[SSSD] [sssd PR#837][synchronized] p11_child: make OCSP digest configurable
URL: https://github.com/SSSD/sssd/pull/837
Author: sumit-bose
Title: #837: p11_child: make OCSP digest configurable
Action: synchronized
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/837/head:pr837
git checkout pr837
From d8d0835c60a7907f2243bb2abee1de380281b2fc Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 25 Jun 2019 12:46:10 +0200
Subject: [PATCH 1/3] utils: remove unused prototype (cert_to_ssh_key)
This is a leftover from a previous cleanup done in the context of https://pagure.io/SSSD/sssd/issue/3489.
---
src/util/cert.h | 5 -
1 file changed, 5 deletions(-)
diff --git a/src/util/cert.h b/src/util/cert.h
index d528029561..2fccc8be9f 100644
--- a/src/util/cert.h
+++ b/src/util/cert.h
@@ -48,11 +48,6 @@ errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx, const uint8_t *blob, size_t blob_size, char **_str);
-errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
-const uint8_t *der_blob, size_t der_size,
-struct cert_verify_opts *cert_verify_opts,
-uint8_t **key, size_t *key_size);
-
errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx, uint8_t *der_blob, size_t der_size, uint8_t **key_blob, size_t *key_size);
From 6d37b395ab2b09a47090ad2857b2ba7c0746f825 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 25 Jun 2019 12:57:29 +0200
Subject: [PATCH 2/3] utils: move parse_cert_verify_opts() into separate file
parse_cert_verify_opts() is only used by p11_child, so it makes sense to move the sources nearer together. The related test is still in test_utils but it can be split out as well if there are more p11_child related unit tests.
Related to https://pagure.io/SSSD/sssd/issue/4032
---
Makefile.am| 11 ++
src/p11_child/p11_child.h | 11 ++
src/p11_child/p11_child_common_utils.c | 182 +
src/tests/cmocka/test_utils.c | 1 +
src/util/util.c| 153 -
src/util/util.h| 11 --
6 files changed, 205 insertions(+), 164 deletions(-)
create mode 100644 src/p11_child/p11_child_common_utils.c
diff --git a/Makefile.am b/Makefile.am
index 39cdaa1fa3..5ad959c6b4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3036,12 +3036,22 @@ test_ipa_idmap_LDADD = \
test_utils_SOURCES = \
src/tests/cmocka/test_utils.c \
src/tests/cmocka/test_string_utils.c \
+src/p11_child/p11_child_common_utils.c \
$(NULL)
if BUILD_SSH
test_utils_SOURCES += src/tests/cmocka/test_sss_ssh.c
endif
test_utils_CFLAGS = \
$(AM_CFLAGS)
+if HAVE_NSS
+test_utils_CFLAGS += \
+$(NSS_CFLAGS) \
+$(NULL)
+else
+test_utils_CFLAGS += \
+$(P11_KIT_CFLAGS) \
+$(NULL)
+endif
test_utils_LDADD = \
$(CMOCKA_LIBS) \
$(POPT_LIBS) \
@@ -4667,6 +4677,7 @@ proxy_child_LDADD = \
p11_child_SOURCES = \
src/p11_child/p11_child_common.c \
+src/p11_child/p11_child_common_utils.c \
src/util/atomic_io.c \
src/util/util.c \
src/util/util_ext.c \
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
index 92ecf74a89..d31a76f92d 100644
--- a/src/p11_child/p11_child.h
+++ b/src/p11_child/p11_child.h
@@ -30,6 +30,14 @@ #define PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME 3
struct p11_ctx;
+struct cert_verify_opts {
+bool do_ocsp;
+bool do_verification;
+char *ocsp_default_responder;
+char *ocsp_default_responder_signing_cert;
+char *crl_file;
+};
+
enum op_mode {
OP_NONE,
OP_AUTH,
@@ -55,4 +63,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, enum op_mode mode, const char *pin, const char *module_name_in, const char *token_name_in, const char *key_id_in, const char *uri, char **_multi);
+
+errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
+ struct cert_verify_opts **cert_verify_opts);
#endif /* __P11_CHILD_H__ */
diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
new file mode 100644
index 00..0374eff0ab
--- /dev/null
+++ b/src/p11_child/p11_child_common_utils.c
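Review bot: The `struct cert_verify_opts` and `parse_cert_verify_opts()` declarations that the p11_child.h hunks turn into header-level API carry no comment on what `verify_opts` accepts, who owns the struct returned through `**cert_verify_opts`, or what the two boolean members control, even though by their names `do_verification = false` switches off certificate validation and `do_ocsp = false` switches off revocation checking (inferred from the member names; the implementation is not in this hunk). Since these are the knobs that weaken smart-card authentication, I would annotate them at the declaration, e.g. `bool do_ocsp;          /* false: skip OCSP revocation checks */` and `bool do_verification;  /* false: skip certificate validation -- debugging only */`, and add a block comment above the prototype stating that the result is presumably talloc-allocated on `mem_ctx` (as the TALLOC_CTX parameter suggests; confirm) and listing the accepted option keywords. The `do_card()` prototype in the second hunk's label starts outside the changed lines; the hunk itself is complete.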
@@ -0,0 +1,182 @@
+/*
+SSSD
+
+Helper child to commmunicate with SmartCard -- common code
+
+Authors:
+Sumit Bose
+
+Copyright (C) 2019 Red Hat
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A
[SSSD] [sssd PR#837][synchronized] p11_child: make OCSP digest configurable
URL: https://github.com/SSSD/sssd/pull/837
Author: sumit-bose
Title: #837: p11_child: make OCSP digest configurable
Action: synchronized
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/837/head:pr837
git checkout pr837
From 2b2a5b135d454cde6dc7132e9e63481201b8a4c7 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 25 Jun 2019 12:46:10 +0200
Subject: [PATCH 1/3] utils: remove unused prototype (cert_to_ssh_key)
This is a leftover from a previous cleanup done in the context of https://pagure.io/SSSD/sssd/issue/3489.
---
src/util/cert.h | 5 -
1 file changed, 5 deletions(-)
diff --git a/src/util/cert.h b/src/util/cert.h
index d528029561..2fccc8be9f 100644
--- a/src/util/cert.h
+++ b/src/util/cert.h
@@ -48,11 +48,6 @@ errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx, const uint8_t *blob, size_t blob_size, char **_str);
-errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
-const uint8_t *der_blob, size_t der_size,
-struct cert_verify_opts *cert_verify_opts,
-uint8_t **key, size_t *key_size);
-
errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx, uint8_t *der_blob, size_t der_size, uint8_t **key_blob, size_t *key_size);
From a17e5e6f78304fd457beae9fef885d6644cab330 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 25 Jun 2019 12:57:29 +0200
Subject: [PATCH 2/3] utils: move parse_cert_verify_opts() into separate file
parse_cert_verify_opts() is only used by p11_child, so it makes sense to move the sources nearer together. The related test is still in test_utils but it can be split out as well if there are more p11_child related unit tests.
Related to https://pagure.io/SSSD/sssd/issue/4032
---
Makefile.am| 11 ++
src/p11_child/p11_child.h | 11 ++
src/p11_child/p11_child_common_utils.c | 182 +
src/tests/cmocka/test_utils.c | 1 +
src/util/util.c| 153 -
src/util/util.h| 11 --
6 files changed, 205 insertions(+), 164 deletions(-)
create mode 100644 src/p11_child/p11_child_common_utils.c
diff --git a/Makefile.am b/Makefile.am
index 043a7ebb44..fa28b1dfd5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3034,12 +3034,22 @@ test_ipa_idmap_LDADD = \
test_utils_SOURCES = \
src/tests/cmocka/test_utils.c \
src/tests/cmocka/test_string_utils.c \
+src/p11_child/p11_child_common_utils.c \
$(NULL)
if BUILD_SSH
test_utils_SOURCES += src/tests/cmocka/test_sss_ssh.c
endif
test_utils_CFLAGS = \
$(AM_CFLAGS)
+if HAVE_NSS
+test_utils_CFLAGS += \
+$(NSS_CFLAGS) \
+$(NULL)
+else
+test_utils_CFLAGS += \
+$(P11_KIT_CFLAGS) \
+$(NULL)
+endif
test_utils_LDADD = \
$(CMOCKA_LIBS) \
$(POPT_LIBS) \
@@ -4660,6 +4670,7 @@ proxy_child_LDADD = \
p11_child_SOURCES = \
src/p11_child/p11_child_common.c \
+src/p11_child/p11_child_common_utils.c \
src/util/atomic_io.c \
src/util/util.c \
src/util/util_ext.c \
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
index 92ecf74a89..d31a76f92d 100644
--- a/src/p11_child/p11_child.h
+++ b/src/p11_child/p11_child.h
@@ -30,6 +30,14 @@ #define PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME 3
struct p11_ctx;
+struct cert_verify_opts {
+bool do_ocsp;
+bool do_verification;
+char *ocsp_default_responder;
+char *ocsp_default_responder_signing_cert;
+char *crl_file;
+};
+
enum op_mode {
OP_NONE,
OP_AUTH,
@@ -55,4 +63,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, enum op_mode mode, const char *pin, const char *module_name_in, const char *token_name_in, const char *key_id_in, const char *uri, char **_multi);
+
+errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
+ struct cert_verify_opts **cert_verify_opts);
#endif /* __P11_CHILD_H__ */
diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
new file mode 100644
index 00..0374eff0ab
--- /dev/null
+++ b/src/p11_child/p11_child_common_utils.c
@@ -0,0 +1,182 @@
+/*
+SSSD
+
+Helper child to commmunicate with SmartCard -- common code
+
+Authors:
+Sumit Bose
+
+Copyright (C) 2019 Red Hat
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A