[certmonger] check for errors from X509_REQ_to_X509()

Nalin Dahyabhai nalin at fedoraproject.org
Tue Nov 27 23:55:00 UTC 2012


commit d7b55107b26a745df6e1d25f1d7e49ece4e1aa79
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Tue Nov 27 18:54:12 2012 -0500

    check for errors from X509_REQ_to_X509()
    
    backport a change from git to report X509_REQ_to_X509() failures as
    CA-rejected-our-request failures

 certmonger-x509-req-to-x509.patch |   23 ++++++++++++++++++++++-
 certmonger.spec                   |    1 +
 2 files changed, 23 insertions(+), 1 deletions(-)
---
diff --git a/certmonger-x509-req-to-x509.patch b/certmonger-x509-req-to-x509.patch
index f550c56..2dfaf66 100644
--- a/certmonger-x509-req-to-x509.patch
+++ b/certmonger-x509-req-to-x509.patch
@@ -6,11 +6,17 @@ Date:   Tue Nov 27 12:18:51 2012 -0500
 
     check for errors from X509_REQ_to_X509()
 
+commit 8a8a95489bb35271542999d07bdd62d7aca177ac
+Author: Nalin Dahyabhai <nalin at redhat.com>
+Date:   Tue Nov 27 18:32:06 2012 -0500
+
+    present failure to self-sign as rejection
+
 diff --git a/src/submit-so.c b/src/submit-so.c
 index 7ad799e..39c3d33 100644
 --- a/src/submit-so.c
 +++ b/src/submit-so.c
-@@ -117,45 +117,51 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+@@ -117,45 +117,52 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
  							cert = X509_REQ_to_X509(req,
  										0,
  										pkey);
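Review bot: the inner `index 7ad799e..39c3d33 100644` line for src/submit-so.c is carried over unchanged while the inner hunk for cm_submit_so_main() grows from 51 to 52 lines, so the recorded post-image blob id no longer describes what this patch file produces. patch(1) ignores that line, so the build is unaffected, but regenerating the file from the two upstream commits would keep the header and the hunk counts consistent with the content.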
@@ -88,6 +94,7 @@ index 7ad799e..39c3d33 100644
 +								cm_log(1, "Error building "
 +								       "certificate from "
 +								       "signing request.\n");
++								status = 2;
 + 							}
 -							/* finish up */
 -							X509_sign(cert, pkey,
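Review bot: `status = 2;` in the X509_REQ_to_X509() failure branch is a bare literal that the parent later matches with `WEXITSTATUS(status) != 2` in cm_submit_so_rejected(), so the two sides can drift apart without any compile-time signal. A shared named constant for the "rejected" exit code would tie them together. It is also worth confirming, outside the lines shown here, that nothing between this assignment and the child's exit overwrites status.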
@@ -96,3 +103,17 @@ index 7ad799e..39c3d33 100644
  						} else {
  							cm_log(1, "Error reading "
  							       "signing request.\n");
+@@ -260,7 +261,12 @@ static int
+ cm_submit_so_rejected(struct cm_store_entry *entry,
+ 		      struct cm_submit_state *state)
+ {
+-	return -1; /* it never gets rejected */
++	int status;
++	status = cm_subproc_get_exitstatus(entry, state->subproc);
++	if (!WIFEXITED(status) || (WEXITSTATUS(status) != 2)) {
++		return -1; /* it should never get rejected */
++	}
++	return 0;
+ }
+ 
+ /* Check if the CA was unreachable. */
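Review bot: in cm_submit_so_rejected() the comment on `return -1; /* it should never get rejected */` now sits on the not-rejected path of a function that can return 0 for a rejection, so it reads backwards; wording such as "not a rejection" would match the new behaviour. The "Error reading signing request" branch in the context lines above does not show a matching status assignment, so if that failure is meant to stay a non-rejection, a short comment there would make the intent clear. WIFEXITED() and WEXITSTATUS() need <sys/wait.h>, and no include is visible in this hunk, so check that src/submit-so.c already pulls it in.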
diff --git a/certmonger.spec b/certmonger.spec
index 3991203..4ca086d 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -206,6 +206,7 @@ exit 0
 * Tue Nov 27 2012 Nalin Dahyabhai <nalin at redhat.com> 0.61-3
 - backport change from git to not choke if X509_REQ_to_X509() fails when we're
   self-signing using OpenSSL
+- backport another change from git to represent this as a CA-rejected error
 
 * Mon Sep 24 2012 Nalin Dahyabhai <nalin at redhat.com> 0.61-1
 - fix a regression in reading old request tracking files where the
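Review bot: the new changelog line is added under the existing 0.61-3 entry, and the diffstat shows it as the only change to certmonger.spec (1 insertion), so Release is not bumped. If 0.61-3 has already been built, this change needs a new Release and its own changelog entry so that the package carrying the rejection handling can be told apart from the earlier build.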

