From afe1fc05a5da349c3e24e8c96b1e185e4da53613 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 17 Aug 2017 11:38:43 +1000
Subject: [PATCH] MS cert template: add D-Bus property and storage
Add a D-Bus property and storage for a new template attribute, which
will hold data to be included in CSRs in the MS V2 certificate
template extension.
The server does not validate the extension data (validation
behaviour is implemented in a subsequent commit).
Part of: https://pagure.io/certmonger/issue/78
---
doc/api.txt | 2 ++
src/store-files.c | 10 ++++++++++
src/store-int.h | 1 +
src/tdbus.h | 1 +
src/tdbush.c | 29 ++++++++++++++++++++++++++++-
tests/028-dbus/expected.out | 1 +
6 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/doc/api.txt b/doc/api.txt
index 31016be..83cf375 100644
--- a/doc/api.txt
+++ b/doc/api.txt
@@ -56,6 +56,7 @@ o object layout
{("template-crldp"),array-of-string (CRL distribution point URIs)}
{("template-ns-comment"),string (Netscape comment)}
{("template-profile"),string (certificate profile)}
+ {("template-ms-certificate-template"),string (MS V2 template specifier; format: <oid>:<major-version>[:<minor-version>] )}
{("template-issuer"),string (requested issuer)}
{("template-challenge-password"),string (password to add to CSR)}
{("template-challenge-password-file"),string (password file)
@@ -165,6 +166,7 @@ o object layout
{("template-crldp"),array-of-string (CRL distribution point URIs)}
{("template-ns-comment"),string (Netscape comment)}
{("template-profile"),string (certificate profile)}
+ {("template-ms-certificate-template"),string (MS V2 template specifier; format: <oid>:<major-version>[:<minor-version>] )}
{("template-issuer"),string (requested issuer)}
{("template-challenge-password"),string (password to add to CSR)}
{("template-challenge-password-file"),string (password file)
diff --git a/src/store-files.c b/src/store-files.c
index 889829c..977e896 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -130,6 +130,7 @@ enum cm_store_file_field {
cm_store_entry_field_template_ns_comment,
cm_store_entry_field_template_profile,
cm_store_entry_field_template_issuer,
+ cm_store_entry_field_template_certificate_template,
cm_store_entry_field_template_no_ocsp_check,
cm_store_entry_field_template_ns_certtype,
@@ -305,6 +306,7 @@ static struct cm_store_file_field_list {
{cm_store_entry_field_template_profile, "template_profile"}, /* right */
{cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */
{cm_store_entry_field_template_issuer, "template_issuer"},
+ {cm_store_entry_field_template_certificate_template, "template_certificate_template"},
{cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"},
{cm_store_entry_field_template_ns_certtype, "template_ns_certtype"},
@@ -1129,6 +1131,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp)
case cm_store_entry_field_template_profile:
ret->cm_template_profile = free_if_empty(p);
break;
+ case cm_store_entry_field_template_certificate_template:
+ ret->cm_template_certificate_template = free_if_empty(p);
+ break;
case cm_store_entry_field_template_issuer:
ret->cm_template_issuer = free_if_empty(p);
break;
@@ -1375,6 +1380,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp)
case cm_store_entry_field_template_ocsp_location:
case cm_store_entry_field_template_ns_comment:
case cm_store_entry_field_template_profile:
+ case cm_store_entry_field_template_certificate_template:
case cm_store_entry_field_template_issuer:
case cm_store_entry_field_template_no_ocsp_check:
case cm_store_entry_field_template_ns_certtype:
@@ -1984,6 +1990,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry)
entry->cm_template_no_ocsp_check ? 1 : 0);
cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype,
entry->cm_template_ns_certtype);
+ cm_store_file_write_str(fp, cm_store_entry_field_template_certificate_template,
+ entry->cm_template_certificate_template);
cm_store_file_write_str(fp, cm_store_entry_field_challenge_password,
entry->cm_template_challenge_password);
@@ -2745,6 +2753,8 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry)
ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile);
ret->cm_template_issuer = cm_store_maybe_strdup(ret, entry->cm_template_issuer);
ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check;
+ ret->cm_template_certificate_template =
+ cm_store_maybe_strdup(ret, entry->cm_template_certificate_template);
ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret,
entry->cm_template_ns_certtype);
diff --git a/src/store-int.h b/src/store-int.h
index 2d3a353..98b37e6 100644
--- a/src/store-int.h
+++ b/src/store-int.h
@@ -144,6 +144,7 @@ struct cm_store_entry {
char *cm_template_profile;
char *cm_template_issuer;
char *cm_template_ns_certtype;
+ char *cm_template_certificate_template;
unsigned int cm_template_no_ocsp_check: 1;
/* A challenge password, which may be included (in cleartext form!) in
* a CSR. */
diff --git a/src/tdbus.h b/src/tdbus.h
index 496f2dd..7164f11 100644
--- a/src/tdbus.h
+++ b/src/tdbus.h
@@ -110,6 +110,7 @@
#define CM_DBUS_PROP_TEMPLATE_PROFILE "template-profile"
#define CM_DBUS_PROP_TEMPLATE_ISSUER "template-issuer"
#define CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE "template-ns-certtype"
+#define CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE "template-ms-certificate-template"
#define CM_DBUS_SIGNAL_REQUEST_CERT_SAVED "SavedCertificate"
#define CM_DBUS_PROP_CA_PRESAVE_COMMAND "ca-presave-command"
#define CM_DBUS_PROP_CA_PRESAVE_UID "ca-presave-uid"
diff --git a/src/tdbush.c b/src/tdbush.c
index 631da3e..94bf793 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -1568,6 +1568,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
new_entry->cm_template_issuer = maybe_strdup(new_entry,
param->value.s);
}
+ param = cm_tdbusm_find_dict_entry(d,
+ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
+ cm_tdbusm_dict_s);
+ if (param != NULL) {
+ // TODO check validity
+ new_entry->cm_template_certificate_template = maybe_strdup(new_entry,
+ param->value.s);
+ }
param = cm_tdbusm_find_dict_entry(d,
CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD,
cm_tdbusm_dict_s);
@@ -3320,6 +3328,17 @@ request_modify(DBusConnection *conn, DBusMessage *msg,
propname[n_propname++] = CM_DBUS_PROP_TEMPLATE_ISSUER;
}
} else
+ if ((param->value_type == cm_tdbusm_dict_s) &&
+ (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE) == 0)) {
+ talloc_free(entry->cm_template_certificate_template);
+ // TODO check validity
+ entry->cm_template_certificate_template =
+ maybe_strdup(entry, param->value.s);
+ if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) {
+ propname[n_propname++] =
+ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE;
+ }
+ } else
if ((param->value_type == cm_tdbusm_dict_s) &&
(strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD) == 0)) {
talloc_free(entry->cm_template_challenge_password);
@@ -6734,6 +6753,14 @@ cm_tdbush_iface_request(void)
offsetof(struct cm_store_entry, cm_template_issuer),
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL),
+ make_interface_item(cm_tdbush_interface_property,
+ make_property(CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
+ cm_tdbush_property_string,
+ cm_tdbush_property_readwrite,
+ cm_tdbush_property_char_p,
+ offsetof(struct cm_store_entry, cm_template_certificate_template),
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL),
make_interface_item(cm_tdbush_interface_property,
make_property(CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE,
cm_tdbush_property_string,
@@ -7179,7 +7206,7 @@ cm_tdbush_iface_request(void)
make_interface_item(cm_tdbush_interface_signal,
make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED,
NULL),
- NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
+ NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
}
return ret;
}
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index 93cc4d1..8a81a7f 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -330,6 +330,7 @@ OK
<property name="template-ns-comment" type="s" access="readwrite"/>
<property name="template-profile" type="s" access="readwrite"/>
<property name="template-issuer" type="s" access="readwrite"/>
+ <property name="template-ms-certificate-template" type="s" access="readwrite"/>
<property name="template-ns-certtype" type="s" access="readwrite"/>
<property name="template-challenge-password" type="s" access="readwrite"/>
<property name="template-challenge-password-file" type="s" access="readwrite"/>
--
2.14.4