diff --git a/certmonger-x509-req-to-x509.patch b/certmonger-x509-req-to-x509.patch
index f550c56..2dfaf66 100644
--- a/certmonger-x509-req-to-x509.patch
+++ b/certmonger-x509-req-to-x509.patch
@@ -6,11 +6,17 @@ Date: Tue Nov 27 12:18:51 2012 -0500
 check for errors from X509_REQ_to_X509()
+commit 8a8a95489bb35271542999d07bdd62d7aca177ac
+Author: Nalin Dahyabhai
+Date: Tue Nov 27 18:32:06 2012 -0500
+
+ present failure to self-sign as rejection
+
 diff --git a/src/submit-so.c b/src/submit-so.c
 index 7ad799e..39c3d33 100644
 --- a/src/submit-so.c
 +++ b/src/submit-so.c
-@@ -117,45 +117,51 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+@@ -117,45 +117,52 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 cert = X509_REQ_to_X509(req, 0, pkey);
@@ -88,6 +94,7 @@ index 7ad799e..39c3d33 100644
 + cm_log(1, "Error building "
 + "certificate from "
 + "signing request.\n");
++ status = 2;
 + }
 - /* finish up */
 - X509_sign(cert, pkey,
@@ -96,3 +103,17 @@ index 7ad799e..39c3d33 100644
 } else {
 cm_log(1, "Error reading "
 "signing request.\n");
+@@ -260,7 +261,12 @@ static int
+ cm_submit_so_rejected(struct cm_store_entry *entry,
+ struct cm_submit_state *state)
+ {
+- return -1; /* it never gets rejected */
++ int status;
++ status = cm_subproc_get_exitstatus(entry, state->subproc);
++ if (!WIFEXITED(status) || (WEXITSTATUS(status) != 2)) {
++ return -1; /* it should never get rejected */
++ }
++ return 0;
+ }
+
+ /* Check if the CA was unreachable. */
diff --git a/certmonger.spec b/certmonger.spec
index 3991203..4ca086d 100644
--- a/certmonger.spec
+++ b/certmonger.spec
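Review bot: The exit status `2` is a bare literal in two places that must agree: `status = 2;` in the `X509_REQ_to_X509()` failure branch of `cm_submit_so_main()` and `WEXITSTATUS(status) != 2` in `cm_submit_so_rejected()`; a shared named constant would keep the helper and its status check from drifting apart. The kept comment `/* it should never get rejected */` sits on the `return -1` path although the function can now return 0, so something like `/* any other exit status is not a rejection */` would describe that branch accurately. Only the "Error building certificate" branch visibly sets the status; whether a failing `X509_sign()` or the "Error reading signing request" branch is also reported distinctly cannot be told from these hunks and is worth confirming, so that a certificate that was never signed is not treated as issued. `cm_submit_so_main()` continues outside the hunks shown.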
@@ -206,6 +206,7 @@ exit 0 * Tue Nov 27 2012 Nalin Dahyabhai 0.61-3 - backport change from git to not choke if X509_REQ_to_X509() fails when we're self-signing using OpenSSL +- backport another change from git to represent this as a CA-rejected error * Mon Sep 24 2012 Nalin Dahyabhai 0.61-1 - fix a regression in reading old request tracking files where the