
From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Tue, 1 Feb 2022 12:40:06 -0500
Subject: [PATCH] swtpm_localca: Test for available issuercert before creating
 CA
Avoid trying to create TPM certificates while the issuer certificate has
not been created, yet (in a 2nd step).
To resolve this do not just test for availability of the signing key, which
is created first, but also test for the issuer certificate, which is created
in a 2nd step when the local CA is created. If either one is missing,
attempt to create the CA.
Resolves: https://github.com/stefanberger/swtpm/issues/644
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
index 037bfd5266bb..089e4e0db4ce 100644
--- a/src/swtpm_localca/swtpm_localca.c
+++ b/src/swtpm_localca/swtpm_localca.c
@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
             goto error;
     }
 
-    if (access(signkey, R_OK) != 0) {
+    if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
         g_autofree gchar *directory = g_path_get_dirname(signkey);
         g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
         g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
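Review bot: The widened condition on the `+` line treats an issuer certificate that exists but is not readable exactly like a missing one, so create_localca_cert() falls through into CA creation in that case, whereas the main() hunk below distinguishes the two with stat() before calling here. Whether that branch then overwrites existing key material depends on the body after the hunk, which is not visible; if main() is intended to be the only caller that makes the distinction, a comment such as `/* caller has already rejected present-but-unreadable files; here "not readable" means "not created yet" */` would make that contract explicit, otherwise the stat() check belongs in this function too. Note also that access(2) evaluates permissions against the real UID, so its answer can differ from what a later open() sees if real and effective IDs ever differ. create_localca_cert() starts before and continues after this hunk.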
@@ -808,13 +808,28 @@ int main(int argc, char *argv[])
         if (ret != 0)
             goto error;
     } else {
+        int create_certs = 0;
+
+        /* create certificate if either the signing key or issuer cert are missing */
         if (access(signkey, R_OK) != 0) {
             if (stat(signkey, &statbuf) == 0) {
                 logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
                        signkey, curr_user ? curr_user->pw_name : "<unknown>");
                 goto error;
             }
+            create_certs = 1;
+        }
+
+        if (access(issuercert, R_OK) != 0) {
+            if (stat(issuercert, &statbuf) == 0) {
+                logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
+                       issuercert, curr_user ? curr_user->pw_name : "<unknown>");
+                goto error;
+            }
+            create_certs = 1;
+        }
 
+        if (create_certs) {
             logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
             if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
                                     issuercert) != 0) {
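Review bot: The added `issuercert` block repeats the `signkey` block above it line for line (access, stat, logerr, goto error, set flag), which invites the two to drift apart the next time the message or the check changes; a small static helper keeps one copy of the access/stat decision while producing byte-identical log output. The new comment also reads `... or issuer cert are missing` — `is missing` is correct, and it is worth saying that "missing" here means access() failed and stat() failed as well, since any other stat() failure (for example an unsearchable parent directory) is also treated as "create". The probe and the later creation remain two separate steps, so the lockfile handed to create_localca_cert() is presumably what keeps two concurrent instances from both deciding to create the CA; that is inferred, not visible in this hunk. main() begins before this hunk and continues after it.
```c
/* Probe PATH for the current user.  Returns 1 if readable, 0 if it does not
 * exist (and therefore has to be created), -1 if it exists but is not
 * readable; in the last case the error has already been logged. */
static int check_readable(const gchar *path, const gchar *what,
                          const struct passwd *curr_user)
{
    struct stat statbuf;

    if (access(path, R_OK) == 0)
        return 1;
    if (stat(path, &statbuf) == 0) {
        logerr(gl_LOGFILE, "Need read rights on %s %s for user %s.\n",
               what, path, curr_user ? curr_user->pw_name : "<unknown>");
        return -1;
    }
    return 0;
}

/* … unchanged: rest of the file up to the else branch in main() … */
    } else {
        int create_certs = 0;
        int rc;

        /* create certificates if either the signing key or issuer cert is missing */
        if ((rc = check_readable(signkey, "signing key", curr_user)) < 0)
            goto error;
        if (rc == 0)
            create_certs = 1;

        if ((rc = check_readable(issuercert, "issuer certificate", curr_user)) < 0)
            goto error;
        if (rc == 0)
            create_certs = 1;

        if (create_certs) {
            /* … unchanged: logit() and the create_localca_cert() call … */
```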
-- 
2.37.0.rc0