diff --git a/SOURCES/genkey.pl b/SOURCES/genkey.pl index 195c096..35c0ecd 100644 --- a/SOURCES/genkey.pl +++ b/SOURCES/genkey.pl @@ -517,18 +517,17 @@ sub getkeysizeWindow() my $title= <Append(@listitems); @@ -537,7 +536,7 @@ EOT $panel->Add(0, 1, $listbox, 0, 0, 1); $panel->Add(0, 2, NextBackCancelButton()); - Newt::newtListboxSetCurrent($listbox->{co}, 1); + Newt::newtListboxSetCurrent($listbox->{co}, 2); $panel->Draw(); @@ -573,9 +572,8 @@ sub customKeySizeWindow() $title = <Get(); $cert{'CN'} = $ents{'CN'}->Get(); + # Escape commas + foreach my $part (keys %cert) { + $cert{$part} =~ s/,/\\\\,/g; + } + # Build the subject from the details $SEP = ", "; @@ -1415,23 +1432,15 @@ sub genReqWindow genRequestOpenSSL($keyfile, $csrfile, $subject, 730, $randfile, $tmpPasswordFile); } - -# Now make a temporary cert - - if (!$genreq_mode) { - if (!-f $certfile) { - if ($nss) { - makeCertNSS($certfile, - $subject, $cert_days, $nssNickname, - $randfile, $tmpPasswordFile); - } else { - makeCertOpenSSL($keyfile,$certfile, - $subject, $cert_days, - $randfile, $tmpPasswordFile); - } - } + + # Now make a temporary cert; skip for OpenSSL since it would + # overwrite the existing key. + if (!$genreq_mode && !-f $certfile && $nss) { + makeCertNSS($certfile, + $subject, $cert_days, $nssNickname, + $randfile, $tmpPasswordFile); } - + undef $csrtext; open(CSR,"<$csrfile"); while() { diff --git a/SOURCES/keyutil.c b/SOURCES/keyutil.c index 1f50d40..eeb2019 100644 --- a/SOURCES/keyutil.c +++ b/SOURCES/keyutil.c @@ -270,7 +270,7 @@ static SECStatus nss_Init_Tokens(secuPWData *pwdata) if (SECSuccess != ret) { if (PR_GetError() == SEC_ERROR_BAD_PASSWORD) { SECU_PrintError(progName ? progName : "keyutil", - "%s: The password for token '%s' is incorrect\n", + "The password for token '%s' is incorrect\n", PK11_GetTokenName(slot)); } status = SECFailure; 
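Review bot: The default key size in the @@ -537 hunk is pinned by the bare index `2` passed to `Newt::newtListboxSetCurrent`, so any later change to the order of `@listitems` (appended to the listbox in the @@ -517 hunk, whose text is garbled in this rendering) silently moves the default without a visible diff here. If the entries carry the bit size, derive the position from the list instead: `my ($default_pos) = grep { $listitems[$_] =~ /\b2048\b/ } 0 .. $#listitems;` then `Newt::newtListboxSetCurrent($listbox->{co}, defined $default_pos ? $default_pos : 0);`. That the intended default is 2048 bits is taken from the spec changelog on this page, not from the hunk, and getkeysizeWindow itself begins outside it.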
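Review bot: The escaping loop added after the `$cert{'CN'} = $ents{'CN'}->Get();` line only escapes commas, so the other characters that separate or quote RFC 1485 name components (`\`, `"`, `+`, `;`, `<`, `>`, `=`) typed into a field pass through unescaped, and a user-entered backslash in particular changes how the character after it is read. Escaping the backslash in the same pass keeps the subject unambiguous: `$cert{$part} =~ s/([\\,])/\\\\$1/g;`. The replacement `\\\\,` puts two literal backslashes before each comma; if that doubling is deliberate because a shell quoting layer consumes one level before keyutil's `CERT_AsciiToName` sees the subject, the `# Escape commas` comment should record it, e.g. `# Escape commas; backslash is doubled because one level is consumed by the shell`. The @@ header for this stretch and the enclosing sub did not survive the rendering, so its exact position in genkey.pl cannot be confirmed from this page.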
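Review bot: The new guard in the @@ -1415 hunk tests `-f $certfile` before the cheap `$nss` flag; putting the mode tests first reads the way the comment describes it and avoids a stat on the OpenSSL path: `if ($nss && !$genreq_mode && !-f $certfile) {`. With the OpenSSL branch removed, `$certfile` is never created on that path, so any later code in genReqWindow (the sub continues past the hunk) that reports or installs it has to tolerate its absence. The CSR is now the only artifact produced here, and the `open(CSR,"<$csrfile")` immediately after the guard is unchecked, so a failed request write would show an empty CSR; `open(CSR, '<', $csrfile) or die "cannot open $csrfile: $!";` surfaces it.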
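Review bot: The corrected format string in the @@ -270 hunk still ends in `\n`, but SECU_PrintErrMsg (secutil.c hunk on this page) follows `vfprintf` with `fprintf(out, ": %s\n", errString)` or `": error %d\n"`, so the NSS error text lands on a separate line that begins with `: `. Drop the trailing newline: `"The password for token '%s' is incorrect",`. The same applies to the messages in the @@ -337, @@ -404, @@ -1497, @@ -1560, @@ -1568 and @@ -1588 hunks of keyutil.c.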
@@ -337,7 +337,7 @@ static SECStatus loadCert( cert = PK11_FindCertFromNickname((char *)nickname, NULL); if (!cert) { SECU_PrintError(progName ? progName : "keyutil", - "%s: Can't find cert named (%s), bailing out\n", nickname); + "Can't find cert named (%s), bailing out\n", nickname); rv = 255; break; } else { @@ -404,7 +404,7 @@ static SECStatus loadKey( rv = PK11_Authenticate(slot, PR_TRUE, pwdata); if (rv != SECSuccess) { SECU_PrintError(progName ? progName : "keyutil", - "Can't authenticate\n", PORT_ErrorToString(rv)); + "Can't authenticate\n"); break; } @@ -1484,7 +1484,7 @@ static int keyutil_main( goto shutdown; } - subject = CERT_AsciiToName((char *)subjectstr); + subject = CERT_AsciiToName(subjectstr); if (!subject) { SECU_PrintError(progName, "Improperly formatted name: \"%s\"\n", subjectstr); @@ -1497,7 +1497,7 @@ static int keyutil_main( outFile = PR_Open(certreqfile, PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, 00660); if (!outFile) { SECU_PrintError(progName, - "%s -o: unable to open \"%s\" for writing (%ld, %ld)\n", + "-o: unable to open \"%s\" for writing (%d, %d)\n", certreqfile, PR_GetError(), PR_GetOSError()); return 255; } @@ -1522,7 +1522,7 @@ static int keyutil_main( keyutil_extns[ext_policyConstr] = PR_FALSE; keyutil_extns[ext_inhibitAnyPolicy] = PR_FALSE; - hashAlgTag = SEC_OID_MD5; + hashAlgTag = SEC_OID_SHA1; /* Make a cert request */ rv = CertReq(privkey, pubkey, rsaKey, hashAlgTag, subject, @@ -1560,7 +1560,7 @@ static int keyutil_main( inFile = PR_Open(certreqfile, PR_RDONLY, 0); assert(inFile); if (!inFile) { - SECU_PrintError(progName, "Failed to open file \"%s\" (%ld, %ld) for reading.\n", + SECU_PrintError(progName, "Failed to open file \"%s\" (%d, %d) for reading.\n", certreqfile, PR_GetError(), PR_GetOSError()); rv = SECFailure; goto shutdown; 
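Review bot: `hashAlgTag = SEC_OID_SHA1;` in the @@ -1522 hunk is passed to `CertReq` as the request signature hash, and SHA-1 is already deprecated for new signatures and refused by public CAs, so the natural default is `hashAlgTag = SEC_OID_SHA256;`. The tag is a hard-coded constant with no way to override it at run time; a command-line switch would let callers choose without a rebuild (the getopt string in the @@ -1681 hunk has spare letters). Whether the temporary self-signed certificate created later in keyutil_main uses the same tag is not visible in these hunks and should be checked at the same time.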
@@ -1568,7 +1568,7 @@ static int keyutil_main( outFile = PR_Open(certfile, PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, 00660); if (!outFile) { - SECU_PrintError(progName, "Failed to open file \"%s\" (%ld, %ld).\n", + SECU_PrintError(progName, "Failed to open file \"%s\" (%d, %d).\n", certfile, PR_GetError(), PR_GetOSError()); rv = SECFailure; goto shutdown; @@ -1588,8 +1588,8 @@ static int keyutil_main( ASCIIForIO,SelfSign,certutil_extns, thecert */ if (rv) { - SECU_PrintError(progName, "Failed to create certificate \"%s\" (%ld).\n", - outFile, PR_GetError()); + SECU_PrintError(progName, "Failed to create certificate \"%s\" (%d).\n", + certreqfile, PR_GetError()); rv = SECFailure; goto shutdown; } @@ -1681,6 +1681,8 @@ int main(int argc, char **argv) CommandType cmd = cmd_CertReq; PRBool initialized = PR_FALSE; + progName = argv[0]; + while ((optc = getopt_long(argc, argv, "atc:rs:g:v:e:f:d:z:i:p:o:k:h", options, NULL)) != -1) { switch (optc) { case 'a': diff --git a/SOURCES/secutil.c b/SOURCES/secutil.c index 0255c60..bc769a5 100644 --- a/SOURCES/secutil.c +++ b/SOURCES/secutil.c @@ -116,15 +116,12 @@ SECU_GetString(int16 error_number) return errString; } -void -SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...) +static void +SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, va_list args) { - va_list args; PRErrorCode err = PORT_GetError(); const char * errString = PORT_ErrorToString(err); - va_start(args, msg); - SECU_Indent(out, level); fprintf(out, "%s: ", progName); vfprintf(out, msg, args); @@ -132,13 +129,15 @@ SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...) fprintf(out, ": %s\n", errString); else fprintf(out, ": error %d\n", (int)err); - - va_end(args); } void SECU_PrintError(char *progName, char *msg, ...) { - SECU_PrintErrMsg(stderr, 0, progName, msg); + va_list args; + + va_start(args, msg); + SECU_PrintErrMsg(stderr, 0, progName, msg, args); + va_end(args); } #define INDENT_MULT 4 
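Review bot: The @@ -1588 hunk replaces the `PRFileDesc *` argument `outFile` with `certreqfile`, but the message reads "Failed to create certificate \"%s\"" and the certificate is written to `certfile` (opened in the @@ -1568 hunk); if the name is meant to identify the output, pass `certfile`: `SECU_PrintError(progName, "Failed to create certificate \"%s\" (%d)",` / `certfile, PR_GetError());`. If the request file is the intended reference, the wording should say so, e.g. `"Failed to create certificate from request \"%s\" (%d)"`. keyutil_main continues outside the hunk.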
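Review bot: `progName = argv[0];` in the @@ -1681 hunk stores the full invocation path and is NULL when the program is started with an empty argv, which the bare `SECU_PrintError(progName, ...)` calls in the @@ -1484 and @@ -1497 hunks then hand straight to `%s`. Fall back and strip the directory: `progName = (argc > 0 && argv[0]) ? argv[0] : "keyutil";` then `if (strrchr(progName, '/')) progName = strrchr(progName, '/') + 1;` (needs `<string.h>` if it is not already included). With that in place the `progName ? progName : "keyutil"` ternaries elsewhere in keyutil.c become redundant and can be removed for consistency.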
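Review bot: The reworked `SECU_PrintErrMsg` in the @@ -116 hunk still prints `progName` with `fprintf(out, "%s: ", progName)` and no NULL check, while its callers in keyutil.c are inconsistent about guarding it; centralising the fallback here, `fprintf(out, "%s: ", progName ? progName : "keyutil");`, protects every caller at once. The function now takes a `va_list`, so by the `vfprintf` naming convention a `v` in the name (`SECU_vPrintErrMsg`) would signal that at the call site. If secutil.h still carries a prototype for the old variadic `SECU_PrintErrMsg`, the new `static` definition will conflict with it; the secutil.h hunk on this page does not show that region, so this needs checking.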
diff --git a/SOURCES/secutil.h b/SOURCES/secutil.h index 3a416f2..e601a40 100644 --- a/SOURCES/secutil.h +++ b/SOURCES/secutil.h @@ -89,10 +89,13 @@ extern char *SECU_NoPassword(PK11SlotInfo *slot, PRBool retry, void *arg); extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg); /* print out an error message */ -extern void SECU_PrintError(char *progName, char *msg, ...); + +extern void SECU_PrintError(char *progName, char *msg, ...) + __attribute__((format(printf, 2, 3))); /* print out a system error message */ -extern void SECU_PrintSystemError(char *progName, char *msg, ...); +extern void SECU_PrintSystemError(char *progName, char *msg, ...) + __attribute__((format(printf, 2, 3))); /* Read the contents of a file into a SECItem */ extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src); diff --git a/SPECS/crypto-utils.spec b/SPECS/crypto-utils.spec index 6d6d0e6..e702fcd 100644 --- a/SPECS/crypto-utils.spec +++ b/SPECS/crypto-utils.spec @@ -4,7 +4,7 @@ Summary: SSL certificate and key management utilities Name: crypto-utils Version: 2.4.1 -Release: 39%{?dist} +Release: 42%{?dist} Group: Applications/System License: MIT and GPLv2+ and MPLv1.0 @@ -127,6 +127,23 @@ chmod -R u+w $RPM_BUILD_ROOT %{perl_vendorarch}/auto/Crypt %changelog +* Thu Feb 13 2014 Joe Orton - 2.4.1-42 +- genkey: skip cert generation after CSR for OpenSSL (#1039896) +- keyutil: fix error reporting (#1039896) + +* Fri Jan 24 2014 Daniel Mach - 2.4.1-41 +- Mass rebuild 2014-01-24 + +* Wed Jan 22 2014 Joe Orton - 2.4.1-40.2 +- genkey: further improvement to wording around key size (#1039896) + +* Wed Jan 22 2014 Joe Orton - 2.4.1-40.1 +- keyutil: use SHA1 as default hash in created certs (#1030470) +- genkey: default to 2048 bit keysize (#1039896) + +* Fri Dec 27 2013 Daniel Mach - 2.4.1-40 +- Mass rebuild 2013-12-27 + * Sat Feb 23 2013 Elio Maldonado - 2.4.1-39 - Resolves: rhbz#862430 - CVE-2012-3504 - insecure temporary file usage in genkey
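Review bot: The `__attribute__((format(printf, 2, 3)))` added to both prototypes in the @@ -89 hunk is GCC/Clang syntax applied unconditionally, so the header stops compiling on any other compiler. It is the right check to add — it is exactly what would have flagged the argument mismatches fixed in keyutil.c at compile time — so keep it but route it through a macro that degrades to nothing elsewhere, defined once near the top of the header. Whether `-Wformat` is enabled in the build is not visible on this page and is worth confirming so the attribute actually produces warnings.
```c
#if defined(__GNUC__) || defined(__clang__)
#define SECU_PRINTF_LIKE(fmt, first) __attribute__((format(printf, fmt, first)))
#else
#define SECU_PRINTF_LIKE(fmt, first)
#endif

/* … unchanged: other declarations … */

/* print out an error message */
extern void SECU_PrintError(char *progName, char *msg, ...)
    SECU_PRINTF_LIKE(2, 3);

/* print out a system error message */
extern void SECU_PrintSystemError(char *progName, char *msg, ...)
    SECU_PRINTF_LIKE(2, 3);
```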