[SSSD] [sssd PR#837][synchronized] p11_child: make OCSP digest configurable

2019-08-06 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/837
Author: sumit-bose
 Title: #837: p11_child: make OCSP digest configurable
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/837/head:pr837
git checkout pr837
From d8d0835c60a7907f2243bb2abee1de380281b2fc Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 25 Jun 2019 12:46:10 +0200
Subject: [PATCH 1/3] utils: remove unused prototype (cert_to_ssh_key)

This is a leftover from a previous cleanup done in the context of
https://pagure.io/SSSD/sssd/issue/3489.
---
 src/util/cert.h | 5 -
 1 file changed, 5 deletions(-)

diff --git a/src/util/cert.h b/src/util/cert.h
index d528029561..2fccc8be9f 100644
--- a/src/util/cert.h
+++ b/src/util/cert.h
@@ -48,11 +48,6 @@ errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx,
  const uint8_t *blob, size_t blob_size,
  char **_str);
 
-errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
-const uint8_t *der_blob, size_t der_size,
-struct cert_verify_opts *cert_verify_opts,
-uint8_t **key, size_t *key_size);
-
 errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx,
   uint8_t *der_blob, size_t der_size,
   uint8_t **key_blob, size_t *key_size);

From 6d37b395ab2b09a47090ad2857b2ba7c0746f825 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 25 Jun 2019 12:57:29 +0200
Subject: [PATCH 2/3] utils: move parse_cert_verify_opts() into separate file

parse_cert_verify_opts() is only used by p11_child, so it makes sense to
move the sources closer together. The related test is still in
test_utils but it can be split out as well if there are more p11_child
related unit tests.

Related to https://pagure.io/SSSD/sssd/issue/4032
---
 Makefile.am|  11 ++
 src/p11_child/p11_child.h  |  11 ++
 src/p11_child/p11_child_common_utils.c | 182 +
 src/tests/cmocka/test_utils.c  |   1 +
 src/util/util.c| 153 -
 src/util/util.h|  11 --
 6 files changed, 205 insertions(+), 164 deletions(-)
 create mode 100644 src/p11_child/p11_child_common_utils.c

diff --git a/Makefile.am b/Makefile.am
index 39cdaa1fa3..5ad959c6b4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3036,12 +3036,22 @@ test_ipa_idmap_LDADD = \
 test_utils_SOURCES = \
 src/tests/cmocka/test_utils.c \
 src/tests/cmocka/test_string_utils.c \
+src/p11_child/p11_child_common_utils.c \
 $(NULL)
 if BUILD_SSH
 test_utils_SOURCES += src/tests/cmocka/test_sss_ssh.c
 endif
 test_utils_CFLAGS = \
 $(AM_CFLAGS)
+if HAVE_NSS
+test_utils_CFLAGS += \
+$(NSS_CFLAGS) \
+$(NULL)
+else
+test_utils_CFLAGS += \
+$(P11_KIT_CFLAGS) \
+$(NULL)
+endif
 test_utils_LDADD = \
 $(CMOCKA_LIBS) \
 $(POPT_LIBS) \
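Review bot: The new conditional gives test_utils the NSS or p11-kit include flags, but test_utils_LDADD, which continues past the end of this hunk, is not visibly given the matching `$(NSS_LIBS)` / `$(P11_KIT_LIBS)`; if the code moved into p11_child_common_utils.c calls into either library the test binary will fail to link, and if the flags are only needed because p11_child.h pulls in those headers the asymmetry deserves a comment. A one-line comment above the `if HAVE_NSS` block would settle it for the next reader: `# p11_child.h includes NSS / p11-kit headers, so test_utils needs their include paths even though it links neither`. The same hunk appears again in the second copy of this mail (the Makefile.am hunk ending at `$(POPT_LIBS)` under the 2019-07-01 thread).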
@@ -4667,6 +4677,7 @@ proxy_child_LDADD = \
 
 p11_child_SOURCES = \
 src/p11_child/p11_child_common.c \
+src/p11_child/p11_child_common_utils.c \
 src/util/atomic_io.c \
 src/util/util.c \
 src/util/util_ext.c \
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
index 92ecf74a89..d31a76f92d 100644
--- a/src/p11_child/p11_child.h
+++ b/src/p11_child/p11_child.h
@@ -30,6 +30,14 @@
 #define PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME 3
 struct p11_ctx;
 
+struct cert_verify_opts {
+bool do_ocsp;
+bool do_verification;
+char *ocsp_default_responder;
+char *ocsp_default_responder_signing_cert;
+char *crl_file;
+};
+
 enum op_mode {
 OP_NONE,
 OP_AUTH,
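Review bot: `struct cert_verify_opts` is moved into this public header without any comment on what its fields mean, which matters here because `do_ocsp` and `do_verification` are the switches that decide whether a certificate presented to p11_child is actually checked. A short block comment above the struct should state that the two booleans enable OCSP checking and chain verification respectively, that the three `char *` members are the corresponding optional overrides (responder URL, responder signing certificate, CRL file), and that the struct and its strings are presumably talloc-allocated by parse_cert_verify_opts() — confirm the ownership from the implementation. The header also relies on `bool` being in scope; its include list is outside this hunk, so check that `<stdbool.h>` (or a util header providing it) is already included. The same struct is added again in the second copy of this mail further down the page.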
@@ -55,4 +63,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
 enum op_mode mode, const char *pin,
 const char *module_name_in, const char *token_name_in,
 const char *key_id_in, const char *uri, char **_multi);
+
+errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
+   struct cert_verify_opts **cert_verify_opts);
 #endif /* __P11_CHILD_H__ */
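Review bot: The new prototype of `parse_cert_verify_opts()` carries no contract, so a caller cannot tell from the header what happens to `*cert_verify_opts` on failure or which defaults apply when `verify_opts` is NULL or empty — the defaults are the security-relevant part, since they decide whether verification and OCSP are on when the option is unset. Proposed doc comment above the prototype: `/* Parse the certificate_verification option string into a talloc-allocated struct cert_verify_opts under mem_ctx. Returns EOK on success; document the defaults used when verify_opts is NULL/empty and whether *cert_verify_opts is touched on error. */`. The same prototype is added again in the second copy of this mail further down the page.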
diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
new file mode 100644
index 00..0374eff0ab
--- /dev/null
+++ b/src/p11_child/p11_child_common_utils.c
@@ -0,0 +1,182 @@
+/*
+SSSD
+
+Helper child to commmunicate with SmartCard -- common code
+
+Authors:
+Sumit Bose 
+
+Copyright (C) 2019 Red Hat
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A 

[SSSD] [sssd PR#837][synchronized] p11_child: make OCSP digest configurable

2019-07-01 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/837
Author: sumit-bose
 Title: #837: p11_child: make OCSP digest configurable
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/837/head:pr837
git checkout pr837
From 2b2a5b135d454cde6dc7132e9e63481201b8a4c7 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 25 Jun 2019 12:46:10 +0200
Subject: [PATCH 1/3] utils: remove unused prototype (cert_to_ssh_key)

This is a leftover from a previous cleanup done in the context of
https://pagure.io/SSSD/sssd/issue/3489.
---
 src/util/cert.h | 5 -
 1 file changed, 5 deletions(-)

diff --git a/src/util/cert.h b/src/util/cert.h
index d528029561..2fccc8be9f 100644
--- a/src/util/cert.h
+++ b/src/util/cert.h
@@ -48,11 +48,6 @@ errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx,
  const uint8_t *blob, size_t blob_size,
  char **_str);
 
-errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
-const uint8_t *der_blob, size_t der_size,
-struct cert_verify_opts *cert_verify_opts,
-uint8_t **key, size_t *key_size);
-
 errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx,
   uint8_t *der_blob, size_t der_size,
   uint8_t **key_blob, size_t *key_size);

From a17e5e6f78304fd457beae9fef885d6644cab330 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 25 Jun 2019 12:57:29 +0200
Subject: [PATCH 2/3] utils: move parse_cert_verify_opts() into separate file

parse_cert_verify_opts() is only used by p11_child, so it makes sense to
move the sources closer together. The related test is still in
test_utils but it can be split out as well if there are more p11_child
related unit tests.

Related to https://pagure.io/SSSD/sssd/issue/4032
---
 Makefile.am|  11 ++
 src/p11_child/p11_child.h  |  11 ++
 src/p11_child/p11_child_common_utils.c | 182 +
 src/tests/cmocka/test_utils.c  |   1 +
 src/util/util.c| 153 -
 src/util/util.h|  11 --
 6 files changed, 205 insertions(+), 164 deletions(-)
 create mode 100644 src/p11_child/p11_child_common_utils.c

diff --git a/Makefile.am b/Makefile.am
index 043a7ebb44..fa28b1dfd5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3034,12 +3034,22 @@ test_ipa_idmap_LDADD = \
 test_utils_SOURCES = \
 src/tests/cmocka/test_utils.c \
 src/tests/cmocka/test_string_utils.c \
+src/p11_child/p11_child_common_utils.c \
 $(NULL)
 if BUILD_SSH
 test_utils_SOURCES += src/tests/cmocka/test_sss_ssh.c
 endif
 test_utils_CFLAGS = \
 $(AM_CFLAGS)
+if HAVE_NSS
+test_utils_CFLAGS += \
+$(NSS_CFLAGS) \
+$(NULL)
+else
+test_utils_CFLAGS += \
+$(P11_KIT_CFLAGS) \
+$(NULL)
+endif
 test_utils_LDADD = \
 $(CMOCKA_LIBS) \
 $(POPT_LIBS) \
@@ -4660,6 +4670,7 @@ proxy_child_LDADD = \
 
 p11_child_SOURCES = \
 src/p11_child/p11_child_common.c \
+src/p11_child/p11_child_common_utils.c \
 src/util/atomic_io.c \
 src/util/util.c \
 src/util/util_ext.c \
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
index 92ecf74a89..d31a76f92d 100644
--- a/src/p11_child/p11_child.h
+++ b/src/p11_child/p11_child.h
@@ -30,6 +30,14 @@
 #define PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME 3
 struct p11_ctx;
 
+struct cert_verify_opts {
+bool do_ocsp;
+bool do_verification;
+char *ocsp_default_responder;
+char *ocsp_default_responder_signing_cert;
+char *crl_file;
+};
+
 enum op_mode {
 OP_NONE,
 OP_AUTH,
@@ -55,4 +63,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
 enum op_mode mode, const char *pin,
 const char *module_name_in, const char *token_name_in,
 const char *key_id_in, const char *uri, char **_multi);
+
+errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
+   struct cert_verify_opts **cert_verify_opts);
 #endif /* __P11_CHILD_H__ */
diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
new file mode 100644
index 00..0374eff0ab
--- /dev/null
+++ b/src/p11_child/p11_child_common_utils.c
@@ -0,0 +1,182 @@
+/*
+SSSD
+
+Helper child to commmunicate with SmartCard -- common code
+
+Authors:
+Sumit Bose 
+
+Copyright (C) 2019 Red Hat
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A