From me.minus at gmail.com Sat Aug 1 13:25:20 2015
From: me.minus at gmail.com (Magnus Toneby)
Date: Sat, 1 Aug 2015 15:25:20 +0200
Subject: [Pkg-freeipa-devel] ipa-server-installation fails on 'issuing RA agent certificate' step
Message-ID:
I'm trying to install FreeIPA on a debian unstable box (updated today).
I got the changes for getProtocol and they seem to work, but a later stage fails.
Do any of you see the same failure?
I get this in the console:
[18/26]: restarting certificate server
[19/26]: requesting RA certificate from CA
[20/26]: issuing RA agent certificate
['"ipa-ca-agent" [CN=ipa-ca-agent,O=HEMMA]', '', '']
[]
['/usr/bin/sslget', '-v', '-n', 'ipa-ca-agent', '-p', 'XXXXXX', '-d',
'/tmp/tmp-FZybjv', '-r', u'/ca/agent/ca/profileReview?requestId=7',
'host.hostname:8443']
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/usr/bin/sslget' '-v' '-n' 'ipa-ca-agent'
'-p' XXXXXXXX '-d' '/tmp/tmp-FZybjv' '-r'
'/ca/agent/ca/profileReview?requestId=7' 'host.hostname:8443'' returned
non-zero exit status 3
When running the sslget command by hand I get:
Apache Tomcat/7.0.63 (Debian) - Error report
HTTP Status 500 - Servlet execution threw an exception
type Exception report
message Servlet execution threw an exception
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Servlet execution threw an exception
root cause
java.lang.AbstractMethodError: org.apache.tomcat.util.net.jss.JSSSupport.getPeerCertificateChain(Z)[Ljava/lang/Object;
org.apache.coyote.http11.Http11Processor.actionInternal(Http11Processor.java:256)
org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:911)
org.apache.coyote.Request.action(Request.java:347)
org.apache.catalina.connector.Request.getAttribute(Request.java:956)
org.apache.catalina.connector.RequestFacade.getAttribute(RequestFacade.java:283)
com.netscape.cms.servlet.base.CMSServlet.getSSLClientCertificate(CMSServlet.java:858)
com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1743)
com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1685)
com.netscape.cms.servlet.profile.ProfileReviewServlet.process(ProfileReviewServlet.java:114)
com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:513)
javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.63 (Debian) logs.
Apache Tomcat/7.0.63 (Debian)
/minus
From noreply at release.debian.org Sun Aug 9 04:39:04 2015
From: noreply at release.debian.org (Debian testing autoremoval watch)
Date: Sun, 09 Aug 2015 04:39:04 +0000
Subject: [Pkg-freeipa-devel] slapi-nis is marked for autoremoval from testing
Message-ID:
slapi-nis 0.54.2-1 is marked for autoremoval from testing on 2015-09-14
It (build-)depends on packages with these RC bugs:
794301: 389-console: missing bogus dependency
794332: sssd-common: deletes conffile owned by sssd: /etc/logrotate.d/sssd
From ftpmaster at ftp-master.debian.org Tue Aug 11 02:42:06 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 11 Aug 2015 02:42:06 +0000
Subject: [Pkg-freeipa-devel] Processing of nuxwdog_1.0.3-1_amd64.changes
Message-ID:
nuxwdog_1.0.3-1_amd64.changes uploaded successfully to localhost
along with the files:
nuxwdog_1.0.3-1.dsc
nuxwdog_1.0.3.orig.tar.gz
nuxwdog_1.0.3-1.debian.tar.xz
libnuxwdog-dev_1.0.3-1_amd64.deb
libnuxwdog-java_1.0.3-1_amd64.deb
libnuxwdog0_1.0.3-1_amd64.deb
nuxwdog_1.0.3-1_amd64.deb
Greetings,
Your Debian queue daemon (running on host franck.debian.org)
From ftpmaster at ftp-master.debian.org Tue Aug 11 03:34:45 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 11 Aug 2015 03:34:45 +0000
Subject: [Pkg-freeipa-devel] nuxwdog_1.0.3-1_amd64.changes REJECTED
Message-ID:
nuxwdog_1.0.3-1.dsc: Does not match file already existing in the pool.
===
Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.
From tjaalton at moszumanska.debian.org Tue Aug 11 06:07:21 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Tue, 11 Aug 2015 06:07:21 +0000
Subject: [Pkg-freeipa-devel] nuxwdog: Changes to 'master'
Message-ID:
debian/changelog | 7 +++++++
debian/control | 3 ++-
2 files changed, 9 insertions(+), 1 deletion(-)
New commits:
commit 92a6ff9a174fec2703df216c82338034b3070091
Author: Timo Aaltonen
Date: Tue Aug 11 09:03:22 2015 +0300
releasing package nuxwdog version 1.0.3-2
diff --git a/debian/changelog b/debian/changelog
index 1f48c3c..0ad8e1e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+nuxwdog (1.0.3-2) unstable; urgency=medium
+
+ * Fix copyright.
+ * control: Fix Depends, and Maintainer.
+
+ -- Timo Aaltonen Tue, 11 Aug 2015 09:03:12 +0300
+
nuxwdog (1.0.3-1) unstable; urgency=low
* Initial release (Closes: #793782)
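Review bot: the 1.0.3-2 entry should say why a second upload with an unchanged orig tarball exists: the -1 upload was rejected because nuxwdog_1.0.3-1.dsc did not match the file already in the pool (ftpmaster mail above), and nothing in this changelog records that. A bullet along the lines of "Re-upload, previous .dsc did not match the pool" keeps it traceable from the changelog alone. Minor: "Fix Depends, and Maintainer" does not need the comma.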
commit c77819450888ce64e0cda9c7bf3e90bd76143927
Author: Timo Aaltonen
Date: Wed Jul 29 09:40:55 2015 +0300
fix maintainer
diff --git a/debian/control b/debian/control
index a490621..caea920 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
Source: nuxwdog
Section: admin
Priority: optional
-Maintainer: Timo Aaltonen
+Maintainer: Debian FreeIPA Team
+Uploaders: Timo Aaltonen
Build-Depends:
ant,
chrpath,
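Review bot: the diffstat (debian/control | 3 ++-) accounts for exactly this Maintainer swap plus the new Uploaders line, so the Depends fix that the changelog credits to control is not in this push; per the tag summary it landed earlier as "jni depends on the lib, add it". Either reference that commit in the changelog bullet or split the bullet, so each claim in the 1.0.3-2 entry maps onto a diff that shipped with it.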
From tjaalton at moszumanska.debian.org Tue Aug 11 06:07:29 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Tue, 11 Aug 2015 06:07:29 +0000
Subject: [Pkg-freeipa-devel] nuxwdog: Changes to 'refs/tags/debian/1.0.3-2'
Message-ID:
Tag 'debian/1.0.3-2' created by Timo Aaltonen at 2015-08-11 06:03 +0000
tagging package nuxwdog version debian/1.0.3-2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=5Sgs
-----END PGP SIGNATURE-----
Changes since the dawn of time:
Timo Aaltonen (9):
Imported Upstream version 1.0.3
remove autogenerated files
initial packaging
run wrap-and-sort -s
releasing package nuxwdog version 1.0.3-1
fix copyright
jni depends on the lib, add it
fix maintainer
releasing package nuxwdog version 1.0.3-2
From ftpmaster at ftp-master.debian.org Tue Aug 11 06:07:34 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 11 Aug 2015 06:07:34 +0000
Subject: [Pkg-freeipa-devel] Processing of nuxwdog_1.0.3-2_amd64.changes
Message-ID:
nuxwdog_1.0.3-2_amd64.changes uploaded successfully to localhost
along with the files:
nuxwdog_1.0.3-2.dsc
nuxwdog_1.0.3.orig.tar.gz
nuxwdog_1.0.3-2.debian.tar.xz
libnuxwdog-dev_1.0.3-2_amd64.deb
libnuxwdog-java_1.0.3-2_amd64.deb
libnuxwdog0_1.0.3-2_amd64.deb
nuxwdog_1.0.3-2_amd64.deb
Greetings,
Your Debian queue daemon (running on host franck.debian.org)
From ftpmaster at ftp-master.debian.org Tue Aug 11 06:19:01 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 11 Aug 2015 06:19:01 +0000
Subject: [Pkg-freeipa-devel] nuxwdog_1.0.3-2_amd64.changes is NEW
Message-ID:
binary:libnuxwdog-dev is NEW.
binary:libnuxwdog-java is NEW.
binary:libnuxwdog0 is NEW.
binary:nuxwdog is NEW.
source:nuxwdog is NEW.
nuxwdog_1.0.3.orig.tar.gz is only available in NEW.
nuxwdog_1.0.3.orig.tar.gz is only available in NEW.
Your package has been put into the NEW queue, which requires manual action
from the ftpteam to process. The upload was otherwise valid (it had a good
OpenPGP signature and file hashes are valid), so please be patient.
Packages are routinely processed through to the archive, and do feel
free to browse the NEW queue[1].
If there is an issue with the upload, you will receive an email from a
member of the ftpteam.
If you have any questions, you may reply to this email.
[1]: https://ftp-master.debian.org/new.html
From ftpmaster at ftp-master.debian.org Tue Aug 11 13:00:24 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 11 Aug 2015 13:00:24 +0000
Subject: [Pkg-freeipa-devel] nuxwdog_1.0.3-2_amd64.changes ACCEPTED into unstable, unstable
Message-ID:
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 11 Aug 2015 09:03:12 +0300
Source: nuxwdog
Binary: nuxwdog libnuxwdog0 libnuxwdog-dev libnuxwdog-java
Architecture: source amd64
Version: 1.0.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team
Changed-By: Timo Aaltonen
Description:
libnuxwdog-dev - Watchdog server -- development headers
libnuxwdog-java - Watchdog server -- Java class
libnuxwdog0 - Watchdog server -- shared library
nuxwdog - Watchdog server -- daemon
Changes:
nuxwdog (1.0.3-2) unstable; urgency=medium
.
* Fix copyright.
* control: Fix Depends, and Maintainer.
Checksums-Sha1:
d25f2dc35820912866c345de6e8d5d360af01e57 2203 nuxwdog_1.0.3-2.dsc
149794e21409fd96f1c735e8ae096695614acf18 371188 nuxwdog_1.0.3.orig.tar.gz
74024395a31fa3a37027faa077d071ac7cdae7ff 3668 nuxwdog_1.0.3-2.debian.tar.xz
cf5513ea61e410682523e47dcee33968a06db068 5632 libnuxwdog-dev_1.0.3-2_amd64.deb
32f013463f0aedb3bac732fd696ada0d64413768 5118 libnuxwdog-java_1.0.3-2_amd64.deb
fd9c9fbfab51f21835f40200975bb8e0516c45f3 10016 libnuxwdog0_1.0.3-2_amd64.deb
09aeb2f386d4da71b1cad5cbe898f94b58b0ba54 27308 nuxwdog_1.0.3-2_amd64.deb
Checksums-Sha256:
c9bbcfbc22c49d06195e0fa99f402b139900212dc259cfc30e57ead0a2a49ada 2203 nuxwdog_1.0.3-2.dsc
c9909c18d34489a56613149fccfa780cd92e5a70881c31f4b960765b4acca3f7 371188 nuxwdog_1.0.3.orig.tar.gz
63f354dfb608fcf8c155c33b58fc1a37459c33983b4a803c5ddba2a18db98248 3668 nuxwdog_1.0.3-2.debian.tar.xz
452b595f2d3dd405ae7666ec3e0c35b2f48abe7b8357bd6db8310fddca9040d8 5632 libnuxwdog-dev_1.0.3-2_amd64.deb
9e04b5e15f59c6184c6b49664b0767bee7be47a0ce5c2360c1c90209084e3493 5118 libnuxwdog-java_1.0.3-2_amd64.deb
d5acfd81e520c70db8e5ee072fc4f9551ad74d36238952d0dd54f5bf41f39d27 10016 libnuxwdog0_1.0.3-2_amd64.deb
a4724c22b02ae0b86efaf8dd2ca688c73ae5afbfbcff26c09fabd0e1c06a897a 27308 nuxwdog_1.0.3-2_amd64.deb
Files:
3a3d3e75be634aa8f38851eb5034b06d 2203 admin optional nuxwdog_1.0.3-2.dsc
ba299fbd7efe9dc7efd963441c0cd825 371188 admin optional nuxwdog_1.0.3.orig.tar.gz
bc91da146e0713dbf709d035439cc291 3668 admin optional nuxwdog_1.0.3-2.debian.tar.xz
e1a8e7e900c27840c71257382bfd5f64 5632 libdevel optional libnuxwdog-dev_1.0.3-2_amd64.deb
34fbe91cd421626f0b0b62ad24445966 5118 java optional libnuxwdog-java_1.0.3-2_amd64.deb
d56c4d1c3d5fb96c28829c0c60ecbdd6 10016 admin optional libnuxwdog0_1.0.3-2_amd64.deb
db84ec21c25c892461234d2d745a0107 27308 admin optional nuxwdog_1.0.3-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=6F1k
-----END PGP SIGNATURE-----
Thank you for your contribution to Debian.
From noreply at release.debian.org Tue Aug 11 16:39:10 2015
From: noreply at release.debian.org (Debian testing watch)
Date: Tue, 11 Aug 2015 16:39:10 +0000
Subject: [Pkg-freeipa-devel] certmonger 0.75.14-4 MIGRATED to testing
Message-ID:
FYI: The status of the certmonger source package
in Debian's testing distribution has changed.
Previous version: 0.75.14-3
Current version: 0.75.14-4
--
This email is automatically generated once a day. As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.
From carnil at debian.org Thu Aug 13 17:33:56 2015
From: carnil at debian.org (Salvatore Bonaccorso)
Date: Thu, 13 Aug 2015 19:33:56 +0200
Subject: [Pkg-freeipa-devel] Bug#795399: freeipa: CVE-2015-5179: non-printable characters aren't checked in every case of user data
Message-ID: <20150813173356.13513.60506.reportbug@eldamar.local>
Source: freeipa
Version: 4.0.5-5
Severity: important
Tags: security upstream
Hi Timo,
the following vulnerability was published for freeipa. I cannot easily
test it for older version 4.0.5, could you confirm that?
CVE-2015-5179[0]:
non-printable characters aren't checked in every case of user data
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-5179
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1252567
Regards,
Salvatore
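The class of check the CVE title refers to, shown as an added illustration: it is constructed for this page and is not FreeIPA's code, the bug report above does not say which FreeIPA code paths were affected, and the attribute names, the sample entries and the "weak" validator are all assumptions. The point it demonstrates is the difference between validating a fixed list of attributes and validating every value of every attribute, including multi-valued ones, with the offending code point reported:

```python
"""Rejecting non-printable characters in user data "in every case".

Constructed example, not FreeIPA code. Entries are LDAP-style dicts mapping an
attribute name to a list of string values; the attribute names are illustrative.
"""
import unicodedata

# Unicode general categories treated as non-printable: C0/C1 controls (Cc),
# format characters such as bidi overrides and zero-width joiners (Cf),
# line/paragraph separators (Zl, Zp), surrogates, private-use and
# unassigned code points (Cs, Co, Cn). Ordinary spaces (Zs) are allowed.
NON_PRINTABLE_CATEGORIES = frozenset({"Cc", "Cf", "Zl", "Zp", "Cs", "Co", "Cn"})


def first_non_printable(value):
    """Return (index, "U+XXXX") for the first non-printable character in
    value, or None when every character is printable."""
    for idx, ch in enumerate(value):
        if unicodedata.category(ch) in NON_PRINTABLE_CATEGORIES:
            return idx, "U+%04X" % ord(ch)
    return None


def validate_entry_weak(entry):
    """The "some cases" pattern (assumed weak validator): only a fixed set of
    attributes is checked, so anything else ("description", "mail", ...)
    passes through untouched."""
    for attr in ("uid", "cn", "sn"):
        for val in entry.get(attr, []):
            if first_non_printable(val) is not None:
                raise ValueError("%s: non-printable character" % attr)
    return True


def validate_entry(entry):
    """The "every case" pattern: walk every attribute and every value of a
    multi-valued attribute, and say exactly where the bad character is."""
    for attr, values in entry.items():
        if isinstance(values, str):
            values = [values]
        for n, val in enumerate(values):
            hit = first_non_printable(val)
            if hit is not None:
                idx, cp = hit
                raise ValueError("%s[%d]: non-printable %s at offset %d"
                                 % (attr, n, cp, idx))
    return True


def check(validator, entry):
    """Run a validator; return its error message, or None when accepted."""
    try:
        validator(entry)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample entries.
CLEAN_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "sn": ["Doe"],
    "description": ["Staff, building 4"],
    "mail": ["jdoe@example.test"],
}

# A CR/LF pair hidden in a free-text attribute the weak validator never looks
# at; wherever the value is later written line-by-line it starts a new record.
SMUGGLED_ENTRY = dict(CLEAN_ENTRY, description=["Staff\r\nuid: admin"])

# A right-to-left override (U+202E, category Cf) in the second value of a
# multi-valued attribute: invisible in most UIs, it reverses what follows.
BIDI_ENTRY = dict(CLEAN_ENTRY, mail=["jdoe@example.test", "x\u202egnp.exe"])

if __name__ == "__main__":
    for name, entry in (("clean", CLEAN_ENTRY), ("smuggled", SMUGGLED_ENTRY),
                        ("bidi", BIDI_ENTRY)):
        print("%-9s weak=%s  full=%s" % (name, check(validate_entry_weak, entry),
                                        check(validate_entry, entry)))
```

Both sample attacks pass the weak validator and are caught by the full one. Python's `str.isprintable()` would do as the per-string test, but it also rejects every non-ASCII space (category Zs, e.g. U+00A0), which is usually too strict for display names; the explicit category set above is the same test minus that.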
From tjaalton at moszumanska.debian.org Sun Aug 16 08:08:03 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Sun, 16 Aug 2015 08:08:03 +0000
Subject: [Pkg-freeipa-devel] certmonger: Changes to 'master'
Message-ID:
certmonger.spec | 7 ++++++-
configure.ac | 2 +-
debian/changelog | 4 ++--
src/getcert.c | 14 ++++++++++++++
src/scep.c | 18 +++++++++---------
5 files changed, 32 insertions(+), 13 deletions(-)
New commits:
commit 306f13c5f9f41dfbfb26b3d0734abf52232f7cf5
Author: Timo Aaltonen
Date: Sun Aug 16 11:02:26 2015 +0300
releasing package certmonger version 0.78.4-1
diff --git a/debian/changelog b/debian/changelog
index ca6b9a0..31d0435 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,9 @@
-certmonger (0.78.4-1) UNRELEASED; urgency=medium
+certmonger (0.78.4-1) unstable; urgency=medium
* New upstream release.
* control: Add libpopt-dev to build-depends.
- -- Timo Aaltonen Tue, 21 Jul 2015 15:15:53 +0300
+ -- Timo Aaltonen Sun, 16 Aug 2015 11:02:04 +0300
certmonger (0.75.14-4) unstable; urgency=medium
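Review bot: "New upstream release" is the only bullet for a jump from 0.75.14 to 0.78.4, and the tag summary further down lists, among 438 upstream commits, a new SCEP enrollment helper (scep-submit), a "local" signer, getcert add-ca/add-scep-ca/modify-ca/remove-ca, and a daemon that auto-spawns when there is no server socket. For an enrollment client that holds private keys those are user-visible behaviour changes; list them here, or at least point at the upstream changelog, so the Debian changelog on its own tells an administrator what changed.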
commit cd752bfb06326d2153b252fc53796c6eb20a37fb
Author: Timo Aaltonen
Date: Sun Aug 16 11:01:58 2015 +0300
update the changelog
diff --git a/debian/changelog b/debian/changelog
index d7d4473..ca6b9a0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-certmonger (0.78.3-1) UNRELEASED; urgency=medium
+certmonger (0.78.4-1) UNRELEASED; urgency=medium
* New upstream release.
* control: Add libpopt-dev to build-depends.
commit 6d8d43041605e178b9aff00229aec6abd83f6c1b
Author: Nalin Dahyabhai
Date: Tue Aug 4 11:15:37 2015 -0400
tag 0.78.4
diff --git a/certmonger.spec b/certmonger.spec
index 0f91fea..2850554 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -25,7 +25,7 @@
%endif
Name: certmonger
-Version: 0.78.3
+Version: 0.78.4
Release: 1%{?dist}
Summary: Certificate status monitor and PKI enrollment client
@@ -242,6 +242,11 @@ exit 0
%endif
%changelog
+* Tue Aug 4 2015 Nalin Dahyabhai 0.78.4-1
+- fix the "getcert start-tracking" -L and -l options (#1249753)
+- output diagnostics about the second request when scep-submit encounters an
+ error during a second request to the SCEP server
+
* Mon Jul 20 2015 Nalin Dahyabhai 0.78.3-1
- call poptGetOptArg() correctly, to fix parsing of the -R flag to scep-submit
and the -O and -o flags to dogtag-submit (#1244914)
diff --git a/configure.ac b/configure.ac
index cc5dcae..986169b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT(certmonger,0.78.3)
+AC_INIT(certmonger,0.78.4)
AM_INIT_AUTOMAKE([foreign subdir-objects])
AC_CONFIG_MACRO_DIR(m4)
AM_MAINTAINER_MODE([enable])
commit a8f847f10f66fc6e0fea45a863827f67132b5fce
Author: Nalin Dahyabhai
Date: Tue Aug 4 10:58:42 2015 -0400
Fix "getcert start-tracking"'s -L and -l options
When "getcert start-tracking" was passing changes in enrollment options
to the "modify" API, it was forgetting to pass in new challenge password
and challenge password file names. Add them (#1249753).
diff --git a/src/getcert.c b/src/getcert.c
index c67d618..49840dd 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -2178,6 +2178,20 @@ set_tracking(const char *argv0, const char *category,
} else {
capath = NULL;
}
+ if (cpass != NULL) {
+ param[i].key = CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD;
+ param[i].value_type = cm_tdbusm_dict_s;
+ param[i].value.s = cpass;
+ params[i] = ¶m[i];
+ i++;
+ }
+ if (cpassfile != NULL) {
+ param[i].key = CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD_FILE;
+ param[i].value_type = cm_tdbusm_dict_s;
+ param[i].value.s = cpassfile;
+ params[i] = ¶m[i];
+ i++;
+ }
if (profile != NULL) {
param[i].key = CM_DBUS_PROP_TEMPLATE_PROFILE;
param[i].value_type = cm_tdbusm_dict_s;
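Review bot: two more entries are appended to param[]/params[] ahead of the existing profile branch, with an unconditional i++ each time, so check that the arrays declared at the top of set_tracking() (not shown in this hunk) were sized with room for them; an overflow here would be silent. Of the two options this enables, -L (cpass) takes the challenge password on the getcert command line, where any local user can read it from the process list, and the value is then carried over D-Bus as a plain string property (cm_tdbusm_dict_s), so any documentation for this should steer people to -l (cpassfile). The "¶m[i]" in the hunk is "&param[i]" mangled by the archive's HTML entity handling, not a change in the source.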
commit fd18c558656c241b806af5c726b873b7fbcad7d3
Author: Nalin Dahyabhai
Date: Mon Jul 27 13:08:59 2015 -0400
When we get an error from a pkcsReq, log correctly
When we get an error in response to a pkcsReq or GetInitialCert message,
log the response text from that request, rather than the capabilities
request that preceded it.
diff --git a/src/scep.c b/src/scep.c
index c5db5dc..d3bbc05 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -1031,8 +1031,8 @@ main(int argc, const char **argv)
cm_log(1, "%s\n", buf);
}
s = cm_store_base64_from_bin(ctx,
- (unsigned char *) results,
- results_length);
+ (unsigned char *) results2,
+ results_length2);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
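Review bot: the same one-token fix (results→results2, results_length→results_length2) has to be applied to an identical five-line "base64 to PEM, print Full reply, free" block in this hunk and in each of the next three, which is a sign the block belongs in one small static helper taking (ctx, buf, len); then the next fix only lands once. Note also that results/results_length from the capabilities request stay live after this change, so there is no new free() to add here.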
@@ -1046,8 +1046,8 @@ main(int argc, const char **argv)
cm_log(1, "%s\n", buf);
}
s = cm_store_base64_from_bin(ctx,
- (unsigned char *) results,
- results_length);
+ (unsigned char *) results2,
+ results_length2);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
@@ -1061,8 +1061,8 @@ main(int argc, const char **argv)
cm_log(1, "%s\n", buf);
}
s = cm_store_base64_from_bin(ctx,
- (unsigned char *) results,
- results_length);
+ (unsigned char *) results2,
+ results_length2);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
@@ -1079,8 +1079,8 @@ main(int argc, const char **argv)
cm_log(1, "%s\n", buf);
}
s = cm_store_base64_from_bin(ctx,
- (unsigned char *) results,
- results_length);
+ (unsigned char *) results2,
+ results_length2);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
@@ -1100,7 +1100,7 @@ main(int argc, const char **argv)
} else {
printf(_("Server reply was of unexpected MIME type "
"\"%s\".\n"), content_type);
- printf("Full reply:\n%.*s", results_length, results);
+ printf("Full reply:\n%.*s", results_length2, results2);
return CM_SUBMIT_STATUS_UNREACHABLE;
}
break;
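Review bot: "%.*s" takes an int precision, so if results_length2 is a size_t (the surrounding lines don't say) this needs an explicit cast to avoid a format mismatch; the replaced results_length had the same question. The body is also written raw to stdout: a server that answers with an unexpected MIME type can put arbitrary bytes, including terminal control sequences, in that body, so cap the length or escape non-printables before printing rather than trusting the reply just because it was not understood.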
From tjaalton at moszumanska.debian.org Sun Aug 16 08:08:03 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Sun, 16 Aug 2015 08:08:03 +0000
Subject: [Pkg-freeipa-devel] certmonger: Changes to 'upstream'
Message-ID:
certmonger.spec | 7 ++++++-
configure.ac | 2 +-
src/getcert.c | 14 ++++++++++++++
src/scep.c | 18 +++++++++---------
4 files changed, 30 insertions(+), 11 deletions(-)
From tjaalton at moszumanska.debian.org Sun Aug 16 08:08:09 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Sun, 16 Aug 2015 08:08:09 +0000
Subject: [Pkg-freeipa-devel] certmonger: Changes to 'refs/tags/debian/0.78.4-1'
Message-ID:
Tag 'debian/0.78.4-1' created by Timo Aaltonen at 2015-08-16 08:02 +0000
tagging package certmonger version debian/0.78.4-1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=vzqt
-----END PGP SIGNATURE-----
Changes since debian/0.75.14-4:
David Kupka (1):
Retrieve string value from DBus property interface reply correctly.
Jan Cholasta (1):
Allow overriding parameter values in Dogtag request approval
Nalin Dahyabhai (438):
getcert status: fix a crash with no request
Up the minimum poll time from 30m to 60m
Loosen name matching for property names
First pass at private server mode
Rename bus "other" to "private", fix connecting
Avoid closing stdio on gating commands
Reset watch handlers after handling them
Refactor bus/listener setup and reconnection logic
Ignore "private" requests from other users
Make it possible to specify the listener socket
Fixup copy/paste errors in help output
Default to a briefer default help message
Add a fallback mode to getcert -S
Pass verbose level in as certmonger -d level
Reset signal handlers for the gate command
Include the helper command in log messages
Document certmonger's -L/-l/-P options
Document that CERTMONGER_PVT_ADDRESS matters
Also use a lock in system mode
Make we'll launch a temporary daemon clearer
Finish a comment
tag 0.76
Updated translations
Minor tweaks to help debug listener mode better
Let people specify abstract locations, too
tag 0.76.1
Note the UID has to match when describing -l/-L clients
Change priorities of XXX_uri/host/server settings
Adjust whitespace
Use SRV lookups to locate IPA's LDAP server
IPA: prefer specified URIs over configured server
Factor out submit/poll and fetch-roots
Factor out locate-directory-server logic
Factor out find-default-naming-context
Add missing newlines for error messages
Fix some error handling code
Add some missing initializers
Add missing #includes
Use discovery for XMLRPC servers, too
Detect support for resolving SRV records
Clean up status messages for init system data
Update translations
Finish conditionalizing SRV support
tag 0.76.2
Update translations
Add a notify case for saved-but-CA-not-saved
Rename the SRV test program
Save CA certs *before* running post-save hooks
This is done: we have a "local" signer now
Add some missing cases
Split off a generic dogtag-submit helper
Remove unused dogtag_version port-guessing
Only error out on missing -A when it's an error
Describe the "local" signer in getting-started.txt
Don't forget to mention $CERTMONGER_CA_PROFILE
Fix a pile of argument-order errors
Fix a static analysis warning initializing keygen
Fix some static analysis leaks
Handle IDN when doing service location
Fix build errors created by the previous commit
tag 0.76.3
Update translations
Update for previous changes to dparse
tag 0.76.4
Call _exit() instead of exit() in canalyze
tag 0.76.5
Call _exit() instead of exit() on OOM in CA save
Avoid exit() hooks on normal subproc exit
Remove leftover code forcing SRV priority to 50
Fix compiling without OpenSSL
tag 0.76.6
Update translations
Fix another pair of memory leaks in the IPA helper
Fix reporting of CA not-valid-after times
tag 0.76.7
Update translations
Set a CM_DELAY_CA_POLL_MAXIMUM
Replace a hard-coded value with the macro
Correct a comment
Abort FETCH-ROOTS if there's no IPA domain
Handle the IPA-not-configured case correctly
Output help for underspecified "status" commands
Go back to retrying when cadata is unconfigured
Drop a duplicate call to time()
Fix a typo in a comment
Formatting fixes
dogtag: check for agent creds when given options
Update dogtag man pages for the -O option
Update translations and their sources
tag 0.76.8
Add missing bug ID reference to the changelog
Add a note about supporting (parts of) ACME
Add missing bug ID to changelog
Fix a static analysis warning
Fix a typo
Update reference for kx509
Try to better enforce DSA key sizes
Add a bug reference for #1180978
Add some bookkeeping request fields for rekeying
First pass at rekey-friendly keygen behavior
Sanitize candidate key filenames and nicknames
Fix detection of candidate key permission errors
Add support for reading candidate keyinfo
First pass at rekey support for CSR generation
First pass at self-signing while rekeying
First pass at saving while rekeying
Add data fields for storing SCEP-specific CA data
Add logic to ask helpers for SCEP-specific CA data
Teach submit-h to return binary-safe data
Generate SCEP transactionIDs when generating CSRs
Add part of the SCEP submission helper
More SCEP helper bits, mostly TODO notes
Fix talloc/free mismatch
Fix a missing #include
Fix an infinite loop sending the request
Add a note about removing old candidates
Make sure we clear the candidate marker on save
Make preserving keys on rekey an option
Finish cleaning up rekey renaming
Fix various warnings and static analysis bugs
Fix a couple of static analysis warnings
Auto-spawn a server when there is no server socket
Auto-launch a daemon for "request", too
Fix a timing issue with this self-test
Fix computation of the buffer size for PEM wrapper
Generate mini-certificates for signing SCEP reqs
Correct the serial number in minicerts
Add logic for pulling certs out of PKCS7 blobs
Correctly parse PKCS#7 SCEP GetCACert replies
Accept redirection on HTTP with no client auth
Add a function for wrapping a CSR in an envelope
Get even more flexible parsing PKCS#7 signed-data
Refactor enveloping code
Add issuer-and-subject envelopes, use binary mode
Set a default SCEP CA ID for GetCACert messages
Also retrieve and cache an SCEP server's CA's cert
Add storage for SCEP request data
Encode the right subject name
First part of SCEP request generation
Tweak parsing PKCS#7 lists of certificates
Extend the pile-of-certificate parsing API
Fix and test sorting of certificate chains
Fetch an SCEP server's CA chain, too
Add the signer's chain to signed-data for SCEP
In-progress changes to handle chains better in NSS
Refactor the code to make reusing the signing easier
Work around NSS's always-verify behavior
Add SCEP attributes to signed messages
Add the ability to check for RSA keys
Wire in new states to trigger SCEP generation
Restart any waiting scepgen tasks with new certs
Let helpers see SCEP data, cache SCEP CA IDs
Encode pkiMessages when talking to SCEP servers
We don't have a place to put other certs yet
Shorten the wait after realizing we need SCEP data
Only restart when encryption certs *change*
Add a couple of diagnostics for now, clarify names
Always generate fresh SCEP data
Stop depending on PKCS7_SIGNER_INFO_sign()
Quick fix for a test on older RHEL
Include a missing header
Include a missing header
Add missing script
Really fix that timing issue this time
Strip out random blank lines in issued certificate
Send the right operation type for SCEP enrollments
Add a content-type signed attribute to SCEP reqs
Expand on ChallengePassword handling
Fix a few subprocess exit status values
Be ready to refresh SCEP server certificates
PEM-encode application/x-pki-message SCEP replies
Send verbose messages to stderr
Add logic for parsing SCEP PKCS#7 signed-data
Use defined names for SCEP protocol constants
Verify SCEP requests, start parsing SCEP replies
Put contentInfo inside of encapsulatedContentInfo
Understand md5, des, and des3 as preferences
Improve algorithm selection when generating SCEP
Clean up parsing of SCEP CA data
Fix a couple of warnings, expand SCEP failure text
Refactor passing of args to external helpers
Postprocess helper "success" output
Check for handling of binary helper output
Add more error checking to the HTTP part of SCEP
Use the right macro; drop an unused variable
Add hooks for decrypting PKCS#7 EnvelopedData
Add a framework for decrypting enveloped-data
Add missing source files
Rewrite parsing of enveloped-data using NSS
Avoid EVP_PKEY_CTX, which wasn't there on EL5
Avoid X509_ALGOR_set0(), which wasn't on EL5
Right, so PK11_PrivDecrypt() wasn't always there
Fix a few compiler warnings
Avoid crashing the test harness
Fix a string comparison (static analysis)
Fix a dereference-before-check (static analysis)
Add a missing include header
Check key_from_file()'s return (static analysis)
Skip a redundant check (static analysis)
Free some memory before _exit() (static analysis)
Handle not having an RA cert (static analysis)
Tweak some logic to make static analysis happy
Drop a redundant goto to the next line (static analysis)
Drop some dead code (static analysis)
Drop some dead code (static analysis)
Whoops, missing a break; (static analysis)
Call va_end() even on error (static analysis)
Fix a copy/paste error (static analysis)
Free an error string in the IPA helper (static analysis)
Free memory returned by cm_submit_u_pem_from_base64() (static analysis)
Open the right "next" key (static analysis)
Fix an uninitialized pointer compare (static analysis)
Set the recipient_nonce correctly (static analysis)
Correct result (static analysis)
Also do a run-through with SCEP ops
Accept a passed-in CA certificate as an anchor
Whoops, getcert should accept -l/-L properly
Avoid an integer expression overflow on 32-bit
Fix the width of the format specifier
Add a man page for scep-submit(8).
Remove a redundant check for no old key (static analysis)
Document scep-submit's -i option
Correctly select the SCEP request digest
Store SCEP request data in PEM form
Expose SCEP CA data as properties
Display an SCEP CA's certificate's thumbprint
Display thumbprint values for SCEP, as appropriate
Refresh all of a CA's data when its helper changes
Add tests for reading ssvs arguments
Make the scep-ca-identifier property settable
Drop an errant sed invocation
Add getcert add-ca/add-scep-ca/modify-ca/remove-ca
Update status docs
Add a bit of docs on how to use SCEP
SCEP needs OpenSSL in many places, so require it
Fix a syntax error
Drop cadata when a helper reports "unsupported"
Cache the last-transmitted SCEP nonce value
Update helper documentation
NUL-terminate the result string properly
Only generate "new key" SCEP data with a new key
Rework which keys we prefer for SCEP
Add framework for PIN, token certsave errors
Fix a couple of memory leaks (static analysis)
Remove a line of dead code (static analysis)
Remove logically dead code (static analysis)
Call BIO_new_mem_buf() with length -1 for strings
Add more PKCS#7/SCEP debug logging
Clean up the SCEP -R/-r options
Correct use of certsave-specific status codes
Test rekey saving with encrypted keys, too
Log in to NSS key databases for cert saving
Set a PIN, if one hasn't been set, during certsave
Move from Transifex to Zanata
Update translations
Have "getcert list" print the certificate profile
Drop Transifex config, since we're using Zanata
The CA profile is supposed to be read-only
Clear SCEP data when we generate a new CSR
Whoops, we use cmsutil in tests now
Handle "rejected" status from CA data requests
Try to sanity-check capabilities CA data by size
Try to accommodate Dogtag's GetCACert results
Break out of the cert retrieval loop on duplicates
Learn about Dogtag's SCEP failInfo status codes
Debug log SCEP replies in base64-encoded form
Update translations
Tag 0.77
Whoops, tag 0.77.1
A slide on using SCEP
Separate local validity lifetime's from selfsign's
Read nsCertType extension, write EnrollmentProfile
Note that SCEP usually wants a ChallengePassword
Expose certificate validity as D-Bus properties
Add plumbing for "long long" D-Bus properties
Fix potential segfault when parsing helper output
Document the dogtag helper's -N and -R flags
Update translations
tag 0.77.2
Retrieve the list of profiles from Dogtag CAs
Handle success from Dogtag's submit endpoint
Rename some variables
Learn to pass submission params to Dogtag
Add more auth options to dogtag-submit
Wire valgrind in to self-tests
Whitespace fixup
Fix a self-test uninitialized memory bug
Avoid using xmlXPathNodeEval(), not in EL 5
Add a barely-working "ls" knockoff
Manage ownership and permissions on keys and certs
Fix a potential crash in the local signer
Fix certificate retrieval in dogtag-submit
Update self-tests
Don't use O_NOFOLLOW
Silence a static analysis warning
Try to address a static analysis TOC-TOU warning
Start switching to popt
Add $POPT_CFLAGS and $POPT_LIBS to the test tools
Switch base2pem test tool to popt
Switch base64 test tool to popt
Switch the cadata test tool to popt
Switch the casave test tool to popt
Switch the hooks test tool to popt
Drop an unused #include header
Whitespace edits for makefiles
Port toklist sample to popt
Port the tlslayer WIP code to popt
Port the tdbusm-check tool to popt
Port the submit-x tool to popt
Port submit-h to using popt
Port the SCEP submit helper to use popt
Port the submit-d tool to popt
Port the certmaster submit helper to use popt
Port the local signer to use popt
Port the dogtag submit helper to use popt
Port the IPA submit helper to use popt
Port the main certmonger binary to popt
Port "getcert" to popt
Fix a static analysis warning
Check for error results from fcntl() and remove()
Fix a static analysis warning
Fix a memory leak in cm_submit_d_submit_result()
Remember to close a descriptor when saving to NSS
Update translations
Pass the template/profile to IPA as a "profile"
Default to re-using ns-certtype values
configure should error out without popt
Fix a typo in a self-test error message
Work around changes in OpenSSL 1.0.2a
Handle properties with no value in self-test
Handle setting template ns-certtype, key/cert perms
Wire {key,cert}_{owner,perms} into getcert
Also track per-certificate CA sets
When saving CA certs, also save per-request certs
Add a 'getcert rekey' option
Double-check that keys were changed in rekey test
Actually test the 'modify' D-Bus method
Add a debug message if we're ignoring idle timeout
Fix an overrun gathering arguments
Add some JSON support
Update translations
Correct the wrong flag in a man page
Whoops, actually run those new tests
Add one more invalid sample to the json test cases
Update the expected output for that last test
Check for strtold(), use strtod() otherwise
Don't depend on getline(), in case it isn't there
Be consistent about using our stpcpy() knockoff
Fix a possible NULL dereference
Remove an unused variable (static analysis)
Fix the prototype for the getline() stand-in
Silence some dead-code warnings
Don't assign one uninitialized pointer to another
Have the self-test check the file size after open
Fix a read-after-close in a self-test
Handle 0 bytes in JSON strings
Handle setting NULL to remove items from JSON objs
Catch invalid expressions when parsing JSON
Add more type-safety to the JSON bits
When parsing possibly-PKCS#7, handle length==1
Add some more PKCS#7 parsing cases
Add another expected-to-fail-to-parse JSON sample
Add entry callbacks to the 'iterate' test tool
Make sure leafs aren't tops when parsing PKCS#7
When saving CA certs fails, add a couple of logs
Add a way for helpers to provide per-cert roots
Give helpers a way to force us to rekey
Handle CERT_ImportCerts() returning an empty array
Start keeping track of key lifetimes and usage
Catch unterminated string values in JSON
Catch up the test helper on new helper exit codes
Only record next-key info when we have a next-key
Add debug log checking for key/cert pubkey matches
Handle cases where the CA reuses a key on us
Remove an unused OID variable
Add some comments
tag 0.77.3
Fix an uninitialized pointer error (valgrind)
Correct a self-test error
Let NSS's safeguards against key deletion work
Fix the -c flag for vanilla getcert
Add a --wait-timeout flag for use with the -w flag
New test: getcert request/resubmit/rekey
Add some more info to this test run's output
Make the getcert test include preserving rekey
Suppress PINs in "getcert list" output (#42)
Expose key generation time and use count as props
Add test cases for CA-reuses-key-on-rekey-request
Trigger rekeying on key lifetime or use count
getcert: correctly pass the command to certmonger
Display the right command in help output
Rework how we clean up after rekeys with NSS
Extend a post-0.77 test case for that last change
merge changelog from 0.77.4
scep-submit: always keep track of the mode
Mention exit status 17 (need-rekey) in helper mans
Provide requested IP addresses to helpers
Handle more unusual PKCS#7 verification for SCEP
Handle CERTMONGER_REQ_IP_ADDRESS in requirements
Use preprocessor names for document elements
Add some JSON type checking in submit-e
Accept CA roots as a JSON object
Expand on comments for 481811e76908f50b
Guess "profile_id" instead of "profile" for IPA
Add a -v/--version option to the daemon
Rework parsing of JSON enrollment results
Tweak the accepted CA JSON format
Resync .spec file with Fedora
Add logic for SCEP renewal with key change
Document the helper interface from the helper PoV
Add more expected-to-parse-correctly JSON samples
Check generated key size after checking for NULL
Fix a signedness comparison problem
Require that binary decoding leaves no leftovers
Add an alternate accepted result for DSA keygen
Accept 1016 instead of 1024 bit for DSA keygen
Add a missing flag to the synopsis in the scep man
Whitespace fixup
Update translations
Log more about what's going on in SCEP
tag 0.78
Update translations
Add some bugzilla/tracs references to the chglog
Get vague about what we expect from certutil
Tag 0.78.1
Add a wrapper to avoid passing NULL to setenv()
Don't check a never-NULL pointer for being NULL
Fix checking for errors when fetching SCEP chain
Don't forget to close the output file structure
Register our bus name after setting up handlers
Rework how we do system bus activation
Updated translations
tag 0.78.2
Use poptGetOptArg() correctly
tag 0.78.3
When we get an error from a pkcsReq, log correctly
Fix "getcert start-tracking"'s -L and -l options
tag 0.78.4
Timo Aaltonen (6):
Merge branch 'upstream'
bump the version
control: Add libpopt-dev to build-depends.
Merge branch 'upstream'
update the changelog
releasing package certmonger version 0.78.4-1
vagrant (1):
Print the full gate command in debug mode
---
Makefile.am | 3
STATUS | 17
certmonger.spec | 171 +
configure.ac | 131 +
debian/changelog | 7
debian/control | 1
doc/api.txt | 4
doc/design.txt | 215 +-
doc/getting-started.txt | 45
doc/helpers.txt | 227 ++
doc/scep.odp |binary
doc/scep.txt | 38
doc/selinux.txt | 2
doc/submit.txt | 48
po/ach.po | 1339 +++++++++++---
po/af.po | 1339 +++++++++++---
po/af_ZA.po | 1307 +++++++++++---
po/aln.po | 1339 +++++++++++---
po/am.po | 1339 +++++++++++---
po/ar.po | 1342 +++++++++++---
po/as.po | 1339 +++++++++++---
po/ast.po | 1339 +++++++++++---
po/az.po | 1339 +++++++++++---
po/bal.po | 1339 +++++++++++---
po/be.po | 1342 +++++++++++---
po/bg.po | 1454 ++++++++++++----
po/bn.po | 1339 +++++++++++---
po/bn_IN.po | 1339 +++++++++++---
po/bo.po | 1339 +++++++++++---
po/br.po | 1339 +++++++++++---
po/brx.po | 1339 +++++++++++---
po/bs.po | 1342 +++++++++++---
po/ca.po | 1843 ++++++++++++++------
po/certmonger.pot | 1309 +++++++++++---
po/cs.po | 1339 +++++++++++---
po/cs_CZ.po | 1307 +++++++++++---
po/cy.po | 1342 +++++++++++---
po/da.po | 1395 +++++++++++----
po/de.po | 1457 ++++++++++++----
po/de_CH.po | 1339 +++++++++++---
po/dz.po | 1339 +++++++++++---
po/el.po | 1339 +++++++++++---
po/en_GB.po | 1339 +++++++++++---
po/eo.po | 1339 +++++++++++---
po/es.po | 1559 +++++++++++++----
po/es_ES.po | 1307 +++++++++++---
po/et.po | 1339 +++++++++++---
po/eu.po | 1344 +++++++++++----
po/eu_ES.po | 1307 +++++++++++---
po/fa.po | 1339 +++++++++++---
po/fa_IR.po | 1307 +++++++++++---
po/fi.po | 1339 +++++++++++---
po/fr.po | 1507 ++++++++++++----
po/ga.po | 1342 +++++++++++---
po/gl.po | 1339 +++++++++++---
po/gu.po | 1344 +++++++++++----
po/he.po | 1339 +++++++++++---
po/hi.po | 1339 +++++++++++---
po/hr.po | 1342 +++++++++++---
po/hr_HR.po | 1307 +++++++++++---
po/hu.po | 1490 ++++++++++++----
po/hy.po | 1339 +++++++++++---
po/ia.po | 1339 +++++++++++---
po/id.po | 1381 +++++++++++----
po/ilo.po | 1339 +++++++++++---
po/is.po | 1339 +++++++++++---
po/it.po | 1425 ++++++++++++---
po/it_IT.po | 1307 +++++++++++---
po/ja.po | 1388 +++++++++++----
po/ja_JP.po | 1307 +++++++++++---
po/ka.po | 1339 +++++++++++---
po/kk.po | 1339 +++++++++++---
po/km.po | 1339 +++++++++++---
po/kn.po | 1339 +++++++++++---
po/ko.po | 1339 +++++++++++---
po/ks.po | 1339 +++++++++++---
po/ku.po | 1339 +++++++++++---
po/ky.po | 1339 +++++++++++---
po/la.po | 1339 +++++++++++---
po/lo.po | 1339 +++++++++++---
po/lt.po | 1406 ++++++++++++---
po/lv.po | 1342 +++++++++++---
po/mai.po | 1339 +++++++++++---
po/mg.po | 1339 +++++++++++---
po/mk.po | 1339 +++++++++++---
po/ml.po | 1339 +++++++++++---
po/mn.po | 1339 +++++++++++---
po/mr.po | 1339 +++++++++++---
po/ms.po | 1339 +++++++++++---
po/ms_MY.po | 1307 +++++++++++---
po/my.po | 1339 +++++++++++---
po/nb.po | 1344 +++++++++++----
po/nds.po | 1339 +++++++++++---
po/ne.po | 1339 +++++++++++---
po/nl.po | 1504 ++++++++++++----
po/nn.po | 1339 +++++++++++---
po/no.po | 1339 +++++++++++---
po/nso.po | 1339 +++++++++++---
po/or.po | 1339 +++++++++++---
po/pa.po | 1339 +++++++++++---
po/pl.po | 1479 ++++++++++++----
po/pt.po | 1412 ++++++++++++---
po/pt_BR.po | 1541 +++++++++++++----
po/ro.po | 1342 +++++++++++---
po/ru.po | 1360 +++++++++++----
po/ru_RU.po | 1344 +++++++++++----
po/si.po | 1339 +++++++++++---
po/sk.po | 1339 +++++++++++---
po/sl.po | 1342 +++++++++++---
po/sq.po | 1339 +++++++++++---
po/sr.po | 1342 +++++++++++---
po/sr@latin.po | 1342 +++++++++++---
po/sv.po | 1428 ++++++++++++---
po/ta.po | 1342 +++++++++++---
po/ta_IN.po | 1307 +++++++++++---
po/te.po | 1339 +++++++++++---
po/tg.po | 1339 +++++++++++---
po/th.po | 1339 +++++++++++---
po/tl.po | 1339 +++++++++++---
po/tr.po | 1342 +++++++++++---
po/uk.po | 1524 ++++++++++++-----
po/uk_UA.po | 1307 +++++++++++---
po/ur.po | 1339 +++++++++++---
po/uz.po | 1339 +++++++++++---
po/vi.po | 1339 +++++++++++---
po/wo.po | 1339 +++++++++++---
po/xh.po | 1339 +++++++++++---
po/zh_CN.GB2312.po | 1931 +++++++++++++++++++++
po/zh_CN.po | 1377 +++++++++++----
po/zh_HK.po | 1339 +++++++++++---
po/zh_TW.Big5.po | 1931 +++++++++++++++++++++
po/zh_TW.po | 1353 +++++++++++----
po/zu.po | 1339 +++++++++++---
src/Makefile.am | 107 -
src/cadata.c | 449 ++++-
src/cadata.h | 5
src/canalyze.c | 108 +
src/canalyze.h | 3
src/casave.c | 140 +
src/certext.c | 246 ++
src/certmaster-getcert.1.in | 14
src/certmaster.c | 79
src/certmonger-certmaster-submit.8.in | 11
src/certmonger-dogtag-ipa-renew-agent-submit.8.in | 32
src/certmonger-dogtag-submit.8.in | 239 ++
src/certmonger-ipa-submit.8.in | 29
src/certmonger-local-submit.8.in | 12
src/certmonger-scep-submit.8.in | 146 +
src/certmonger.8.in | 41
src/certmonger.conf.5.in | 43
src/certmonger.conf.in | 3
src/certread-n.c | 10
src/certread-o.c | 7
src/certread.c | 12
src/certsave-int.h | 10
src/certsave-n.c | 312 +++
src/certsave-o.c | 353 +++
src/certsave.c | 21
src/certsave.h | 7
src/cm.c | 51
src/cm.h | 4
src/csrgen-int.h | 3
src/csrgen-n.c | 499 +++++
src/csrgen-o.c | 170 +
src/csrgen.c | 69
src/dogtag-ipa.c | 50
src/dogtag-ipa.h | 23
src/dogtag.c | 426 +++-
src/env-session.c | 6
src/env-shared.c | 6
src/env-system.c | 11
src/getcert-add-ca.1.in | 52
src/getcert-add-scep-ca.1.in | 84
src/getcert-list-cas.1.in | 9
src/getcert-list.1.in | 65
src/getcert-modify-ca.1.in | 47
src/getcert-refresh-ca.1.in | 9
src/getcert-refresh.1.in | 9
src/getcert-remove-ca.1.in | 45
src/getcert-request.1.in | 22
src/getcert-resubmit.1.in | 22
src/getcert-start-tracking.1.in | 22
src/getcert-status.1.in | 11
src/getcert-stop-tracking.1.in | 11
src/getcert.1.in | 25
src/getcert.c | 1969 +++++++++++++++++++---
src/hook.c | 2
src/introspect.sh.in | 15
src/ipa-getcert.1.in | 12
src/ipa.c | 837 ++++++---
src/iterate.c | 625 +++++-
src/json.c | 1155 ++++++++++++
src/json.h | 78
src/keygen-n.c | 245 ++
src/keygen-o.c | 160 +
src/keyiread-n.c | 94 -
src/keyiread-n.h | 6
src/keyiread-o.c | 78
src/keyiread.c | 60
src/local-getcert.1.in | 12
src/local.c | 71
src/log.h | 2
src/main.c | 200 +-
src/notify.c | 41
src/notify.h | 1
src/pkcs7.c | 1208 +++++++++++++
src/pkcs7.h | 66
src/prefs-n.c | 56
src/prefs-n.h | 4
src/prefs-o.c | 29
src/prefs-o.h | 2
src/prefs.c | 71
src/prefs.h | 11
src/scep-o.c | 82
src/scep-o.h | 28
src/scep.c | 1109 ++++++++++++
src/scep.h | 47
src/scepgen-int.h | 51
src/scepgen-n.c | 475 +++++
src/scepgen-o.c | 855 +++++++++
src/scepgen.c | 115 +
src/scepgen.h | 57
src/selfsign-getcert.1.in | 12
src/srvloc.c | 249 ++
src/srvloc.h | 31
src/store-files.c | 509 +++++
src/store-gen.c | 42
src/store-int.h | 76
src/store.h | 2
src/submit-d.c | 393 +++-
src/submit-d.h | 12
src/submit-e.c | 831 +++++++--
src/submit-e.h | 13
src/submit-h.c | 140 -
src/submit-h.h | 5
src/submit-int.h | 25
src/submit-n.c | 471 +++++
src/submit-o.c | 109 +
src/submit-o.h | 3
src/submit-sn.c | 48
src/submit-so.c | 50
src/submit-u.c | 33
src/submit-x.c | 108 -
src/submit.c | 14
src/submit.h | 6
src/subproc.c | 35
src/subproc.h | 2
src/tdbus.c | 371 +++-
src/tdbus.h | 29
src/tdbush.c | 743 ++++++++
src/tdbush.h | 3
src/tdbusm-check.c | 46
src/tdbusm.c | 61
src/tdbusm.h | 3
src/tlslayer.c | 75
src/toklist.c | 44
src/util-m.h | 4
src/util-n.c | 191 ++
src/util-n.h | 10
src/util-o.c | 119 +
src/util-o.h | 12
systemd/Makefile.am | 5
systemd/certmonger.path.in | 9
systemd/org.fedorahosted.certmonger.service.in | 4
tests/001-keyiread-dsa/expected.out | 36
tests/001-keyiread-dsa/run.sh | 10
tests/002-keygen-dsa/expected.out.2 | 45
tests/002-keygen-dsa/expected.out.3 | 45
tests/002-keygen/expected.out | 72
tests/002-keygen/run.sh | 22
tests/003-csrgen-dsa/expected.out | 2
tests/003-csrgen-dsa/run.sh | 7
tests/003-csrgen-ec/expected.out | 2
tests/003-csrgen-ec/run.sh | 7
tests/003-csrgen/expected.out | 48
tests/003-csrgen/run.sh | 94 -
tests/004-selfsign/run.sh | 3
tests/005-dbusm/expected.out | 1
tests/008-certread/expected.out | 1
tests/010-iterate/expected.out | 232 ++
tests/010-iterate/run.sh | 237 ++
tests/019-dparse/expected.out | 162 +
tests/019-dparse/good.profileList | 1028 +++++++++++
tests/019-dparse/good.profileSubmit.issued | 1
tests/019-dparse/run.sh | 4
tests/021-resume/expected.out | 436 +++-
tests/021-resume/run.sh | 23
tests/023-cadata/expected.out | 24
tests/023-cadata/run.sh | 23
tests/024-citerate/expected.out | 200 ++
tests/024-citerate/run.sh | 8
tests/025-casave/expected.out | 62
tests/025-casave/run.sh | 186 ++
tests/028-dbus/entry | 6
tests/028-dbus/expected.out | 62
tests/028-dbus/run.sh | 1
tests/028-dbus/walk.py | 47
tests/030-rekey/expected.out | 345 +++
tests/030-rekey/run.sh | 246 ++
tests/031-pkcs7/expected.out | 209 ++
tests/031-pkcs7/prequal.sh | 2
tests/031-pkcs7/run.sh | 252 ++
tests/032-chain/expected.out | 1
tests/032-chain/run.sh | 54
tests/033-scep/expected.out | 24
tests/033-scep/run.sh | 213 ++
tests/034-perms-dbm/expected.out | 94 +
tests/034-perms-dbm/run.sh | 2
tests/034-perms-sql/expected.out | 94 +
tests/034-perms-sql/run.sh | 2
tests/034-perms/expected.out | 94 +
tests/034-perms/run.sh | 199 ++
tests/035-json/bad.1 | 14
tests/035-json/bad.15 | 1
tests/035-json/bad.1a | 14
tests/035-json/bad.1b | 14
tests/035-json/bad.1c | 14
tests/035-json/bad.1d | 13
tests/035-json/bad.1e | 14
tests/035-json/bad.2 |binary
tests/035-json/bad.3 | 1
tests/035-json/bad.4 | 60
tests/035-json/bad.5 | 1
tests/035-json/bad.6 | 1
tests/035-json/bad.8 | 1
tests/035-json/bad.9 | 1
tests/035-json/expected.out | 66
tests/035-json/good.1 | 14
tests/035-json/good.10 | 1
tests/035-json/good.11 | 1
tests/035-json/good.12 | 1
tests/035-json/good.13 | 1
tests/035-json/good.14 | 1
tests/035-json/good.15 | 1
tests/035-json/good.16 | 22
tests/035-json/good.17 | 23
tests/035-json/good.18 | 22
tests/035-json/good.19 | 11
tests/035-json/good.2 | 23
tests/035-json/good.20 | 26
tests/035-json/good.21 | 88
tests/035-json/good.22 | 27
tests/035-json/good.2a | 10
tests/035-json/good.2b | 10
tests/035-json/good.2c | 12
tests/035-json/good.3 | 1
tests/035-json/good.4 | 1
tests/035-json/good.5 | 1
tests/035-json/good.6 | 1
tests/035-json/good.7 | 1
tests/035-json/good.8 | 1
tests/035-json/good.9 | 1
tests/035-json/run.sh | 20
tests/036-getcert/expected.out | 74
tests/036-getcert/run.sh | 190 ++
tests/037-rekey2/expected.out | 233 ++
tests/037-rekey2/run.sh | 205 ++
tests/Makefile.am | 48
tests/run-tests.sh | 16
tests/tools/Makefile.am | 18
tests/tools/addcinfo.c | 109 +
tests/tools/base2pem.c | 29
tests/tools/base64.c | 46
tests/tools/cachain.sh | 90 +
tests/tools/cadata.c | 72
tests/tools/casave.c | 58
tests/tools/dparse.c | 27
tests/tools/hooks.c | 58
tests/tools/iterate.c | 68
tests/tools/json-utf8.c | 112 +
tests/tools/json.c | 187 ++
tests/tools/keyiread.c | 85
tests/tools/ls.c | 82
tests/tools/pk7decrypt.c | 106 +
tests/tools/pk7env.c | 183 ++
tests/tools/pk7parse.c | 102 +
tests/tools/pk7verify.c | 159 +
tests/tools/prefs.c | 9
tests/tools/printenv.c | 40
tests/tools/scepgen.c | 142 +
tests/tools/srv.c | 53
tests/tools/submit.c | 22
zanata.xml | 106 +
383 files changed, 151966 insertions(+), 38948 deletions(-)
---
From ftpmaster at ftp-master.debian.org Sun Aug 16 08:08:32 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Sun, 16 Aug 2015 08:08:32 +0000
Subject: [Pkg-freeipa-devel] Processing of certmonger_0.78.4-1_amd64.changes
Message-ID:
certmonger_0.78.4-1_amd64.changes uploaded successfully to localhost
along with the files:
certmonger_0.78.4-1.dsc
certmonger_0.78.4.orig.tar.gz
certmonger_0.78.4-1.diff.gz
certmonger_0.78.4-1_amd64.deb
Greetings,
Your Debian queue daemon (running on host franck.debian.org)
From ftpmaster at ftp-master.debian.org Sun Aug 16 09:34:34 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Sun, 16 Aug 2015 09:34:34 +0000
Subject: [Pkg-freeipa-devel] certmonger_0.78.4-1_amd64.changes ACCEPTED into
unstable
Message-ID:
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 16 Aug 2015 11:02:04 +0300
Source: certmonger
Binary: certmonger
Architecture: source amd64
Version: 0.78.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team
Changed-By: Timo Aaltonen
Description:
certmonger - D-Bus -based service to simplify interaction with certificate aut
Changes:
certmonger (0.78.4-1) unstable; urgency=medium
.
* New upstream release.
* control: Add libpopt-dev to build-depends.
Checksums-Sha1:
95ab49f8f5ddd40ee379d54941f75b3261c316ef 2244 certmonger_0.78.4-1.dsc
277aca37d5ee3b693108ce7d9398ec3b44beb634 1848610 certmonger_0.78.4.orig.tar.gz
9ef0fc7cdff48b19092c6b70eb6a8f3184327f78 955251 certmonger_0.78.4-1.diff.gz
e368fb6160243612ad0cf58b5f25fce29186cee8 434000 certmonger_0.78.4-1_amd64.deb
Checksums-Sha256:
bdeaf1da3cf33069056a843185bfd7281cab47e8ca9431bac868fe8efb1991f7 2244 certmonger_0.78.4-1.dsc
45eeac6b4176a605b1a12fead6415c09af16c25382a87edc2bfe7d666a2c3915 1848610 certmonger_0.78.4.orig.tar.gz
19842b64a923f74a5998edf908d536dc51f5b252faa8805536b4f957ae6a27ac 955251 certmonger_0.78.4-1.diff.gz
46b877082897a09fa01fc1c262288f3d29c6d065498134de1a57eb799a12b803 434000 certmonger_0.78.4-1_amd64.deb
Files:
0d31b0d1d2e8d2a5dda23cb23a0b8864 2244 utils extra certmonger_0.78.4-1.dsc
976149477a82e0db959bfe2b81967d20 1848610 utils extra certmonger_0.78.4.orig.tar.gz
07a9cd193cdbac22f2125d9e48f1bc30 955251 utils extra certmonger_0.78.4-1.diff.gz
75cc32e4b53c21f956b7e2e565edb078 434000 utils extra certmonger_0.78.4-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=04dS
-----END PGP SIGNATURE-----
Thank you for your contribution to Debian.
From tjaalton at moszumanska.debian.org Sun Aug 16 18:33:41 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Sun, 16 Aug 2015 18:33:41 +0000
Subject: [Pkg-freeipa-devel] python-nss: Changes to 'master'
Message-ID:
.hgtags | 8
debian/changelog | 6
doc/ChangeLog | 203 +++
doc/examples/cert_trust.py | 165 ++
doc/examples/ssl_example.py | 43
doc/examples/ssl_version_range.py | 122 +
doc/examples/verify_server.py | 44
setup.py | 2
src/SECerrs.h | 12
src/SSLerrs.h | 29
src/__init__.py | 14
src/py_nspr_common.h | 153 ++
src/py_nss.c | 486 +++++--
src/py_nss.h | 44
src/py_shared_doc.h | 43
src/py_ssl.c | 2359 ++++++++++++++++++++++++++++++++++----
src/py_ssl.h | 25
test/test_client_server.py | 9
18 files changed, 3319 insertions(+), 448 deletions(-)
New commits:
commit 0f971ac56378be8384e781dacb4d476d19d98e94
Author: Timo Aaltonen
Date: Sun Aug 16 11:18:41 2015 +0300
releasing package python-nss version 0.16.0-1
diff --git a/debian/changelog b/debian/changelog
index 87dc59f..7c28d32 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,8 @@
-python-nss (0.16.0-1) UNRELEASED; urgency=medium
+python-nss (0.16.0-1) unstable; urgency=medium
* New upstream release.
- -- Timo Aaltonen Sun, 16 Aug 2015 11:12:06 +0300
+ -- Timo Aaltonen Sun, 16 Aug 2015 11:18:20 +0300
python-nss (0.15.0-1) unstable; urgency=medium
commit 91ddae5ebc8244212c82ddd0f287d011044a55a6
Author: Timo Aaltonen
Date: Sun Aug 16 11:12:26 2015 +0300
update the changelog
diff --git a/debian/changelog b/debian/changelog
index 715043b..87dc59f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+python-nss (0.16.0-1) UNRELEASED; urgency=medium
+
+ * New upstream release.
+
+ -- Timo Aaltonen Sun, 16 Aug 2015 11:12:06 +0300
+
python-nss (0.15.0-1) unstable; urgency=medium
* New upstream release.
commit 841f576de6afae22380b505af33135dafd0c50ae
Author: John Dennis
Date: Tue Oct 28 14:50:39 2014 -0400
add py_shared_doc.h to MANIFEST
diff --git a/MANIFEST b/MANIFEST
index 297bb58..5f1d623 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -34,6 +34,7 @@ src/py_nspr_io.c
src/py_nspr_io.h
src/py_nss.c
src/py_nss.h
+src/py_shared_doc.h
src/py_ssl.c
src/py_ssl.h
src/py_traceback.h
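Review bot: this MANIFEST fix is dated Oct 28, one day after PYNSS_RELEASE_0_16_0 was last tagged (commit 564ec92, Oct 27 11:19:14), so a source tarball generated from that tag would still omit src/py_shared_doc.h, a header the tree clearly depends on (commit 8f6b727 edits it). Either re-tag the release on a changeset that includes this line or verify that the 0.16.0 tarball actually shipped with src/py_shared_doc.h before packaging it, since a release whose tarball does not build from its own tag is hard for downstream to reproduce and check.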
commit 564ec92dbeac04a5475ed5a415e7f7e1c1635c84
Author: John Dennis
Date: Mon Oct 27 11:19:14 2014 -0400
Added tag PYNSS_RELEASE_0_16_0 for changeset 07759f773c0b
diff --git a/.hgtags b/.hgtags
index b209bbe..3ee56fd 100644
--- a/.hgtags
+++ b/.hgtags
@@ -20,3 +20,5 @@ f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1
58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0
+e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0
+07759f773c0b643e0543ed3cf8168cd2937966dd PYNSS_RELEASE_0_16_0
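Review bot: this is the third time PYNSS_RELEASE_0_16_0 is re-pointed (commits e1e4f1a and f9ecf9c moved it from 288f6ba8 to 58faa8ba and then to e07c4d35; this hunk moves it to 07759f77), and a release tag that keeps moving after being published means consumers who fetched it at different times hold different trees, which defeats the tag's value as a verification anchor for packagers. The repeated lines in the context (e.g. `58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0` twice) are just Mercurial's record of the tag being moved, so the file itself needs no change; the process point is to cut the tag once, after the doc fixes, or use a new version number rather than retargeting a published tag.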
commit 8f6b727f4cd5ba50b95800cd9520d181e95a852c
Author: John Dennis
Date: Mon Oct 27 11:19:00 2014 -0400
Fix doc typos
diff --git a/src/__init__.py b/src/__init__.py
index 42c2534..c1506fb 100644
--- a/src/__init__.py
+++ b/src/__init__.py
@@ -66,18 +66,6 @@ should not be used, they will be removed in a subsequent release.
not respected, port will be value when `HostEntry` object was
created.
-`ssl.nssinit()`
- nssinit has been moved to the nss module, use `nss.nss_init()`
- instead of ssl.nssinit
-
-`ssl.nss_init()`
- nss_init has been moved to the nss module, use `nss.nss_init()`
- instead of ssl.nssinit
-
-`ssl.nss_shutdown()`
- nss_shutdown() has been moved to the nss module, use
- `nss.nss_shutdown()` instead of ssl.nss_shutdown()
-
`io.Socket()` and `ssl.SSLSocket()` without explicit family parameter
Socket initialization will require the family parameter in the future.
The default family parameter of PR_AF_INET is deprecated because
diff --git a/src/py_shared_doc.h b/src/py_shared_doc.h
index 9a57279..79b4b83 100644
--- a/src/py_shared_doc.h
+++ b/src/py_shared_doc.h
@@ -30,13 +30,13 @@ representing the indentation level for that line. Any remaining items\n\
in the tuple are strings to be output on that line.\n\
\n\
The output of this function can be formatted into a single string by\n\
-calling `indented_format()`, e.g.:\n\
+calling `nss.nss.indented_format()`, e.g.:\n\
\n\
print indented_format(obj.format_lines())\n\
\n\
The reason this function returns a tuple as opposed to an single\n\
indented string is to support other text formatting systems such as\n\
-GUI's with indentation controls. See `indented_format()` for a\n\
+GUI's with indentation controls. See `nss.nss.indented_format()` for a\n\
complete explanation.\n\
");
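Review bot: the prose now refers to `nss.nss.indented_format()` in both changed lines, but the example at `print indented_format(obj.format_lines())` still uses the bare name, so the docstring is inconsistent with itself; either qualify the call in the example as well or show the import that makes the bare name valid.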
diff --git a/src/py_ssl.c b/src/py_ssl.c
index 3e0dbf6..c345b6c 100644
--- a/src/py_ssl.c
+++ b/src/py_ssl.c
@@ -3107,9 +3107,6 @@ SSLChannelInformation_dealloc(SSLChannelInformation* self)
PyDoc_STRVAR(SSLChannelInformation_doc,
"SSLChannelInformation(obj)\n\
\n\
-:Parameters:\n\
- obj : xxx\n\
-\n\
An object representing SSLChannelInformation.\n\
");
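Review bot: the docstring here names the class `SSLChannelInformation`, while the commit message ("Add SSLCipherSuiteInfo, SSLChannelInfo classes") and the doc/ChangeLog hunk in this same commit call it `SSLChannelInfo`; one of the two should be corrected so users can find the class. Dropping the `obj : xxx` placeholder also leaves the constructor argument entirely undocumented; a one-line `:Parameters:` entry describing what `obj` must be would be better than no section at all.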
@@ -3902,7 +3899,7 @@ PyDoc_STRVAR(SSL_get_ssl_version_from_major_minor_doc,
:Parameters:\n\
major : int\n\
The major version number.\n\
- mainor : int\n\
+ minor : int\n\
The minor version number.\n\
repr_kind : RepresentationKind constant\n\
Specifies what format the return value will be in.\n\
@@ -4177,7 +4174,7 @@ PyDoc_STRVAR(SSL_get_cipher_suite_info_doc,
suite : int\n\
a cipher suite enumerated constant\n\
\n\
-Returns a `SSLCipherSuiteInfo object`.\n\
+Returns a `ssl.SSLCipherSuiteInfo`.\n\
");
static PyObject *
commit f9ecf9c3855a5f2b32ca1f1cb02b31a749cb3ed3
Author: John Dennis
Date: Mon Oct 27 10:03:47 2014 -0400
Added tag PYNSS_RELEASE_0_16_0 for changeset e07c4d352c1d
diff --git a/.hgtags b/.hgtags
index 7f6f84c..b209bbe 100644
--- a/.hgtags
+++ b/.hgtags
@@ -18,3 +18,5 @@ f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1
288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
+58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
+e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0
commit e1e4f1a74f5cc4d234e992290f52fe8373ffd25a
Author: John Dennis
Date: Mon Oct 27 10:02:59 2014 -0400
Added tag PYNSS_RELEASE_0_16_0 for changeset 58faa8ba467a
diff --git a/.hgtags b/.hgtags
index 17e02d6..7f6f84c 100644
--- a/.hgtags
+++ b/.hgtags
@@ -16,3 +16,5 @@ e9302e97739fc677b660d6324efadea8294131ea PYNSS_RELEASE_0_14_1
f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1
73d6871d2b0770fa7f00e691c85f314bc0849309 PYNSS_RELEASE_0_15_0
288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
+288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
+58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
commit d11afcac6fa541ae2e629d70ad5e71d8dcef682c
Author: John Dennis
Date: Mon Oct 27 10:02:19 2014 -0400
Add SSLCipherSuiteInfo, SSLChannelInfo classes.
Add SSLSocket.connection_info*
diff --git a/doc/ChangeLog b/doc/ChangeLog
index c03df82..dcf5260 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,20 +1,49 @@
2014-10-21 John Dennis 0.16.0
The primary enhancements in this version is adding support for the
- setting trust attributes on a Certificate and the SSL version range API.
+ setting trust attributes on a Certificate, the SSL version range API,
+ information on the SSL cipher suites and information on the SSL connection.
* The following module functions were added:
- - get_default_ssl_version_range
- - get_supported_ssl_version_range
- - set_default_ssl_version_range
- - ssl_library_version_from_name
- - ssl_library_version_name
+
+ - ssl.get_ssl_version_from_major_minor
+ - ssl.get_default_ssl_version_range
+ - ssl.get_supported_ssl_version_range
+ - ssl.set_default_ssl_version_range
+ - ssl.ssl_library_version_from_name
+ - ssl.ssl_library_version_name
+ - ssl.get_cipher_suite_info
+ - ssl.ssl_cipher_suite_name
+ - ssl.ssl_cipher_suite_from_name
+
+ * The following deprecated module functions were removed:
+
+ - ssl.nssinit
+ - ssl.nss_ini
+ - ssl.nss_shutdown
+
+ * The following classes were added:
+
+ - SSLCipherSuiteInfo
+ - SSLChannelInfo
* The following class methods were added:
- Certificate.trust_flags
- Certificate.set_trust_attributes
+
- SSLSocket.set_ssl_version_range
- SSLSocket.get_ssl_version_range
+ - SSLSocket.get_ssl_channel_info
+ - SSLSocket.get_negotiated_host
+ - SSLSocket.connection_info_format_lines
+ - SSLSocket.connection_info_format
+ - SSLSocket.connection_info_str
+
+ - SSLCipherSuiteInfo.format_lines
+ - SSLCipherSuiteInfo.format
+
+ - SSLChannelInfo.format_lines
+ - SSLChannelInfo.format
* The following class properties were added:
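Review bot: `- ssl.nss_ini` in the removed-functions list is a typo for `ssl.nss_init` (the src/__init__.py hunk in commit 8f6b727 removes the `ssl.nss_init()` deprecation note, confirming the real name). While editing, the opening sentence reads "The primary enhancements in this version is", which should be "are".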
@@ -22,6 +51,42 @@
- Certificate.email_trust_flags
- Certificate.signing_trust_flags
+ - SSLCipherSuiteInfo.cipher_suite
+ - SSLCipherSuiteInfo.cipher_suite_name
+ - SSLCipherSuiteInfo.auth_algorithm
+ - SSLCipherSuiteInfo.auth_algorithm_name
+ - SSLCipherSuiteInfo.kea_type
+ - SSLCipherSuiteInfo.kea_type_name
+ - SSLCipherSuiteInfo.symmetric_cipher
+ - SSLCipherSuiteInfo.symmetric_cipher_name
+ - SSLCipherSuiteInfo.symmetric_key_bits
+ - SSLCipherSuiteInfo.symmetric_key_space
+ - SSLCipherSuiteInfo.effective_key_bits
+ - SSLCipherSuiteInfo.mac_algorithm
+ - SSLCipherSuiteInfo.mac_algorithm_name
+ - SSLCipherSuiteInfo.mac_bits
+ - SSLCipherSuiteInfo.is_fips
+ - SSLCipherSuiteInfo.is_exportable
+ - SSLCipherSuiteInfo.is_nonstandard
+
+ - SSLChannelInfo.protocol_version
+ - SSLChannelInfo.protocol_version_str
+ - SSLChannelInfo.protocol_version_enum
+ - SSLChannelInfo.major_protocol_version
+ - SSLChannelInfo.minor_protocol_version
+ - SSLChannelInfo.cipher_suite
+ - SSLChannelInfo.auth_key_bits
+ - SSLChannelInfo.kea_key_bits
+ - SSLChannelInfo.creation_time
+ - SSLChannelInfo.creation_time_utc
+ - SSLChannelInfo.last_access_time
+ - SSLChannelInfo.last_access_time_utc
+ - SSLChannelInfo.expiration_time
+ - SSLChannelInfo.expiration_time_utc
+ - SSLChannelInfo.compression_method
+ - SSLChannelInfo.compression_method_name
+ - SSLChannelInfo.session_id
+
* The following files were added:
- doc/examples/cert_trust.py
@@ -131,6 +196,7 @@
- ssl.tls1.3
* The following methods were missing thread locks, this has been fixed.
+
- nss.nss_initialize
- nss.nss_init_context
- nss.nss_shutdown_context
diff --git a/doc/examples/ssl_example.py b/doc/examples/ssl_example.py
index 74b83d7..e5084bb 100755
--- a/doc/examples/ssl_example.py
+++ b/doc/examples/ssl_example.py
@@ -40,7 +40,13 @@ def password_callback(slot, retry, password):
return getpass.getpass("Enter password: ");
def handshake_callback(sock):
- print "handshake complete, peer = %s" % (sock.get_peer_name())
+ print "-- handshake complete --"
+ print "peer: %s" % (sock.get_peer_name())
+ print "negotiated host: %s" % (sock.get_negotiated_host())
+ print
+ print sock.connection_info_str()
+ print "-- handshake complete --"
+ print
def auth_certificate_callback(sock, check_sig, is_server, certdb):
print "auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server)
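Review bot: handshake_callback now prints the identical banner `-- handshake complete --` both before and after the connection info, so in a log the end of one block cannot be told from the start of the next handshake's block; use a distinct closing line (for example `-- end connection info --`) or drop the second banner. The same block is pasted into verify_server.py later in this commit, so fix both copies together.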
@@ -382,6 +388,12 @@ parser.add_argument('--request-cert-once', dest='client_cert_action',
parser.add_argument('--request-cert-always', dest='client_cert_action',
action='store_const', const=REQUEST_CLIENT_CERT_ALWAYS)
+parser.add_argument('--min-ssl-version',
+ help='minimum SSL version')
+
+parser.add_argument('--max-ssl-version',
+ help='minimum SSL version')
+
parser.set_defaults(client = False,
server = False,
db_name = 'sql:pki',
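Review bot: the help text for `--max-ssl-version` is a copy-paste of the `--min-ssl-version` entry: `help='minimum SSL version'` should be `help='maximum SSL version'`. Since both options take free-form strings that are later handed to `ssl.set_default_ssl_version_range`, also state the expected value format (the version names that `ssl.ssl_library_version_from_name` accepts) in the help strings.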
@@ -413,7 +425,34 @@ else:
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
-# Run as a client or as a server
+min_ssl_version, max_ssl_version = \
+ ssl.get_supported_ssl_version_range(repr_kind=nss.AsString)
+print "Supported SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
+min_ssl_version, max_ssl_version = \
+ ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+print "Default SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
+if options.min_ssl_version is not None or \
+ options.max_ssl_version is not None:
+
+ if options.min_ssl_version is not None:
+ min_ssl_version = options.min_ssl_version
+ if options.max_ssl_version is not None:
+ max_ssl_version = options.max_ssl_version
+
+ print "Setting default SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+ ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version)
+
+ min_ssl_version, max_ssl_version = \
+ ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+ print "Default SSL version range now: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
+# Run as a client or as a serveri
if options.client:
print "starting as client"
Client()
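Review bot: typo in the re-added comment: `# Run as a client or as a serveri` should be `# Run as a client or as a server` (the removed line was correct). More importantly, the user-supplied values are passed straight to `ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version)` with no check that the names are valid or that min is not above max, and unlike the equivalent code in verify_server.py this call is not inside the `try:` block, so a bad `--min-ssl-version` value surfaces as a raw traceback; wrap it the same way verify_server.py does, or validate the names with `ssl.ssl_library_version_from_name` first and print a friendly error.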
diff --git a/doc/examples/ssl_version_range.py b/doc/examples/ssl_version_range.py
index 11fe85e..c784a99 100644
--- a/doc/examples/ssl_version_range.py
+++ b/doc/examples/ssl_version_range.py
@@ -118,3 +118,5 @@ for name in names:
enum = ssl.ssl_library_version_from_name(name)
enum_name = ssl.ssl_library_version_name(enum, nss.AsString)
print "name='%s' -> %s (%#06x)" % (name, enum_name, enum)
+
+
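Review bot: this hunk only appends two blank lines at the end of ssl_version_range.py; it is whitespace noise (and a trailing-blank-lines-at-EOF lint hit) and should be dropped from the commit.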
diff --git a/doc/examples/verify_server.py b/doc/examples/verify_server.py
index e58c21e..3318ed7 100755
--- a/doc/examples/verify_server.py
+++ b/doc/examples/verify_server.py
@@ -27,7 +27,13 @@ GET /index.html HTTP/1.0
# -----------------------------------------------------------------------------
def handshake_callback(sock):
- print "handshake complete, peer = %s" % (sock.get_peer_name())
+ print "-- handshake complete --"
+ print "peer: %s" % (sock.get_peer_name())
+ print "negotiated host: %s" % (sock.get_negotiated_host())
+ print
+ print sock.connection_info_str()
+ print "-- handshake complete --"
+ print
def auth_certificate_callback(sock, check_sig, is_server, certdb):
print "auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server)
@@ -170,14 +176,48 @@ parser.set_defaults(db_name = 'sql:pki',
port = 443,
)
+parser.add_argument('--min-ssl-version',
+ help='minimum SSL version')
+
+parser.add_argument('--max-ssl-version',
+ help='minimum SSL version')
+
options = parser.parse_args()
# Perform basic configuration and setup
try:
nss.nss_init(options.db_name)
ssl.set_domestic_policy()
+
+ min_ssl_version, max_ssl_version = \
+ ssl.get_supported_ssl_version_range(repr_kind=nss.AsString)
+ print "Supported SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
+ min_ssl_version, max_ssl_version = \
+ ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+ print "Default SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
+ if options.min_ssl_version is not None or \
+ options.max_ssl_version is not None:
+
+ if options.min_ssl_version is not None:
+ min_ssl_version = options.min_ssl_version
+ if options.max_ssl_version is not None:
+ max_ssl_version = options.max_ssl_version
+
+ print "Setting default SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+ ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version)
+
+ min_ssl_version, max_ssl_version = \
+ ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+ print "Default SSL version range now: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
except Exception, e:
- print >>sys.stderr, e.strerror
+ print >>sys.stderr, str(e)
sys.exit(1)
client()
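Review bot: the same copy-paste help text appears here: `help='minimum SSL version'` on `--max-ssl-version` should say maximum. The change from `e.strerror` to `str(e)` in the except clause is the right fix, since the exceptions raised by the version-range calls that were moved inside this `try:` are not guaranteed to carry a `strerror` attribute; putting the `set_default_ssl_version_range` call inside the `try:` here is the pattern ssl_example.py should follow as well.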
diff --git a/src/SECerrs.h b/src/SECerrs.h
index 04d0c11..8b6b36f 100644
--- a/src/SECerrs.h
+++ b/src/SECerrs.h
@@ -115,7 +115,7 @@ ER3(SEC_ERROR_EXTENSION_NOT_FOUND, (SEC_ERROR_BASE + 35),
ER3(SEC_ERROR_CA_CERT_INVALID, (SEC_ERROR_BASE + 36),
"Issuer certificate is invalid.")
-
+
ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, (SEC_ERROR_BASE + 37),
"Certificate path length constraint is invalid.")
@@ -343,7 +343,7 @@ ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, (SEC_ERROR_BASE + 109),
ER3(SEC_ERROR_OLD_KRL, (SEC_ERROR_BASE + 110),
"New KRL is not later than the current one.")
-
+
ER3(SEC_ERROR_CKL_CONFLICT, (SEC_ERROR_BASE + 111),
"New CKL has different issuer than current CKL. Delete current CKL.")
@@ -515,9 +515,6 @@ ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION, (SEC_ERROR_BASE + 165),
ER3(SEC_ERROR_LIBPKIX_INTERNAL, (SEC_ERROR_BASE + 166),
"Libpkix internal error occurred during cert validation.")
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13)
-
-
ER3(SEC_ERROR_PKCS11_GENERAL_ERROR, (SEC_ERROR_BASE + 167),
"A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
@@ -545,10 +542,6 @@ ER3(SEC_ERROR_UNKNOWN_PKCS11_ERROR, (SEC_ERROR_BASE + 174),
ER3(SEC_ERROR_BAD_CRL_DP_URL, (SEC_ERROR_BASE + 175),
"Invalid or unsupported URL in CRL distribution point name.")
-#endif
-
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
-
ER3(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, (SEC_ERROR_BASE + 176),
"The certificate was signed using a signature algorithm that is disabled because it is not secure.")
@@ -558,4 +551,3 @@ ER3(SEC_ERROR_LEGACY_DATABASE, (SEC_ERROR_BASE + 177),
ER3(SEC_ERROR_APPLICATION_CALLBACK_ERROR, (SEC_ERROR_BASE + 178),
"The certificate was rejected by extra checks in the application.")
-#endif
diff --git a/src/SSLerrs.h b/src/SSLerrs.h
index 7e05af2..174037b 100644
--- a/src/SSLerrs.h
+++ b/src/SSLerrs.h
@@ -359,8 +359,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109),
ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110),
"SSL received a malformed New Session Ticket handshake message.")
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13)
-
ER3(SSL_ERROR_DECOMPRESSION_FAILURE, (SSL_ERROR_BASE + 111),
"SSL received a compressed record that could not be decompressed.")
@@ -376,10 +374,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD, (SSL_ERROR_BASE + 114),
ER3(SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY, (SSL_ERROR_BASE + 115),
"SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.")
-#endif
-
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
-
ER3(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, (SSL_ERROR_BASE + 116),
"SSL received invalid NPN extension data.")
@@ -407,11 +401,24 @@ ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST, (SSL_ERROR_BASE + 123),
ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, (SSL_ERROR_BASE + 124),
"SSL feature not supported for the protocol version.")
-#endif
-
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 15)
-
ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, (SSL_ERROR_BASE + 125),
"SSL received an unexpected Certificate Status handshake message.")
-#endif
+ER3(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, (SSL_ERROR_BASE + 126),
+"Unsupported hash algorithm used by TLS peer.")
+
+ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR_BASE + 127),
+"Digest function failed.")
+
+ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128),
+"Incorrect signature algorithm specified in a digitally-signed element.")
+
+ER3(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK, (SSL_ERROR_BASE + 129),
+"The next protocol negotiation extension was enabled, but the callback was cleared prior to being needed.")
+
+ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE + 130),
+"The server supports no protocols that the client advertises in the ALPN extension.")
+
+ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 131),
+"The server rejected the handshake because the client downgraded to a lower "
+"TLS version than the server supports.")
diff --git a/src/py_nspr_common.h b/src/py_nspr_common.h
index b576d15..d123139 100644
--- a/src/py_nspr_common.h
+++ b/src/py_nspr_common.h
@@ -4,6 +4,8 @@
//#define DEBUG
+typedef PyObject *(*format_lines_func)(PyObject *self, PyObject *args, PyObject *kwds);
+
typedef enum RepresentationKindEnum {
AsObject,
AsString,
@@ -50,6 +52,107 @@ do { \
} while (0)
+/******************************************************************************/
+
+#define OCTETS_PER_LINE_DEFAULT 16
+#define HEX_SEPARATOR_DEFAULT ":"
+
+#define FMT_OBJ_AND_APPEND(dst_fmt_tuples, label, src_obj, level, fail) \
+{ \
+ PyObject *fmt_tuple = NULL; \
+ \
+ if ((fmt_tuple = line_fmt_tuple(level, label, src_obj)) == NULL) { \
+ goto fail; \
+ } \
+ if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \
+ Py_DECREF(fmt_tuple); \
+ goto fail; \
+ } \
+}
+
+#define FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail) \
+{ \
+ PyObject *fmt_tuple = NULL; \
+ \
+ if ((fmt_tuple = fmt_label(level, label)) == NULL) { \
+ goto fail; \
+ } \
+ if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \
+ Py_DECREF(fmt_tuple); \
+ goto fail; \
+ } \
+}
+
+#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \
+{ \
+ PyObject *src_obj; \
+ Py_ssize_t len, i; \
+ if (src_fmt_tuples) { \
+ len = PyList_Size(src_fmt_tuples); \
+ for (i = 0; i < len; i++) { \
+ src_obj = PyList_GetItem(src_fmt_tuples, i); \
+ PyList_Append(dst_fmt_tuples, src_obj); \
+ } \
+ Py_CLEAR(src_fmt_tuples); \
+ } \
+}
+
+#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail) \
+{ \
+ PyObject *src_obj; \
+ Py_ssize_t len, i; \
+ if (src_lines) { \
+ len = PySequence_Size(src_lines); \
+ for (i = 0; i < len; i++) { \
+ src_obj = PySequence_GetItem(src_lines, i); \
+ FMT_OBJ_AND_APPEND(dst_fmt_tuples, NULL, src_obj, level, fail); \
+ Py_DECREF(src_obj); \
+ } \
+ Py_CLEAR(src_lines); \
+ } \
+}
+
+#define CALL_FORMAT_LINES_AND_APPEND(dst_fmt_tuples, obj, level, fail) \
+{ \
+ PyObject *obj_line_fmt_tuples; \
+ \
+ if ((obj_line_fmt_tuples = \
+ PyObject_CallMethod(obj, "format_lines", \
+ "(i)", level)) == NULL) { \
+ goto fail; \
+ } \
+ \
+ APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_line_fmt_tuples, fail); \
+}
+
+
+#define APPEND_OBJ_TO_HEX_LINES_AND_CLEAR(dst_fmt_tuples, obj, level, fail) \
+{ \
+ PyObject *obj_lines; \
+ \
+ if ((obj_lines = obj_to_hex(obj, OCTETS_PER_LINE_DEFAULT, \
+ HEX_SEPARATOR_DEFAULT)) == NULL) { \
+ goto fail; \
+ } \
+ Py_CLEAR(obj); \
+ APPEND_LINES_AND_CLEAR(dst_fmt_tuples, obj_lines, level, fail); \
+}
+
+#define FMT_SEC_INT_OBJ_APPEND_AND_CLEAR(dst_fmt_tuples, label, obj, level, fail) \
+{ \
+ PyObject *obj_lines = NULL; \
+ SecItem *item = (SecItem *)obj; \
+ \
+ FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail); \
+ if ((obj_lines = secitem_integer_format_lines(&item->item, level+1)) == NULL) { \
+ goto fail; \
+ } \
+ Py_CLEAR(obj); \
+ APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_lines, fail); \
+}
+
+/******************************************************************************/
+
// Gettext
#ifndef _
#define _(s) s
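Review bot: since these macros are now shared by every translation unit that includes py_nspr_common.h, the defects they carry over from py_nss.c should be fixed in the move. APPEND_LINE_TUPLES_AND_CLEAR ignores the return value of `PyList_Append(dst_fmt_tuples, src_obj)` and never uses its `fail` parameter, so an allocation failure is silently dropped. APPEND_LINES_AND_CLEAR does not check `PySequence_GetItem` for NULL before passing `src_obj` to FMT_OBJ_AND_APPEND, and when that macro jumps to `fail` the `Py_DECREF(src_obj)` is skipped, leaking the item. FMT_SEC_INT_OBJ_APPEND_AND_CLEAR calls `secitem_integer_format_lines`, which is not among the functions added to the exported PyNSPR_NSS_C_API_Type table in this patch, so any module other than py_nss.c that expands that macro will fail to link; either export it or keep that macro private to py_nss.c.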
diff --git a/src/py_nss.c b/src/py_nss.c
index 95d3958..a34fae3 100644
--- a/src/py_nss.c
+++ b/src/py_nss.c
@@ -355,10 +355,12 @@ NewType_new_from_NSSType(NSSType *id)
#define PY_SSIZE_T_CLEAN
#include "Python.h"
#include "structmember.h"
+#include "datetime.h"
#include "py_nspr_common.h"
#define NSS_NSS_MODULE
#include "py_nss.h"
+#include "py_shared_doc.h"
#include "py_nspr_error.h"
#include "secder.h"
@@ -379,8 +381,6 @@ NewType_new_from_NSSType(NSSType *id)
#define MAX_AVAS 10
#define MAX_RDNS 10
-#define OCTETS_PER_LINE_DEFAULT 16
-#define HEX_SEPARATOR_DEFAULT ":"
#ifdef DEBUG
#include "py_traceback.h"
@@ -534,8 +534,6 @@ PyString_UTF8(PyObject *obj, char *name);
/* ========================================================================== */
-typedef PyObject *(*format_lines_func)(PyObject *self, PyObject *args, PyObject *kwds);
-
static PyObject *
line_fmt_tuple(int level, const char *label, PyObject *py_value);
@@ -554,140 +552,6 @@ format_from_lines(format_lines_func formatter, PyObject *self, PyObject *args, P
static PyObject *
py_indented_format(PyObject *self, PyObject *args, PyObject *kwds);
-#define FMT_OBJ_AND_APPEND(dst_fmt_tuples, label, src_obj, level, fail) \
-{ \
- PyObject *fmt_tuple = NULL; \
- \
- if ((fmt_tuple = line_fmt_tuple(level, label, src_obj)) == NULL) { \
- goto fail; \
- } \
- if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \
- Py_DECREF(fmt_tuple); \
- goto fail; \
- } \
-}
-
-#define FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail) \
-{ \
- PyObject *fmt_tuple = NULL; \
- \
- if ((fmt_tuple = fmt_label(level, label)) == NULL) { \
- goto fail; \
- } \
- if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \
- Py_DECREF(fmt_tuple); \
- goto fail; \
- } \
-}
-
-#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \
-{ \
- PyObject *src_obj; \
- Py_ssize_t len, i; \
- if (src_fmt_tuples) { \
- len = PyList_Size(src_fmt_tuples); \
- for (i = 0; i < len; i++) { \
- src_obj = PyList_GetItem(src_fmt_tuples, i); \
- PyList_Append(dst_fmt_tuples, src_obj); \
- } \
- Py_CLEAR(src_fmt_tuples); \
- } \
-}
-
-#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail) \
-{ \
- PyObject *src_obj; \
- Py_ssize_t len, i; \
- if (src_lines) { \
- len = PySequence_Size(src_lines); \
- for (i = 0; i < len; i++) { \
- src_obj = PySequence_GetItem(src_lines, i); \
- FMT_OBJ_AND_APPEND(dst_fmt_tuples, NULL, src_obj, level, fail); \
- Py_DECREF(src_obj); \
- } \
- Py_CLEAR(src_lines); \
- } \
-}
-
-#define CALL_FORMAT_LINES_AND_APPEND(dst_fmt_tuples, obj, level, fail) \
-{ \
- PyObject *obj_line_fmt_tuples; \
- \
- if ((obj_line_fmt_tuples = \
- PyObject_CallMethod(obj, "format_lines", \
- "(i)", level)) == NULL) { \
- goto fail; \
- } \
- \
- APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_line_fmt_tuples, fail); \
-}
-
-
-#define APPEND_OBJ_TO_HEX_LINES_AND_CLEAR(dst_fmt_tuples, obj, level, fail) \
-{ \
- PyObject *obj_lines; \
- \
- if ((obj_lines = obj_to_hex(obj, OCTETS_PER_LINE_DEFAULT, \
- HEX_SEPARATOR_DEFAULT)) == NULL) { \
- goto fail; \
- } \
- Py_CLEAR(obj); \
- APPEND_LINES_AND_CLEAR(dst_fmt_tuples, obj_lines, level, fail); \
-}
-
-#define FMT_SEC_INT_OBJ_APPEND_AND_CLEAR(dst_fmt_tuples, label, obj, level, fail) \
-{ \
- PyObject *obj_lines = NULL; \
- SecItem *item = (SecItem *)obj; \
- \
- FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail); \
- if ((obj_lines = secitem_integer_format_lines(&item->item, level+1)) == NULL) { \
- goto fail; \
- } \
- Py_CLEAR(obj); \
- APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_lines, fail); \
-}
-
-PyDoc_STRVAR(generic_format_doc,
-"format(level=0, indent=' ') -> string)\n\
-\n\
-:Parameters:\n\
- level : integer\n\
- Initial indentation level, all subsequent indents are relative\n\
- to this starting level.\n\
- indent : string\n\
- string replicated once for each indent level then prepended to output line\n\
-\n\
-This is equivalent to:\n\
-indented_format(obj.format_lines()) on an object providing a format_lines() method.\n\
-");
-
-PyDoc_STRVAR(generic_format_lines_doc,
-"format_lines(level=0) -> [(level, string),...]\n\
-\n\
-:Parameters:\n\
- level : integer\n\
- Initial indentation level, all subsequent indents are relative\n\
- to this starting level.\n\
-\n\
-Formats the object into a sequence of lines with indent level\n\
-information. The return value is a list where each list item is a\n\
-tuple. The first item in the tuple is an integer\n\
-representing the indentation level for that line. Any remaining items\n\
-in the tuple are strings to be output on that line.\n\
-\n\
-The output of this function can be formatted into a single string by\n\
-calling `indented_format()`, e.g.:\n\
-\n\
- print indented_format(obj.format_lines())\n\
-\n\
-The reason this function returns a tuple as opposed to an single\n\
-indented string is to support other text formatting systems such as\n\
-GUI's with indentation controls. See `indented_format()` for a\n\
-complete explanation.\n\
-");
-
-
/* Steals reference to obj_str */
static PyObject *
line_fmt_tuple(int level, const char *label, PyObject *py_value)
@@ -1794,6 +1658,9 @@ CERTCertExtensions_from_CERTAttribute(PRArenaPool *arena,
static SECStatus
My_CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req, CERTCertExtension ***exts);
+static PyObject *
+timestamp_to_DateTime(time_t timestamp, bool utc);
+
/* ==================================== */
typedef struct BitStringTableStr {
@@ -1844,6 +1711,23 @@ static BitStringTable CertTypeDef[] = {
BITSTRING_TBL_INIT(NS_CERT_TYPE_OBJECT_SIGNING_CA, _("Object Signing CA") ), /* bit 7 */
};
+static PyObject *
+timestamp_to_DateTime(time_t timestamp, bool utc)
+{
+ double d_timestamp = timestamp;
+ PyObject *py_datetime = NULL;
+ char *method;
+
+ method = utc ? "utcfromtimestamp" : "fromtimestamp";
+ if ((py_datetime =
+ PyObject_CallMethod((PyObject *)PyDateTimeAPI->DateTimeType,
+ method, "(d)", d_timestamp)) == NULL) {
+ return NULL;
+ }
+
+ return py_datetime;
+}
+
/* returns new reference or NULL on error */
PyObject *
PyString_UTF8(PyObject *obj, char *name)
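Review bot: `utcfromtimestamp` and `fromtimestamp` both return naive datetime objects, so the `_utc` variants of the SSLChannelInfo time properties (creation_time_utc, last_access_time_utc, expiration_time_utc) carry no tzinfo and are indistinguishable by type from the local-time ones; say so in the property docstrings, or attach a UTC tzinfo so callers cannot mix the two by accident. Also check that `<stdbool.h>` is included before the first use of `bool` here and in the py_nss.h prototype, and note that this function dereferences PyDateTimeAPI, so it is only valid after the `PyDateTime_IMPORT` added to initnss() has run.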
@@ -5209,6 +5093,8 @@ SecItem_str(SecItem *self)
break;
case SECITEM_algorithm:
return oid_secitem_to_pystr_desc(&self->item);
+ case SECITEM_buffer:
+ return secitem_to_pystr_hex(&self->item);
default:
return der_any_secitem_to_pystr(&self->item);
break;
@@ -23973,6 +23859,13 @@ static PyNSPR_NSS_C_API_Type nspr_nss_c_api =
cert_distnames_as_CERTDistNames,
_AddIntConstantWithLookup,
_AddIntConstantAlias,
+ format_from_lines,
+ line_fmt_tuple,
+ obj_sprintf,
+ obj_to_hex,
+ raw_data_to_hex,
+ fmt_label,
+ timestamp_to_DateTime
};
/* ============================== Module Construction ============================= */
@@ -23991,6 +23884,8 @@ initnss(void)
return;
}
+ PyDateTime_IMPORT;
+
if ((m = Py_InitModule3("nss.nss", module_methods, module_doc)) == NULL) {
return;
}
diff --git a/src/py_nss.h b/src/py_nss.h
index c9661e2..1fb858a 100644
--- a/src/py_nss.h
+++ b/src/py_nss.h
@@ -414,6 +414,18 @@ typedef struct {
PyObject *value_to_name);
int (*_AddIntConstantAlias)(const char *name, long value,
PyObject *name_to_value);
+ PyObject *(*format_from_lines)(format_lines_func formatter, PyObject *self,
+ PyObject *args, PyObject *kwds);
+ PyObject *(*line_fmt_tuple)(int level, const char *label,
+ PyObject *py_value);
+ PyObject *(*obj_sprintf)(const char *fmt, ...);
+ PyObject *(*obj_to_hex)(PyObject *obj,
+ int octets_per_line, char *separator);
+ PyObject *(*raw_data_to_hex)(unsigned char *data, int data_len,
+ int octets_per_line, char *separator);
+ PyObject *(*fmt_label)(int level, char *label);
+ PyObject *(*timestamp_to_DateTime)(time_t timestamp, bool utc);
+
} PyNSPR_NSS_C_API_Type;
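Review bot: the seven new function pointers are appended in the same order as in the `nspr_nss_c_api` initializer in py_nss.c, which keeps the existing prefix of the table ABI-compatible for consumers built against the old header; add a comment on the struct that new members must only ever be appended, since a reordering in one file would silently mismatch the other. Because the prototypes now use `format_lines_func`, `time_t` and `bool`, py_nss.h depends on py_nspr_common.h, `<time.h>` and `<stdbool.h>` being included first; include them from this header rather than relying on include order.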
@@ -452,6 +464,13 @@ static PyNSPR_NSS_C_API_Type nspr_nss_c_api;
#define cert_distnames_as_CERTDistNames (*nspr_nss_c_api.cert_distnames_as_CERTDistNames)
#define _AddIntConstantWithLookup (*nspr_nss_c_api._AddIntConstantWithLookup)
#define _AddIntConstantAlias (*nspr_nss_c_api._AddIntConstantAlias)
+#define format_from_lines (*nspr_nss_c_api.format_from_lines)
+#define line_fmt_tuple (*nspr_nss_c_api.line_fmt_tuple)
+#define obj_sprintf (*nspr_nss_c_api.obj_sprintf)
+#define obj_to_hex (*nspr_nss_c_api.obj_to_hex)
+#define raw_data_to_hex (*nspr_nss_c_api.raw_data_to_hex)
+#define fmt_label (*nspr_nss_c_api.fmt_label)
+#define timestamp_to_DateTime (*nspr_nss_c_api.timestamp_to_DateTime)
static int
import_nspr_nss_c_api(void)
diff --git a/src/py_shared_doc.h b/src/py_shared_doc.h
new file mode 100644
index 0000000..9a57279
--- /dev/null
+++ b/src/py_shared_doc.h
@@ -0,0 +1,43 @@
+#ifndef PY_SHARED_DOC_H
+#define PY_SHARED_DOC_H
+
+PyDoc_STRVAR(generic_format_doc,
+"format(level=0, indent=' ') -> string)\n\
+\n\
+:Parameters:\n\
+ level : integer\n\
+ Initial indentation level, all subsequent indents are relative\n\
+ to this starting level.\n\
+ indent : string\n\
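Review bot: PyDoc_STRVAR expands to a static char array, so every translation unit that includes py_shared_doc.h gets its own copy of generic_format_doc and generic_format_lines_doc, and a TU that does not use both gets unused-variable warnings (errors under -Werror). Prefer `extern` declarations here with a single definition in py_nss.c. The header also uses PyDoc_STRVAR without including Python.h, so it relies on include order; a comment or an explicit include would avoid surprises. Minor: `format(level=0, indent=' ') -> string)` has an unbalanced closing parenthesis.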
From tjaalton at moszumanska.debian.org Sun Aug 16 18:33:41 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Sun, 16 Aug 2015 18:33:41 +0000
Subject: [Pkg-freeipa-devel] python-nss: Changes to 'upstream'
Message-ID:
.hgtags | 8
MANIFEST | 3
doc/ChangeLog | 203 +++
doc/examples/cert_trust.py | 165 ++
doc/examples/ssl_example.py | 43
doc/examples/ssl_version_range.py | 122 +
doc/examples/verify_server.py | 44
setup.py | 2
src/SECerrs.h | 12
src/SSLerrs.h | 29
src/__init__.py | 14
src/py_nspr_common.h | 153 ++
src/py_nss.c | 486 +++++--
src/py_nss.h | 44
src/py_shared_doc.h | 43
src/py_ssl.c | 2359 ++++++++++++++++++++++++++++++++++----
src/py_ssl.h | 25
test/test_client_server.py | 9
18 files changed, 3316 insertions(+), 448 deletions(-)
New commits:
commit 841f576de6afae22380b505af33135dafd0c50ae
Author: John Dennis
Date: Tue Oct 28 14:50:39 2014 -0400
add py_shared_doc.h to MANIFEST
diff --git a/MANIFEST b/MANIFEST
index 297bb58..5f1d623 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -34,6 +34,7 @@ src/py_nspr_io.c
src/py_nspr_io.h
src/py_nss.c
src/py_nss.h
+src/py_shared_doc.h
src/py_ssl.c
src/py_ssl.h
src/py_traceback.h
commit 564ec92dbeac04a5475ed5a415e7f7e1c1635c84
Author: John Dennis
Date: Mon Oct 27 11:19:14 2014 -0400
Added tag PYNSS_RELEASE_0_16_0 for changeset 07759f773c0b
diff --git a/.hgtags b/.hgtags
index b209bbe..3ee56fd 100644
--- a/.hgtags
+++ b/.hgtags
@@ -20,3 +20,5 @@ f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1
58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0
+e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0
+07759f773c0b643e0543ed3cf8168cd2937966dd PYNSS_RELEASE_0_16_0
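Review bot: this is the third commit in the push that moves the PYNSS_RELEASE_0_16_0 tag to a new changeset (58faa8ba, then e07c4d35, now 07759f77). A release tag that keeps changing target after it has been pushed makes builds and package sources checked out by tag non-reproducible; once a tag has been published, fixes should go into a new point release rather than re-tagging.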
commit 8f6b727f4cd5ba50b95800cd9520d181e95a852c
Author: John Dennis
Date: Mon Oct 27 11:19:00 2014 -0400
Fix doc typos
diff --git a/src/__init__.py b/src/__init__.py
index 42c2534..c1506fb 100644
--- a/src/__init__.py
+++ b/src/__init__.py
@@ -66,18 +66,6 @@ should not be used, they will be removed in a subsequent release.
not respected, port will be value when `HostEntry` object was
created.
-`ssl.nssinit()`
- nssinit has been moved to the nss module, use `nss.nss_init()`
- instead of ssl.nssinit
-
-`ssl.nss_init()`
- nss_init has been moved to the nss module, use `nss.nss_init()`
- instead of ssl.nssinit
-
-`ssl.nss_shutdown()`
- nss_shutdown() has been moved to the nss module, use
- `nss.nss_shutdown()` instead of ssl.nss_shutdown()
-
`io.Socket()` and `ssl.SSLSocket()` without explicit family parameter
Socket initialization will require the family parameter in the future.
The default family parameter of PR_AF_INET is deprecated because
diff --git a/src/py_shared_doc.h b/src/py_shared_doc.h
index 9a57279..79b4b83 100644
--- a/src/py_shared_doc.h
+++ b/src/py_shared_doc.h
@@ -30,13 +30,13 @@ representing the indentation level for that line. Any remaining items\n\
in the tuple are strings to be output on that line.\n\
\n\
The output of this function can be formatted into a single string by\n\
-calling `indented_format()`, e.g.:\n\
+calling `nss.nss.indented_format()`, e.g.:\n\
\n\
print indented_format(obj.format_lines())\n\
\n\
The reason this function returns a tuple as opposed to an single\n\
indented string is to support other text formatting systems such as\n\
-GUI's with indentation controls. See `indented_format()` for a\n\
+GUI's with indentation controls. See `nss.nss.indented_format()` for a\n\
complete explanation.\n\
");
diff --git a/src/py_ssl.c b/src/py_ssl.c
index 3e0dbf6..c345b6c 100644
--- a/src/py_ssl.c
+++ b/src/py_ssl.c
@@ -3107,9 +3107,6 @@ SSLChannelInformation_dealloc(SSLChannelInformation* self)
PyDoc_STRVAR(SSLChannelInformation_doc,
"SSLChannelInformation(obj)\n\
\n\
-:Parameters:\n\
- obj : xxx\n\
-\n\
An object representing SSLChannelInformation.\n\
");
@@ -3902,7 +3899,7 @@ PyDoc_STRVAR(SSL_get_ssl_version_from_major_minor_doc,
:Parameters:\n\
major : int\n\
The major version number.\n\
- mainor : int\n\
+ minor : int\n\
The minor version number.\n\
repr_kind : RepresentationKind constant\n\
Specifies what format the return value will be in.\n\
@@ -4177,7 +4174,7 @@ PyDoc_STRVAR(SSL_get_cipher_suite_info_doc,
suite : int\n\
a cipher suite enumerated constant\n\
\n\
-Returns a `SSLCipherSuiteInfo object`.\n\
+Returns a `ssl.SSLCipherSuiteInfo`.\n\
");
static PyObject *
commit f9ecf9c3855a5f2b32ca1f1cb02b31a749cb3ed3
Author: John Dennis
Date: Mon Oct 27 10:03:47 2014 -0400
Added tag PYNSS_RELEASE_0_16_0 for changeset e07c4d352c1d
diff --git a/.hgtags b/.hgtags
index 7f6f84c..b209bbe 100644
--- a/.hgtags
+++ b/.hgtags
@@ -18,3 +18,5 @@ f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1
288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
+58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
+e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0
commit e1e4f1a74f5cc4d234e992290f52fe8373ffd25a
Author: John Dennis
Date: Mon Oct 27 10:02:59 2014 -0400
Added tag PYNSS_RELEASE_0_16_0 for changeset 58faa8ba467a
diff --git a/.hgtags b/.hgtags
index 17e02d6..7f6f84c 100644
--- a/.hgtags
+++ b/.hgtags
@@ -16,3 +16,5 @@ e9302e97739fc677b660d6324efadea8294131ea PYNSS_RELEASE_0_14_1
f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1
73d6871d2b0770fa7f00e691c85f314bc0849309 PYNSS_RELEASE_0_15_0
288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
+288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
+58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
commit d11afcac6fa541ae2e629d70ad5e71d8dcef682c
Author: John Dennis
Date: Mon Oct 27 10:02:19 2014 -0400
Add SSLCipherSuiteInfo, SSLChannelInfo classes.
Add SSLSocket.connection_info*
diff --git a/doc/ChangeLog b/doc/ChangeLog
index c03df82..dcf5260 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,20 +1,49 @@
2014-10-21 John Dennis 0.16.0
The primary enhancements in this version is adding support for the
- setting trust attributes on a Certificate and the SSL version range API.
+ setting trust attributes on a Certificate, the SSL version range API,
+ information on the SSL cipher suites and information on the SSL connection.
* The following module functions were added:
- - get_default_ssl_version_range
- - get_supported_ssl_version_range
- - set_default_ssl_version_range
- - ssl_library_version_from_name
- - ssl_library_version_name
+
+ - ssl.get_ssl_version_from_major_minor
+ - ssl.get_default_ssl_version_range
+ - ssl.get_supported_ssl_version_range
+ - ssl.set_default_ssl_version_range
+ - ssl.ssl_library_version_from_name
+ - ssl.ssl_library_version_name
+ - ssl.get_cipher_suite_info
+ - ssl.ssl_cipher_suite_name
+ - ssl.ssl_cipher_suite_from_name
+
+ * The following deprecated module functions were removed:
+
+ - ssl.nssinit
+ - ssl.nss_ini
+ - ssl.nss_shutdown
+
+ * The following classes were added:
+
+ - SSLCipherSuiteInfo
+ - SSLChannelInfo
* The following class methods were added:
- Certificate.trust_flags
- Certificate.set_trust_attributes
+
- SSLSocket.set_ssl_version_range
- SSLSocket.get_ssl_version_range
+ - SSLSocket.get_ssl_channel_info
+ - SSLSocket.get_negotiated_host
+ - SSLSocket.connection_info_format_lines
+ - SSLSocket.connection_info_format
+ - SSLSocket.connection_info_str
+
+ - SSLCipherSuiteInfo.format_lines
+ - SSLCipherSuiteInfo.format
+
+ - SSLChannelInfo.format_lines
+ - SSLChannelInfo.format
* The following class properties were added:
@@ -22,6 +51,42 @@
- Certificate.email_trust_flags
- Certificate.signing_trust_flags
+ - SSLCipherSuiteInfo.cipher_suite
+ - SSLCipherSuiteInfo.cipher_suite_name
+ - SSLCipherSuiteInfo.auth_algorithm
+ - SSLCipherSuiteInfo.auth_algorithm_name
+ - SSLCipherSuiteInfo.kea_type
+ - SSLCipherSuiteInfo.kea_type_name
+ - SSLCipherSuiteInfo.symmetric_cipher
+ - SSLCipherSuiteInfo.symmetric_cipher_name
+ - SSLCipherSuiteInfo.symmetric_key_bits
+ - SSLCipherSuiteInfo.symmetric_key_space
+ - SSLCipherSuiteInfo.effective_key_bits
+ - SSLCipherSuiteInfo.mac_algorithm
+ - SSLCipherSuiteInfo.mac_algorithm_name
+ - SSLCipherSuiteInfo.mac_bits
+ - SSLCipherSuiteInfo.is_fips
+ - SSLCipherSuiteInfo.is_exportable
+ - SSLCipherSuiteInfo.is_nonstandard
+
+ - SSLChannelInfo.protocol_version
+ - SSLChannelInfo.protocol_version_str
+ - SSLChannelInfo.protocol_version_enum
+ - SSLChannelInfo.major_protocol_version
+ - SSLChannelInfo.minor_protocol_version
+ - SSLChannelInfo.cipher_suite
+ - SSLChannelInfo.auth_key_bits
+ - SSLChannelInfo.kea_key_bits
+ - SSLChannelInfo.creation_time
+ - SSLChannelInfo.creation_time_utc
+ - SSLChannelInfo.last_access_time
+ - SSLChannelInfo.last_access_time_utc
+ - SSLChannelInfo.expiration_time
+ - SSLChannelInfo.expiration_time_utc
+ - SSLChannelInfo.compression_method
+ - SSLChannelInfo.compression_method_name
+ - SSLChannelInfo.session_id
+
* The following files were added:
- doc/examples/cert_trust.py
@@ -131,6 +196,7 @@
- ssl.tls1.3
* The following methods were missing thread locks, this has been fixed.
+
- nss.nss_initialize
- nss.nss_init_context
- nss.nss_shutdown_context
diff --git a/doc/examples/ssl_example.py b/doc/examples/ssl_example.py
index 74b83d7..e5084bb 100755
--- a/doc/examples/ssl_example.py
+++ b/doc/examples/ssl_example.py
@@ -40,7 +40,13 @@ def password_callback(slot, retry, password):
return getpass.getpass("Enter password: ");
def handshake_callback(sock):
- print "handshake complete, peer = %s" % (sock.get_peer_name())
+ print "-- handshake complete --"
+ print "peer: %s" % (sock.get_peer_name())
+ print "negotiated host: %s" % (sock.get_negotiated_host())
+ print
+ print sock.connection_info_str()
+ print "-- handshake complete --"
+ print
def auth_certificate_callback(sock, check_sig, is_server, certdb):
print "auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server)
@@ -382,6 +388,12 @@ parser.add_argument('--request-cert-once', dest='client_cert_action',
parser.add_argument('--request-cert-always', dest='client_cert_action',
action='store_const', const=REQUEST_CLIENT_CERT_ALWAYS)
+parser.add_argument('--min-ssl-version',
+ help='minimum SSL version')
+
+parser.add_argument('--max-ssl-version',
+ help='minimum SSL version')
+
parser.set_defaults(client = False,
server = False,
db_name = 'sql:pki',
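Review bot: the help string for `--max-ssl-version` is a copy-paste of the one above; it says 'minimum SSL version' but should say 'maximum SSL version'.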
@@ -413,7 +425,34 @@ else:
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
-# Run as a client or as a server
+min_ssl_version, max_ssl_version = \
+ ssl.get_supported_ssl_version_range(repr_kind=nss.AsString)
+print "Supported SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
+min_ssl_version, max_ssl_version = \
+ ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+print "Default SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
+if options.min_ssl_version is not None or \
+ options.max_ssl_version is not None:
+
+ if options.min_ssl_version is not None:
+ min_ssl_version = options.min_ssl_version
+ if options.max_ssl_version is not None:
+ max_ssl_version = options.max_ssl_version
+
+ print "Setting default SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+ ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version)
+
+ min_ssl_version, max_ssl_version = \
+ ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+ print "Default SSL version range now: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
+# Run as a client or as a serveri
if options.client:
print "starting as client"
Client()
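Review bot: the restored comment `# Run as a client or as a serveri` has a stray trailing character; the removed line had it right as `server`. Also, the user-supplied --min-ssl-version / --max-ssl-version strings are passed straight into ssl.set_default_ssl_version_range() with no check, so a misspelt name surfaces only as an exception from the binding; since the example already prints the supported range, listing the accepted names in the argparse help (the same names ssl_version_range.py feeds to ssl_library_version_from_name) would make the example self-explanatory.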
diff --git a/doc/examples/ssl_version_range.py b/doc/examples/ssl_version_range.py
index 11fe85e..c784a99 100644
--- a/doc/examples/ssl_version_range.py
+++ b/doc/examples/ssl_version_range.py
@@ -118,3 +118,5 @@ for name in names:
enum = ssl.ssl_library_version_from_name(name)
enum_name = ssl.ssl_library_version_name(enum, nss.AsString)
print "name='%s' -> %s (%#06x)" % (name, enum_name, enum)
+
+
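Review bot: this hunk only appends two blank lines at the end of ssl_version_range.py; it should be dropped to keep the diff clean.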
diff --git a/doc/examples/verify_server.py b/doc/examples/verify_server.py
index e58c21e..3318ed7 100755
--- a/doc/examples/verify_server.py
+++ b/doc/examples/verify_server.py
@@ -27,7 +27,13 @@ GET /index.html HTTP/1.0
# -----------------------------------------------------------------------------
def handshake_callback(sock):
- print "handshake complete, peer = %s" % (sock.get_peer_name())
+ print "-- handshake complete --"
+ print "peer: %s" % (sock.get_peer_name())
+ print "negotiated host: %s" % (sock.get_negotiated_host())
+ print
+ print sock.connection_info_str()
+ print "-- handshake complete --"
+ print
def auth_certificate_callback(sock, check_sig, is_server, certdb):
print "auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server)
@@ -170,14 +176,48 @@ parser.set_defaults(db_name = 'sql:pki',
port = 443,
)
+parser.add_argument('--min-ssl-version',
+ help='minimum SSL version')
+
+parser.add_argument('--max-ssl-version',
+ help='minimum SSL version')
+
options = parser.parse_args()
# Perform basic configuration and setup
try:
nss.nss_init(options.db_name)
ssl.set_domestic_policy()
+
+ min_ssl_version, max_ssl_version = \
+ ssl.get_supported_ssl_version_range(repr_kind=nss.AsString)
+ print "Supported SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
+ min_ssl_version, max_ssl_version = \
+ ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+ print "Default SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
+ if options.min_ssl_version is not None or \
+ options.max_ssl_version is not None:
+
+ if options.min_ssl_version is not None:
+ min_ssl_version = options.min_ssl_version
+ if options.max_ssl_version is not None:
+ max_ssl_version = options.max_ssl_version
+
+ print "Setting default SSL version range: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+ ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version)
+
+ min_ssl_version, max_ssl_version = \
+ ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+ print "Default SSL version range now: min=%s, max=%s" % \
+ (min_ssl_version, max_ssl_version)
+
except Exception, e:
- print >>sys.stderr, e.strerror
+ print >>sys.stderr, str(e)
sys.exit(1)
client()
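Review bot: the `--max-ssl-version` help string repeats the 'minimum SSL version' copy-paste from ssl_example.py, and the whole version-range block (print supported range, print default range, apply the override, print again) is duplicated verbatim between the two examples; a small shared helper would keep them in sync. The change from `e.strerror` to `str(e)` is correct: not every exception caught by `except Exception, e:` carries a strerror attribute, so the old line could itself raise AttributeError while trying to report the original error.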
diff --git a/src/SECerrs.h b/src/SECerrs.h
index 04d0c11..8b6b36f 100644
--- a/src/SECerrs.h
+++ b/src/SECerrs.h
@@ -115,7 +115,7 @@ ER3(SEC_ERROR_EXTENSION_NOT_FOUND, (SEC_ERROR_BASE + 35),
ER3(SEC_ERROR_CA_CERT_INVALID, (SEC_ERROR_BASE + 36),
"Issuer certificate is invalid.")
-
+
ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, (SEC_ERROR_BASE + 37),
"Certificate path length constraint is invalid.")
@@ -343,7 +343,7 @@ ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, (SEC_ERROR_BASE + 109),
ER3(SEC_ERROR_OLD_KRL, (SEC_ERROR_BASE + 110),
"New KRL is not later than the current one.")
-
+
ER3(SEC_ERROR_CKL_CONFLICT, (SEC_ERROR_BASE + 111),
"New CKL has different issuer than current CKL. Delete current CKL.")
@@ -515,9 +515,6 @@ ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION, (SEC_ERROR_BASE + 165),
ER3(SEC_ERROR_LIBPKIX_INTERNAL, (SEC_ERROR_BASE + 166),
"Libpkix internal error occurred during cert validation.")
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13)
-
-
ER3(SEC_ERROR_PKCS11_GENERAL_ERROR, (SEC_ERROR_BASE + 167),
"A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
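Review bot: removing the `#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13)` guard (and the matching `#endif` in the following hunks) makes SEC_ERROR_PKCS11_GENERAL_ERROR and every later code an unconditional reference, so the build now needs an NSS that defines them; the minimum NSS version this implies should be stated in setup.py and in the ChangeLog for this release.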
@@ -545,10 +542,6 @@ ER3(SEC_ERROR_UNKNOWN_PKCS11_ERROR, (SEC_ERROR_BASE + 174),
ER3(SEC_ERROR_BAD_CRL_DP_URL, (SEC_ERROR_BASE + 175),
"Invalid or unsupported URL in CRL distribution point name.")
-#endif
-
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
-
ER3(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, (SEC_ERROR_BASE + 176),
"The certificate was signed using a signature algorithm that is disabled because it is not secure.")
@@ -558,4 +551,3 @@ ER3(SEC_ERROR_LEGACY_DATABASE, (SEC_ERROR_BASE + 177),
ER3(SEC_ERROR_APPLICATION_CALLBACK_ERROR, (SEC_ERROR_BASE + 178),
"The certificate was rejected by extra checks in the application.")
-#endif
diff --git a/src/SSLerrs.h b/src/SSLerrs.h
index 7e05af2..174037b 100644
--- a/src/SSLerrs.h
+++ b/src/SSLerrs.h
@@ -359,8 +359,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109),
ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110),
"SSL received a malformed New Session Ticket handshake message.")
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13)
-
ER3(SSL_ERROR_DECOMPRESSION_FAILURE, (SSL_ERROR_BASE + 111),
"SSL received a compressed record that could not be decompressed.")
@@ -376,10 +374,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD, (SSL_ERROR_BASE + 114),
ER3(SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY, (SSL_ERROR_BASE + 115),
"SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.")
-#endif
-
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
-
ER3(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, (SSL_ERROR_BASE + 116),
"SSL received invalid NPN extension data.")
@@ -407,11 +401,24 @@ ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST, (SSL_ERROR_BASE + 123),
ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, (SSL_ERROR_BASE + 124),
"SSL feature not supported for the protocol version.")
-#endif
-
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 15)
-
ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, (SSL_ERROR_BASE + 125),
"SSL received an unexpected Certificate Status handshake message.")
-#endif
+ER3(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, (SSL_ERROR_BASE + 126),
+"Unsupported hash algorithm used by TLS peer.")
+
+ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR_BASE + 127),
+"Digest function failed.")
+
+ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128),
+"Incorrect signature algorithm specified in a digitally-signed element.")
+
+ER3(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK, (SSL_ERROR_BASE + 129),
+"The next protocol negotiation extension was enabled, but the callback was cleared prior to being needed.")
+
+ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE + 130),
+"The server supports no protocols that the client advertises in the ALPN extension.")
+
+ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 131),
+"The server rejected the handshake because the client downgraded to a lower "
+"TLS version than the server supports.")
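Review bot: the six new entries, SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM through SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT (SSL_ERROR_BASE + 126 to 131), are added without any version guard now that the `#if` blocks are gone, so like the SECerrs.h change they rely on the minimum NSS version being pinned. Minor style point: entry 131 is the only message split across two adjacent string literals; that is valid C, but every other entry in the file keeps one message per line.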
diff --git a/src/py_nspr_common.h b/src/py_nspr_common.h
index b576d15..d123139 100644
--- a/src/py_nspr_common.h
+++ b/src/py_nspr_common.h
@@ -4,6 +4,8 @@
//#define DEBUG
+typedef PyObject *(*format_lines_func)(PyObject *self, PyObject *args, PyObject *kwds);
+
typedef enum RepresentationKindEnum {
AsObject,
AsString,
@@ -50,6 +52,107 @@ do { \
} while (0)
+/******************************************************************************/
+
+#define OCTETS_PER_LINE_DEFAULT 16
+#define HEX_SEPARATOR_DEFAULT ":"
+
+#define FMT_OBJ_AND_APPEND(dst_fmt_tuples, label, src_obj, level, fail) \
+{ \
+ PyObject *fmt_tuple = NULL; \
+ \
+ if ((fmt_tuple = line_fmt_tuple(level, label, src_obj)) == NULL) { \
+ goto fail; \
+ } \
+ if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \
+ Py_DECREF(fmt_tuple); \
+ goto fail; \
+ } \
+}
+
+#define FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail) \
+{ \
+ PyObject *fmt_tuple = NULL; \
+ \
+ if ((fmt_tuple = fmt_label(level, label)) == NULL) { \
+ goto fail; \
+ } \
+ if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \
+ Py_DECREF(fmt_tuple); \
+ goto fail; \
+ } \
+}
+
+#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \
+{ \
+ PyObject *src_obj; \
+ Py_ssize_t len, i; \
+ if (src_fmt_tuples) { \
+ len = PyList_Size(src_fmt_tuples); \
+ for (i = 0; i < len; i++) { \
+ src_obj = PyList_GetItem(src_fmt_tuples, i); \
+ PyList_Append(dst_fmt_tuples, src_obj); \
+ } \
+ Py_CLEAR(src_fmt_tuples); \
+ } \
+}
+
+#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail) \
+{ \
+ PyObject *src_obj; \
+ Py_ssize_t len, i; \
+ if (src_lines) { \
+ len = PySequence_Size(src_lines); \
+ for (i = 0; i < len; i++) { \
+ src_obj = PySequence_GetItem(src_lines, i); \
+ FMT_OBJ_AND_APPEND(dst_fmt_tuples, NULL, src_obj, level, fail); \
+ Py_DECREF(src_obj); \
+ } \
+ Py_CLEAR(src_lines); \
+ } \
+}
+
+#define CALL_FORMAT_LINES_AND_APPEND(dst_fmt_tuples, obj, level, fail) \
+{ \
+ PyObject *obj_line_fmt_tuples; \
+ \
+ if ((obj_line_fmt_tuples = \
+ PyObject_CallMethod(obj, "format_lines", \
+ "(i)", level)) == NULL) { \
+ goto fail; \
+ } \
+ \
+ APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_line_fmt_tuples, fail); \
+}
+
+
+#define APPEND_OBJ_TO_HEX_LINES_AND_CLEAR(dst_fmt_tuples, obj, level, fail) \
+{ \
+ PyObject *obj_lines; \
+ \
+ if ((obj_lines = obj_to_hex(obj, OCTETS_PER_LINE_DEFAULT, \
+ HEX_SEPARATOR_DEFAULT)) == NULL) { \
+ goto fail; \
+ } \
+ Py_CLEAR(obj); \
+ APPEND_LINES_AND_CLEAR(dst_fmt_tuples, obj_lines, level, fail); \
+}
+
+#define FMT_SEC_INT_OBJ_APPEND_AND_CLEAR(dst_fmt_tuples, label, obj, level, fail) \
+{ \
+ PyObject *obj_lines = NULL; \
+ SecItem *item = (SecItem *)obj; \
+ \
+ FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail); \
+ if ((obj_lines = secitem_integer_format_lines(&item->item, level+1)) == NULL) { \
+ goto fail; \
+ } \
+ Py_CLEAR(obj); \
+ APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_lines, fail); \
+}
+
+/******************************************************************************/
+
// Gettext
#ifndef _
#define _(s) s
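Review bot: now that these macros are shared by every module through py_nspr_common.h, their error handling gaps are shared too. APPEND_LINE_TUPLES_AND_CLEAR ignores the return value of PyList_Append and never uses its `fail` parameter, and APPEND_LINES_AND_CLEAR does not check PySequence_Size() for -1. In the APPEND_LINES_AND_CLEAR loop, a `goto fail` from inside FMT_OBJ_AND_APPEND skips the `Py_DECREF(src_obj)` that follows it; since the comment on line_fmt_tuple says it steals a reference, please confirm who owns src_obj on that path and make the two macros consistent, e.g. `if (PyList_Append(dst_fmt_tuples, src_obj) != 0) goto fail;`.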
diff --git a/src/py_nss.c b/src/py_nss.c
index 95d3958..a34fae3 100644
--- a/src/py_nss.c
+++ b/src/py_nss.c
@@ -355,10 +355,12 @@ NewType_new_from_NSSType(NSSType *id)
#define PY_SSIZE_T_CLEAN
#include "Python.h"
#include "structmember.h"
+#include "datetime.h"
#include "py_nspr_common.h"
#define NSS_NSS_MODULE
#include "py_nss.h"
+#include "py_shared_doc.h"
#include "py_nspr_error.h"
#include "secder.h"
@@ -379,8 +381,6 @@ NewType_new_from_NSSType(NSSType *id)
#define MAX_AVAS 10
#define MAX_RDNS 10
-#define OCTETS_PER_LINE_DEFAULT 16
-#define HEX_SEPARATOR_DEFAULT ":"
#ifdef DEBUG
#include "py_traceback.h"
@@ -534,8 +534,6 @@ PyString_UTF8(PyObject *obj, char *name);
/* ========================================================================== */
-typedef PyObject *(*format_lines_func)(PyObject *self, PyObject *args, PyObject *kwds);
-
static PyObject *
line_fmt_tuple(int level, const char *label, PyObject *py_value);
@@ -554,140 +552,6 @@ format_from_lines(format_lines_func formatter, PyObject *self, PyObject *args, P
static PyObject *
py_indented_format(PyObject *self, PyObject *args, PyObject *kwds);
-#define FMT_OBJ_AND_APPEND(dst_fmt_tuples, label, src_obj, level, fail) \
-{ \
- PyObject *fmt_tuple = NULL; \
- \
- if ((fmt_tuple = line_fmt_tuple(level, label, src_obj)) == NULL) { \
- goto fail; \
- } \
- if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \
- Py_DECREF(fmt_tuple); \
- goto fail; \
- } \
-}
-
-#define FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail) \
-{ \
- PyObject *fmt_tuple = NULL; \
- \
- if ((fmt_tuple = fmt_label(level, label)) == NULL) { \
- goto fail; \
- } \
- if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \
- Py_DECREF(fmt_tuple); \
- goto fail; \
- } \
-}
-
-#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \
-{ \
- PyObject *src_obj; \
- Py_ssize_t len, i; \
- if (src_fmt_tuples) { \
- len = PyList_Size(src_fmt_tuples); \
- for (i = 0; i < len; i++) { \
- src_obj = PyList_GetItem(src_fmt_tuples, i); \
- PyList_Append(dst_fmt_tuples, src_obj); \
- } \
- Py_CLEAR(src_fmt_tuples); \
- } \
-}
-
-#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail) \
-{ \
- PyObject *src_obj; \
- Py_ssize_t len, i; \
- if (src_lines) { \
- len = PySequence_Size(src_lines); \
- for (i = 0; i < len; i++) { \
- src_obj = PySequence_GetItem(src_lines, i); \
- FMT_OBJ_AND_APPEND(dst_fmt_tuples, NULL, src_obj, level, fail); \
- Py_DECREF(src_obj); \
- } \
- Py_CLEAR(src_lines); \
- } \
-}
-
-#define CALL_FORMAT_LINES_AND_APPEND(dst_fmt_tuples, obj, level, fail) \
-{ \
- PyObject *obj_line_fmt_tuples; \
- \
- if ((obj_line_fmt_tuples = \
- PyObject_CallMethod(obj, "format_lines", \
- "(i)", level)) == NULL) { \
- goto fail; \
- } \
- \
- APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_line_fmt_tuples, fail); \
-}
-
-
-#define APPEND_OBJ_TO_HEX_LINES_AND_CLEAR(dst_fmt_tuples, obj, level, fail) \
-{ \
- PyObject *obj_lines; \
- \
- if ((obj_lines = obj_to_hex(obj, OCTETS_PER_LINE_DEFAULT, \
- HEX_SEPARATOR_DEFAULT)) == NULL) { \
- goto fail; \
- } \
- Py_CLEAR(obj); \
- APPEND_LINES_AND_CLEAR(dst_fmt_tuples, obj_lines, level, fail); \
-}
-
-#define FMT_SEC_INT_OBJ_APPEND_AND_CLEAR(dst_fmt_tuples, label, obj, level, fail) \
-{ \
- PyObject *obj_lines = NULL; \
- SecItem *item = (SecItem *)obj; \
- \
- FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail); \
- if ((obj_lines = secitem_integer_format_lines(&item->item, level+1)) == NULL) { \
- goto fail; \
- } \
- Py_CLEAR(obj); \
- APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_lines, fail); \
-}
-
-PyDoc_STRVAR(generic_format_doc,
-"format(level=0, indent=' ') -> string)\n\
-\n\
-:Parameters:\n\
- level : integer\n\
- Initial indentation level, all subsequent indents are relative\n\
- to this starting level.\n\
- indent : string\n\
- string replicated once for each indent level then prepended to output line\n\
-\n\
-This is equivalent to:\n\
-indented_format(obj.format_lines()) on an object providing a format_lines() method.\n\
-");
-
-PyDoc_STRVAR(generic_format_lines_doc,
-"format_lines(level=0) -> [(level, string),...]\n\
-\n\
-:Parameters:\n\
- level : integer\n\
- Initial indentation level, all subsequent indents are relative\n\
- to this starting level.\n\
-\n\
-Formats the object into a sequence of lines with indent level\n\
-information. The return value is a list where each list item is a\n\
-tuple. The first item in the tuple is an integer\n\
-representing the indentation level for that line. Any remaining items\n\
-in the tuple are strings to be output on that line.\n\
-\n\
-The output of this function can be formatted into a single string by\n\
-calling `indented_format()`, e.g.:\n\
-\n\
- print indented_format(obj.format_lines())\n\
-\n\
-The reason this function returns a tuple as opposed to an single\n\
-indented string is to support other text formatting systems such as\n\
-GUI's with indentation controls. See `indented_format()` for a\n\
-complete explanation.\n\
-");
-
-
/* Steals reference to obj_str */
static PyObject *
line_fmt_tuple(int level, const char *label, PyObject *py_value)
@@ -1794,6 +1658,9 @@ CERTCertExtensions_from_CERTAttribute(PRArenaPool *arena,
static SECStatus
My_CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req, CERTCertExtension ***exts);
+static PyObject *
+timestamp_to_DateTime(time_t timestamp, bool utc);
+
/* ==================================== */
typedef struct BitStringTableStr {
@@ -1844,6 +1711,23 @@ static BitStringTable CertTypeDef[] = {
BITSTRING_TBL_INIT(NS_CERT_TYPE_OBJECT_SIGNING_CA, _("Object Signing CA") ), /* bit 7 */
};
+static PyObject *
+timestamp_to_DateTime(time_t timestamp, bool utc)
+{
+ double d_timestamp = timestamp;
+ PyObject *py_datetime = NULL;
+ char *method;
+
+ method = utc ? "utcfromtimestamp" : "fromtimestamp";
+ if ((py_datetime =
+ PyObject_CallMethod((PyObject *)PyDateTimeAPI->DateTimeType,
+ method, "(d)", d_timestamp)) == NULL) {
+ return NULL;
+ }
+
+ return py_datetime;
+}
+
/* returns new reference or NULL on error */
PyObject *
PyString_UTF8(PyObject *obj, char *name)
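Review bot: timestamp_to_DateTime returns naive datetime objects in both modes, since neither utcfromtimestamp nor fromtimestamp attaches a tzinfo; a caller holding the `*_utc` and non-UTC variants of the SSLChannelInfo times cannot tell them apart from the object itself, so the docstrings for those properties should say that the UTC variants are naive UTC. The `if (...) == NULL) return NULL;` around the PyObject_CallMethod call is redundant, since the function returns py_datetime either way, and can be collapsed to a single return.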
@@ -5209,6 +5093,8 @@ SecItem_str(SecItem *self)
break;
case SECITEM_algorithm:
return oid_secitem_to_pystr_desc(&self->item);
+ case SECITEM_buffer:
+ return secitem_to_pystr_hex(&self->item);
default:
return der_any_secitem_to_pystr(&self->item);
break;
@@ -23973,6 +23859,13 @@ static PyNSPR_NSS_C_API_Type nspr_nss_c_api =
cert_distnames_as_CERTDistNames,
_AddIntConstantWithLookup,
_AddIntConstantAlias,
+ format_from_lines,
+ line_fmt_tuple,
+ obj_sprintf,
+ obj_to_hex,
+ raw_data_to_hex,
+ fmt_label,
+ timestamp_to_DateTime
};
/* ============================== Module Construction ============================= */
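Review bot: appending the seven new function pointers at the end of nspr_nss_c_api keeps existing consumers' offsets stable, but py_ssl.c now reaches timestamp_to_DateTime and the formatting helpers through this table, so a py_ssl extension built against the new py_nss.h and loaded next to an older nss.nss module would read past the old struct. If import_nspr_nss_c_api() does not already compare a size or version field, add that check and fail the import cleanly.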
@@ -23991,6 +23884,8 @@ initnss(void)
return;
}
+ PyDateTime_IMPORT;
+
if ((m = Py_InitModule3("nss.nss", module_methods, module_doc)) == NULL) {
return;
}
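Review bot: PyDateTime_IMPORT leaves PyDateTimeAPI NULL (with an exception set) when the datetime capsule cannot be imported, and nothing here checks for that before continuing to Py_InitModule3; add `if (PyDateTimeAPI == NULL) return;` right after it so timestamp_to_DateTime can never dereference a NULL API pointer later.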
diff --git a/src/py_nss.h b/src/py_nss.h
index c9661e2..1fb858a 100644
--- a/src/py_nss.h
+++ b/src/py_nss.h
@@ -414,6 +414,18 @@ typedef struct {
PyObject *value_to_name);
int (*_AddIntConstantAlias)(const char *name, long value,
PyObject *name_to_value);
+ PyObject *(*format_from_lines)(format_lines_func formatter, PyObject *self,
+ PyObject *args, PyObject *kwds);
+ PyObject *(*line_fmt_tuple)(int level, const char *label,
+ PyObject *py_value);
+ PyObject *(*obj_sprintf)(const char *fmt, ...);
+ PyObject *(*obj_to_hex)(PyObject *obj,
+ int octets_per_line, char *separator);
+ PyObject *(*raw_data_to_hex)(unsigned char *data, int data_len,
+ int octets_per_line, char *separator);
+ PyObject *(*fmt_label)(int level, char *label);
+ PyObject *(*timestamp_to_DateTime)(time_t timestamp, bool utc);
+
} PyNSPR_NSS_C_API_Type;
@@ -452,6 +464,13 @@ static PyNSPR_NSS_C_API_Type nspr_nss_c_api;
#define cert_distnames_as_CERTDistNames (*nspr_nss_c_api.cert_distnames_as_CERTDistNames)
#define _AddIntConstantWithLookup (*nspr_nss_c_api._AddIntConstantWithLookup)
#define _AddIntConstantAlias (*nspr_nss_c_api._AddIntConstantAlias)
+#define format_from_lines (*nspr_nss_c_api.format_from_lines)
+#define line_fmt_tuple (*nspr_nss_c_api.line_fmt_tuple)
+#define obj_sprintf (*nspr_nss_c_api.obj_sprintf)
+#define obj_to_hex (*nspr_nss_c_api.obj_to_hex)
+#define raw_data_to_hex (*nspr_nss_c_api.raw_data_to_hex)
+#define fmt_label (*nspr_nss_c_api.fmt_label)
+#define timestamp_to_DateTime (*nspr_nss_c_api.timestamp_to_DateTime)
static int
import_nspr_nss_c_api(void)
diff --git a/src/py_shared_doc.h b/src/py_shared_doc.h
new file mode 100644
index 0000000..9a57279
--- /dev/null
+++ b/src/py_shared_doc.h
@@ -0,0 +1,43 @@
+#ifndef PY_SHARED_DOC_H
+#define PY_SHARED_DOC_H
+
+PyDoc_STRVAR(generic_format_doc,
+"format(level=0, indent=' ') -> string)\n\
+\n\
+:Parameters:\n\
+ level : integer\n\
+ Initial indentation level, all subsequent indents are relative\n\
+ to this starting level.\n\
+ indent : string\n\
+ string replicated once for each indent level then prepended to output line\n\
+\n\
+This is equivalent to:\n\
+indented_format(obj.format_lines()) on an object providing a format_lines() method.\n\
+");
+
+PyDoc_STRVAR(generic_format_lines_doc,
+"format_lines(level=0) -> [(level, string),...]\n\
+\n\
+:Parameters:\n\
+ level : integer\n\
+ Initial indentation level, all subsequent indents are relative\n\
+ to this starting level.\n\
+\n\
+Formats the object into a sequence of lines with indent level\n\
+information. The return value is a list where each list item is a\n\
+tuple. The first item in the tuple is an integer\n\
+representing the indentation level for that line. Any remaining items\n\
+in the tuple are strings to be output on that line.\n\
+\n\
+The output of this function can be formatted into a single string by\n\
+calling `indented_format()`, e.g.:\n\
+\n\
+ print indented_format(obj.format_lines())\n\
+\n\
+The reason this function returns a tuple as opposed to an single\n\
+indented string is to support other text formatting systems such as\n\
+GUI's with indentation controls. See `indented_format()` for a\n\
+complete explanation.\n\
+");
+
+#endif // PY_SHARED_DOC_H
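Review bot: two typos travel with these docstrings and are worth fixing while they are being moved: the signature line `format(level=0, indent=' ') -> string)` has an unmatched closing parenthesis, and `as opposed to an single` should read `a single`. Also note that PyDoc_STRVAR expands to a static array, so every translation unit including this header gets its own copy of both strings; harmless at this size, but worth knowing before more docstrings are added here.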
diff --git a/src/py_ssl.c b/src/py_ssl.c
index a1dbdce..3e0dbf6 100644
--- a/src/py_ssl.c
+++ b/src/py_ssl.c
@@ -15,12 +15,18 @@
#define NSS_SSL_MODULE
#include "py_ssl.h"
#include "py_nss.h"
+#include "py_shared_doc.h"
#include "py_nspr_error.h"
From tjaalton at moszumanska.debian.org Sun Aug 16 18:33:48 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Sun, 16 Aug 2015 18:33:48 +0000
Subject: [Pkg-freeipa-devel] python-nss: Changes to
'refs/tags/debian/0.16.0-1'
Message-ID:
Tag 'debian/0.16.0-1' created by Timo Aaltonen at 2015-08-16 08:18 +0000
tagging package python-nss version debian/0.16.0-1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=ZhoD
-----END PGP SIGNATURE-----
Changes since debian/0.15.0-1:
John Dennis (11):
Added tag PYNSS_RELEASE_0_15_0 for changeset 73d6871d2b07
Permit setting Certificate trust & query Certificate trust
Add support for the SSL version range API
Add ssl_version_range.py, missed it in previous commit.
Added tag PYNSS_RELEASE_0_16_0 for changeset 288f6ba8cd71
Add SSLCipherSuiteInfo, SSLChannelInfo classes.
Added tag PYNSS_RELEASE_0_16_0 for changeset 58faa8ba467a
Added tag PYNSS_RELEASE_0_16_0 for changeset e07c4d352c1d
Fix doc typos
Added tag PYNSS_RELEASE_0_16_0 for changeset 07759f773c0b
add py_shared_doc.h to MANIFEST
Timo Aaltonen (3):
Merge branch 'upstream'
update the changelog
releasing package python-nss version 0.16.0-1
---
.hgtags | 8
debian/changelog | 6
doc/ChangeLog | 203 +++
doc/examples/cert_trust.py | 165 ++
doc/examples/ssl_example.py | 43
doc/examples/ssl_version_range.py | 122 +
doc/examples/verify_server.py | 44
setup.py | 2
src/SECerrs.h | 12
src/SSLerrs.h | 29
src/__init__.py | 14
src/py_nspr_common.h | 153 ++
src/py_nss.c | 486 +++++--
src/py_nss.h | 44
src/py_shared_doc.h | 43
src/py_ssl.c | 2359 ++++++++++++++++++++++++++++++++++----
src/py_ssl.h | 25
test/test_client_server.py | 9
18 files changed, 3319 insertions(+), 448 deletions(-)
---
From ftpmaster at ftp-master.debian.org Sun Aug 16 18:35:34 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Sun, 16 Aug 2015 18:35:34 +0000
Subject: [Pkg-freeipa-devel] Processing of python-nss_0.16.0-1_amd64.changes
Message-ID:
python-nss_0.16.0-1_amd64.changes uploaded successfully to localhost
along with the files:
python-nss_0.16.0-1.dsc
python-nss_0.16.0.orig.tar.bz2
python-nss_0.16.0-1.debian.tar.xz
python-nss_0.16.0-1_amd64.deb
Greetings,
Your Debian queue daemon (running on host franck.debian.org)
From ftpmaster at ftp-master.debian.org Sun Aug 16 19:07:06 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Sun, 16 Aug 2015 19:07:06 +0000
Subject: [Pkg-freeipa-devel] python-nss_0.16.0-1_amd64.changes ACCEPTED into
unstable
Message-ID:
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 16 Aug 2015 11:18:20 +0300
Source: python-nss
Binary: python-nss
Architecture: source amd64
Version: 0.16.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team
Changed-By: Timo Aaltonen
Description:
python-nss - Python bindings for Network Security Services (NSS)
Changes:
python-nss (0.16.0-1) unstable; urgency=medium
.
* New upstream release.
Checksums-Sha1:
0a7c8498d6692ccfc843b880eaf27a1669baf58b 2019 python-nss_0.16.0-1.dsc
f1f760f478bb784472675e77a433a01bb3da050f 208535 python-nss_0.16.0.orig.tar.bz2
2b605a7b8fd6cbce1e7f38cfce41f9cf31577b3c 2484 python-nss_0.16.0-1.debian.tar.xz
8f352a75dcd1f8a93fd7223cab1632f66a7f0e9c 197076 python-nss_0.16.0-1_amd64.deb
Checksums-Sha256:
c49ab82d98bc12c21168e953ec5392b0bc6699f9158cbaaed882d67b4ebc3d76 2019 python-nss_0.16.0-1.dsc
cecd3a33c4cb4ab0f5a3c303a733b2eb62a3760b500e6b411313ab3b30f8e575 208535 python-nss_0.16.0.orig.tar.bz2
c8a0cfe1859cc3802362d01bf11fb08f9b55212f1f90528127f9b869f0e93d81 2484 python-nss_0.16.0-1.debian.tar.xz
7fd8422fccd47806fec1e950a25a384a659c64ce9bc6fd6cbe387b7e9591d6d7 197076 python-nss_0.16.0-1_amd64.deb
Files:
4d40054190ad7b0ede62b405db8e76bc 2019 python extra python-nss_0.16.0-1.dsc
4fb3c230c7ea0b0ea860f713145c4422 208535 python extra python-nss_0.16.0.orig.tar.bz2
c2ba8ac7a3e361046a793aa99a919367 2484 python extra python-nss_0.16.0-1.debian.tar.xz
28e74981d8664b7f3202313df018d3ce 197076 python extra python-nss_0.16.0-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=vOi3
-----END PGP SIGNATURE-----
Thank you for your contribution to Debian.
From tjaalton at moszumanska.debian.org Mon Aug 17 07:23:30 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Mon, 17 Aug 2015 07:23:30 +0000
Subject: [Pkg-freeipa-devel] tomcatjss: Changes to 'master'
Message-ID:
build.xml | 4 +-
debian/changelog | 7 ++++
debian/patches/add-dummy-getprotocol.diff | 31 ---------------------
debian/patches/series | 1
src/org/apache/tomcat/util/net/jss/JSSSupport.java | 4 ++
tomcatjss.spec | 8 ++++-
6 files changed, 20 insertions(+), 35 deletions(-)
New commits:
commit 5e21dba1c84d59a30105d79345a937defae6c783
Author: Timo Aaltonen
Date: Mon Aug 17 10:23:20 2015 +0300
releasing package tomcatjss version 7.1.3-1
diff --git a/debian/changelog b/debian/changelog
index c57c1b2..888db07 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,9 @@
-tomcatjss (7.1.3-1) UNRELEASED; urgency=medium
+tomcatjss (7.1.3-1) unstable; urgency=medium
* New upstream release.
* add-dummy-getprotocol.diff: Removed, upstream.
- -- Timo Aaltonen Mon, 17 Aug 2015 08:43:19 +0300
+ -- Timo Aaltonen Mon, 17 Aug 2015 08:45:11 +0300
tomcatjss (7.1.2-1) unstable; urgency=medium
commit 0c4f4371acbc7b396f378e01816f7076aeb7710b
Author: Timo Aaltonen
Date: Mon Aug 17 08:45:04 2015 +0300
new upstream, remove patch
diff --git a/debian/changelog b/debian/changelog
index 67513a5..c57c1b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+tomcatjss (7.1.3-1) UNRELEASED; urgency=medium
+
+ * New upstream release.
+ * add-dummy-getprotocol.diff: Removed, upstream.
+
+ -- Timo Aaltonen Mon, 17 Aug 2015 08:43:19 +0300
+
tomcatjss (7.1.2-1) unstable; urgency=medium
* New upstream release
diff --git a/debian/patches/add-dummy-getprotocol.diff b/debian/patches/add-dummy-getprotocol.diff
deleted file mode 100644
index a7c9620..0000000
--- a/debian/patches/add-dummy-getprotocol.diff
+++ /dev/null
@@ -1,31 +0,0 @@
-From 4bd20b44e0fa191c059f6b311663e7f8b396a5cb Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Wed, 22 Jul 2015 15:17:04 +0200
-Subject: [PATCH] Added JSSSupport.getProtocol().
-
-A dummy getProtocol() has been added to JSSSupport in order
-to build with newer Tomcat.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1245786
----
- src/org/apache/tomcat/util/net/jss/JSSSupport.java | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/org/apache/tomcat/util/net/jss/JSSSupport.java b/src/org/apache/tomcat/util/net/jss/JSSSupport.java
-index e243ca134852cefe7e8353d9b92eb5915004b0e8..4c04034d25396c3f6f3641b2844adb70d6c89100 100755
---- a/src/org/apache/tomcat/util/net/jss/JSSSupport.java
-+++ b/src/org/apache/tomcat/util/net/jss/JSSSupport.java
-@@ -97,6 +97,10 @@ class JSSSupport implements SSLSupport {
- return null;
- }
-
-+ public String getProtocol() throws IOException {
-+ return null;
-+ }
-+
- public String getSessionId() throws IOException {
- return null;
- }
---
-2.4.6
-
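Review bot: dropping add-dummy-getprotocol.diff is only safe if the imported 7.1.3 sources really carry getProtocol() themselves; the summary at the top of this message shows `src/org/apache/tomcat/util/net/jss/JSSSupport.java | 4 ++` coming in with the upstream import, which matches the four lines the patch used to add, so this looks consistent, but the changelog entry should say which upstream change superseded the patch rather than only "Removed, upstream".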
diff --git a/debian/patches/series b/debian/patches/series
index 8104d92..6116b9d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
fix-build.diff
-add-dummy-getprotocol.diff
commit fe66739e5485875cc68ba178bff855656adc72cb
Author: Timo Aaltonen
Date: Mon Aug 17 08:41:46 2015 +0300
Imported Upstream version 7.1.3
diff --git a/build.xml b/build.xml
index eaa3bda..4bd13ec 100755
--- a/build.xml
+++ b/build.xml
@@ -37,8 +37,8 @@
-
-
+
+