[certmonger] check for errors from X509_REQ_to_X509()
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Nov 27 23:55:00 UTC 2012
commit d7b55107b26a745df6e1d25f1d7e49ece4e1aa79
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Tue Nov 27 18:54:12 2012 -0500
check for errors from X509_REQ_to_X509()
backport a change from git to report X509_REQ_to_X509() failures as
CA-rejected-our-request failures
certmonger-x509-req-to-x509.patch | 23 ++++++++++++++++++++++-
certmonger.spec | 1 +
2 files changed, 23 insertions(+), 1 deletions(-)
---
diff --git a/certmonger-x509-req-to-x509.patch b/certmonger-x509-req-to-x509.patch
index f550c56..2dfaf66 100644
--- a/certmonger-x509-req-to-x509.patch
+++ b/certmonger-x509-req-to-x509.patch
@@ -6,11 +6,17 @@ Date: Tue Nov 27 12:18:51 2012 -0500
check for errors from X509_REQ_to_X509()
+commit 8a8a95489bb35271542999d07bdd62d7aca177ac
+Author: Nalin Dahyabhai <nalin at redhat.com>
+Date: Tue Nov 27 18:32:06 2012 -0500
+
+ present failure to self-sign as rejection
+
diff --git a/src/submit-so.c b/src/submit-so.c
index 7ad799e..39c3d33 100644
--- a/src/submit-so.c
+++ b/src/submit-so.c
-@@ -117,45 +117,51 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+@@ -117,45 +117,52 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cert = X509_REQ_to_X509(req,
0,
pkey);
@@ -88,6 +94,7 @@ index 7ad799e..39c3d33 100644
+ cm_log(1, "Error building "
+ "certificate from "
+ "signing request.\n");
++ status = 2;
+ }
- /* finish up */
- X509_sign(cert, pkey,
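Review bot: the bare literal in `status = 2;` in the certificate-building failure branch is a contract with cm_submit_so_rejected(), which tests `WEXITSTATUS(status) != 2` later in this same patch, yet nothing at this assignment says so. Use one named constant at both sites (for instance a hypothetical `CM_SO_STATUS_REJECTED`), or at least comment the assignment, so that a later change to the helper's exit codes does not silently stop this failure from being reported as a rejection.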
@@ -96,3 +103,17 @@ index 7ad799e..39c3d33 100644
} else {
cm_log(1, "Error reading "
"signing request.\n");
+@@ -260,7 +261,12 @@ static int
+ cm_submit_so_rejected(struct cm_store_entry *entry,
+ struct cm_submit_state *state)
+ {
+- return -1; /* it never gets rejected */
++ int status;
++ status = cm_subproc_get_exitstatus(entry, state->subproc);
++ if (!WIFEXITED(status) || (WEXITSTATUS(status) != 2)) {
++ return -1; /* it should never get rejected */
++ }
++ return 0;
+ }
+
+ /* Check if the CA was unreachable. */
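Review bot: the comment kept on the `return -1;` path of cm_submit_so_rejected(), `/* it should never get rejected */`, no longer matches the function, which now returns 0 when the subprocess exits with status 2. Reword it to say what -1 means here (the helper did not exit normally with the rejection status) and document the 0 / -1 return convention above the function. The `2` in the `WEXITSTATUS(status) != 2` test should also come from the same definition as the `status = 2;` assignment in cm_submit_so_main() rather than being a second literal.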
diff --git a/certmonger.spec b/certmonger.spec
index 3991203..4ca086d 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -206,6 +206,7 @@ exit 0
* Tue Nov 27 2012 Nalin Dahyabhai <nalin at redhat.com> 0.61-3
- backport change from git to not choke if X509_REQ_to_X509() fails when we're
self-signing using OpenSSL
+- backport another change from git to represent this as a CA-rejected error
* Mon Sep 24 2012 Nalin Dahyabhai <nalin at redhat.com> 0.61-1
- fix a regression in reading old request tracking files where the
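Review bot: the new changelog line is appended to the existing 0.61-3 entry, and the diffstat shows it as the only change to certmonger.spec, so Release is not bumped by this commit. If 0.61-3 has already been built, give this backport its own release and changelog entry; otherwise a package with the rejection handling cannot be told apart by version-release from one without it.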