} else {

-				rekey_message = getenv(CM_SUBMIT_SCEP_PKCSREQ_ENV);

 			}

 		} else

 		if (strcasecmp(mode, CM_OP_FETCH_SCEP_CA_CERTS) == 0) {

diff --git a/src/submit-e.c b/src/submit-e.c

index befd01e..af05efe 100644

--- a/src/submit-e.c

+++ b/src/submit-e.c

@@ -446,12 +446,6 @@ cm_submit_e_need_scep_messages(struct cm_submit_state *state)

 static int

 cm_submit_e_need_rekey(struct cm_submit_state *state)

 {

-	int status;

-	status = cm_subproc_get_exitstatus(state->subproc);

-	if (WIFEXITED(status) &&

-	    (WEXITSTATUS(status) == CM_SUBMIT_STATUS_NEED_REKEY)) {

-		return 0;

-	}

 	return -1;

 }

diff --git a/src/tdbush.c b/src/tdbush.c

index 7fb3d16..04fe57e 100644

--- a/src/tdbush.c

+++ b/src/tdbush.c

@@ -7164,14 +7164,6 @@ cm_tdbush_iface_request(void)

 										     cm_tdbush_method_arg_out,

 										     NULL))),

 								     NULL),

-				     make_interface_item(cm_tdbush_interface_method,

-							 make_method("rekey",

-								     request_rekey,

-								     make_method_arg("working",

-										     DBUS_TYPE_BOOLEAN_AS_STRING,

-										     cm_tdbush_method_arg_out,

-										     NULL),

-								     NULL),

 				     make_interface_item(cm_tdbush_interface_method,

 							 make_method("resubmit",

 								     request_resubmit,

@@ -7227,7 +7219,7 @@ cm_tdbush_iface_request(void)

 				     make_interface_item(cm_tdbush_interface_signal,

 							 make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED,

 								     NULL),

-							 NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));

+							 NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));

 	}

 	return ret;

 }

diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out

index bd57a01..85d07b3 100644

--- a/tests/010-iterate/expected.out

+++ b/tests/010-iterate/expected.out

@@ -398,19 +398,15 @@ HAVE_CSR

 -START-

 NEED_TO_SUBMIT

 SUBMITTING

-NEED_KEY_PAIR

+NEED_GUIDANCE

 -STOP-

-NEED_KEY_PAIR

+NEED_GUIDANCE

 -START-

-GENERATING_KEY_PAIR

-HAVE_KEY_PAIR

-NEED_KEYINFO

+NEED_GUIDANCE

 -STOP-

-NEED_KEYINFO

+NEED_GUIDANCE

 -START-

-READING_KEYINFO

-HAVE_KEYINFO

-NEED_CSR

+NEED_GUIDANCE

 -STOP-

 [Enroll until we notice we have no specified CA.]

diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out

index 8a81a7f..4c33e9a 100644

--- a/tests/028-dbus/expected.out

+++ b/tests/028-dbus/expected.out

@@ -404,9 +404,6 @@ OK

    <arg name="status" type="b" direction="out"/>

    <arg name="path" type="o" direction="out"/>

   </method>

-  <method name="rekey">

-   <arg name="working" type="b" direction="out"/>

-  </method>

   <method name="resubmit">

    <arg name="working" type="b" direction="out"/>

   </method>

@@ -484,9 +481,6 @@ recently

 1 on /org/fedorahosted/certmonger/requests/Request2

 After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)

-[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]

-1

-

 [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.resubmit ]

 1

diff --git a/tests/036-getcert/expected.out b/tests/036-getcert/expected.out

index c1a13c8..b6d1eaf 100644

--- a/tests/036-getcert/expected.out

+++ b/tests/036-getcert/expected.out

@@ -11,20 +11,21 @@ certs:1

 keys:1

 -----BEGIN PRIVATE KEY-----

 [Files, rekey]

-Resubmitting "first" to "local".

 certs:1

 -----BEGIN CERTIFICATE-----

 keys:1

 -----BEGIN PRIVATE KEY-----

+ERROR: keys were not changed on rekey

+ERROR: cert was not changed on rekey

 [Files, rekey with preserve=1]

-Resubmitting "first" to "local".

 certs:1

 -----BEGIN CERTIFICATE-----

-keys:2

------BEGIN PRIVATE KEY-----

+keys:1

 -----BEGIN PRIVATE KEY-----

+ERROR: keys were not changed on rekey

+ERROR: cert was not changed on rekey

+ERROR: old keys were not saved on rekey

 [Files, rekey with jerk CA]

-Resubmitting "first" to "jerkca".

 certs:1

 -----BEGIN CERTIFICATE-----

 keys:1

@@ -44,30 +45,31 @@ pk12util: PKCS12 EXPORT SUCCESSFUL

 cert:1

 key:1

 [Database, rekey]

-Resubmitting "first" to "local".

 certs:1

 keys:1

 pk12util: PKCS12 EXPORT SUCCESSFUL

 cert:1

 key:1

+ERROR: keys were not changed on rekey

+ERROR: cert was not changed on rekey

 [Database, rekey with preserve=1]

-Resubmitting "first" to "local".

 certs:1

-keys:2

+keys:1

 pk12util: PKCS12 EXPORT SUCCESSFUL

 cert:1

 key:1

+ERROR: keys were not changed on rekey

+ERROR: cert was not changed on rekey

+ERROR: old keys were not saved on rekey

 [Database, rekey with jerk CA]

-Resubmitting "first" to "jerkca".

 certs:1

-keys:3

+keys:1

 pk12util: PKCS12 EXPORT SUCCESSFUL

 cert:1

 key:1

 [Database, rekey with jerk CA, nonpreserving]

-Resubmitting "first" to "jerkca".

 certs:1

-keys:3

+keys:1

 pk12util: PKCS12 EXPORT SUCCESSFUL

 cert:1

 key:1

diff --git a/tests/037-rekey2/expected.out b/tests/037-rekey2/expected.out

index bd8cca7..62a1c74 100644

--- a/tests/037-rekey2/expected.out

+++ b/tests/037-rekey2/expected.out

@@ -112,7 +112,7 @@ MONITORING

 -STOP-

 MONITORING

 -START-

-NEED_KEY_PAIR

+NEED_CSR

 -STOP-

 [Uses = 2.]

 NEED_KEY_PAIR

@@ -228,6 +228,6 @@ MONITORING

 -STOP-

 MONITORING

 -START-

-NEED_KEY_PAIR

+NEED_CSR

 -STOP-

 Test complete.

-- 

2.14.4