From f8e196812cd4134f49f9ec82d50182fb68e0e5cb Mon Sep 17 00:00:00 2001
From: Michael Sweet
Date: Tue, 30 Aug 2016 16:00:48 -0400
Subject: [PATCH] Support site CA cert ("/etc/cups/ssl/site.crt" for Linux, "site" cert on macOS) for validating printer certs.
---
 cups/tls-darwin.c | 42 ++++++++++++++++++++++++++++++++--
 cups/tls-gnutls.c | 42 ++++++++++++++++++++++++++++++++--
 locale/cups.pot | 54 ++++++++++++++++++++++++--------------------
 locale/cups.strings | 1 +
 locale/cups_ca.po | 5 +++-
 locale/cups_cs.po | 5 +++-
 locale/cups_de.po | 5 +++-
 locale/cups_es.po | 5 +++-
 locale/cups_fr.po | 5 +++-
 locale/cups_it.po | 5 +++-
 locale/cups_ja.po | 5 +++-
 locale/cups_pt_BR.po | 5 +++-
 locale/cups_ru.po | 5 +++-
 13 files changed, 146 insertions(+), 38 deletions(-)
diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c
index 717471a7b..383a20e90 100644
--- a/cups/tls-darwin.c
+++ b/cups/tls-darwin.c
@@ -690,8 +690,46 @@ httpCredentialsGetTrust(
   }
   else if (!cg->trust_first)
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
-    trust = HTTP_TRUST_INVALID;
+   /*
+    * See if we have a site CA certificate we can compare...
+    */
+
+    if (!httpLoadCredentials(NULL, &tcreds, "site"))
+    {
+      if (cupsArrayCount(credentials) != (cupsArrayCount(tcreds) + 1))
+      {
+       /*
+        * Certificate isn't directly generated from the CA cert...
+        */
+
+        trust = HTTP_TRUST_INVALID;
+      }
+      else
+      {
+       /*
+        * Do a tail comparison of the two certificates...
+        */
+
+        http_credential_t *a, *b; /* Certificates */
+
+        for (a = (http_credential_t *)cupsArrayFirst(tcreds), b = (http_credential_t *)cupsArrayIndex(credentials, 1);
+             a && b;
+             a = (http_credential_t *)cupsArrayNext(tcreds), b = (http_credential_t *)cupsArrayNext(credentials))
+          if (a->datalen != b->datalen || memcmp(a->data, b->data, a->datalen))
+            break;
+
+        if (a || b)
+          trust = HTTP_TRUST_INVALID;
+      }
+
+      if (trust != HTTP_TRUST_OK)
+        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
+    }
+    else
+    {
+      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+      trust = HTTP_TRUST_INVALID;
+    }
   }
 
   if (trust == HTTP_TRUST_OK && !cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent()))
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index cb3865bb5..d5e639ea7 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
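Review bot: The added site-CA check establishes only that the certificates following the leaf in `credentials` are byte-identical to the stored "site" credentials; nothing in the hunk verifies that the leaf is signed by that CA, so the comment `Certificate isn't directly generated from the CA cert...` claims more than the count comparison proves, and unless issuer-signature validation is performed elsewhere (not visible here) the intent should be stated explicitly, e.g. `/* NOTE: byte comparison of the chain tail against the stored site CA only; the leaf's signature is not verified here */`. The `tcreds` array filled by `httpLoadCredentials(NULL, &tcreds, "site")` is not released within the hunk; unless the remainder of httpCredentialsGetTrust frees it, add `httpFreeCredentials(tcreds);` after the `if (trust != HTTP_TRUST_OK)` report so the site-CA path does not leak on every trust decision. The same block is duplicated verbatim in the cups/tls-gnutls.c hunk below, where both points apply equally and a shared helper would keep the two backends from drifting. httpCredentialsGetTrust starts and ends outside the hunk.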
@@ -524,8 +524,46 @@ httpCredentialsGetTrust(
   }
   else if (!cg->trust_first)
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
-    trust = HTTP_TRUST_INVALID;
+   /*
+    * See if we have a site CA certificate we can compare...
+    */
+
+    if (!httpLoadCredentials(NULL, &tcreds, "site"))
+    {
+      if (cupsArrayCount(credentials) != (cupsArrayCount(tcreds) + 1))
+      {
+       /*
+        * Certificate isn't directly generated from the CA cert...
+        */
+
+        trust = HTTP_TRUST_INVALID;
+      }
+      else
+      {
+       /*
+        * Do a tail comparison of the two certificates...
+        */
+
+        http_credential_t *a, *b; /* Certificates */
+
+        for (a = (http_credential_t *)cupsArrayFirst(tcreds), b = (http_credential_t *)cupsArrayIndex(credentials, 1);
+             a && b;
+             a = (http_credential_t *)cupsArrayNext(tcreds), b = (http_credential_t *)cupsArrayNext(credentials))
+          if (a->datalen != b->datalen || memcmp(a->data, b->data, a->datalen))
+            break;
+
+        if (a || b)
+          trust = HTTP_TRUST_INVALID;
+      }
+
+      if (trust != HTTP_TRUST_OK)
+        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
+    }
+    else
+    {
+      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+      trust = HTTP_TRUST_INVALID;
+    }
   }
 
   if (trust == HTTP_TRUST_OK && !cg->expired_certs)
diff --git a/locale/cups.pot b/locale/cups.pot
index 2f0e471d2..00ab1d510 100644
--- a/locale/cups.pot
+++ b/locale/cups.pot
@@ -28,7 +28,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: CUPS 1.6\n"
 "Report-Msgid-Bugs-To: http://www.cups.org/str.php\n"
-"POT-Creation-Date: 2016-08-25 09:50-0400\n"
+"POT-Creation-Date: 2016-08-30 16:00-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
@@ -3750,7 +3750,11 @@ msgstr ""
 msgid "Created"
 msgstr ""
 
-#: cups/tls-darwin.c:695 cups/tls-gnutls.c:539
+#: cups/tls-darwin.c:726 cups/tls-gnutls.c:560
+msgid "Credentials do not validate against site CA certificate."
+msgstr ""
+
+#: cups/tls-darwin.c:737 cups/tls-gnutls.c:577
 msgid "Credentials have expired."
 msgstr ""
 
@@ -5155,11 +5159,11 @@ msgstr ""
 msgid "Never"
 msgstr ""
 
-#: cups/tls-darwin.c:664 cups/tls-gnutls.c:502
+#: cups/tls-darwin.c:668 cups/tls-gnutls.c:502
 msgid "New credentials are not valid for name."
 msgstr ""
 
-#: cups/tls-darwin.c:654 cups/tls-gnutls.c:492
+#: cups/tls-darwin.c:658 cups/tls-gnutls.c:492
 msgid "New credentials are older than stored credentials."
 msgstr ""
 
@@ -5208,7 +5212,7 @@ msgstr ""
 msgid "No authentication information provided."
 msgstr ""
 
-#: cups/tls-darwin.c:604 cups/tls-gnutls.c:439
+#: cups/tls-darwin.c:608 cups/tls-gnutls.c:439
 msgid "No common name specified."
 msgstr ""
 
@@ -5285,7 +5289,7 @@ msgstr ""
 msgid "No request-id"
 msgstr ""
 
-#: cups/tls-darwin.c:684 cups/tls-gnutls.c:522
+#: cups/tls-darwin.c:688 cups/tls-gnutls.c:522
 msgid "No stored credentials, not valid for name."
 msgstr ""
 
@@ -5874,7 +5878,7 @@ msgstr ""
 msgid "Roll 9"
 msgstr ""
 
-#: cups/adminutil.c:2083
+#: cups/adminutil.c:2100
 #, c-format
 msgid "Running command: %s %s -N -A %s -c '%s'"
 msgstr ""
@@ -5931,7 +5935,7 @@ msgstr ""
 msgid "Self Adhesive Film"
 msgstr ""
 
-#: cups/tls-darwin.c:701 cups/tls-gnutls.c:546
+#: cups/tls-darwin.c:743 cups/tls-gnutls.c:584
 msgid "Self-signed credentials are blocked."
 msgstr ""
 
@@ -5971,7 +5975,7 @@ msgstr ""
 msgid "Server Stopped"
 msgstr ""
 
-#: cups/tls-darwin.c:1133 cups/tls-gnutls.c:1225
+#: cups/tls-darwin.c:1183 cups/tls-gnutls.c:1263
 msgid "Server credentials not set."
 msgstr ""
 
@@ -6534,8 +6538,8 @@ msgstr ""
 msgid "Triple Wall Cardboard"
 msgstr ""
 
-#: cups/tls-darwin.c:644 cups/tls-darwin.c:689 cups/tls-gnutls.c:482
-#: cups/tls-gnutls.c:527
+#: cups/tls-darwin.c:648 cups/tls-darwin.c:730 cups/tls-gnutls.c:482
+#: cups/tls-gnutls.c:564
 msgid "Trust on first use is disabled."
 msgstr ""
 
@@ -6697,7 +6701,7 @@ msgstr ""
 msgid "Unable to copy Windows 9x printer driver files (%d)."
 msgstr ""
 
-#: cups/tls-darwin.c:610 cups/tls-gnutls.c:445
+#: cups/tls-darwin.c:614 cups/tls-gnutls.c:445
 msgid "Unable to create credentials from array."
 msgstr ""
 
@@ -6709,7 +6713,7 @@ msgstr ""
 msgid "Unable to create printer."
 msgstr ""
 
-#: cups/tls-darwin.c:1394 cups/tls-gnutls.c:1413
+#: cups/tls-darwin.c:1444 cups/tls-gnutls.c:1451
 msgid "Unable to create server credentials."
 msgstr ""
 
@@ -6733,35 +6737,35 @@ msgstr ""
 msgid "Unable to edit cupsd.conf files larger than 1MB"
 msgstr ""
 
-#: cups/tls-darwin.c:1561
+#: cups/tls-darwin.c:1611
 msgid "Unable to establish a secure connection to host (certificate chain invalid)."
 msgstr ""
 
-#: cups/tls-darwin.c:1551
+#: cups/tls-darwin.c:1601
 msgid "Unable to establish a secure connection to host (certificate not yet valid)."
 msgstr ""
 
-#: cups/tls-darwin.c:1546
+#: cups/tls-darwin.c:1596
 msgid "Unable to establish a secure connection to host (expired certificate)."
 msgstr ""
 
-#: cups/tls-darwin.c:1556
+#: cups/tls-darwin.c:1606
 msgid "Unable to establish a secure connection to host (host name mismatch)."
 msgstr ""
 
-#: cups/tls-darwin.c:1566
+#: cups/tls-darwin.c:1616
 msgid "Unable to establish a secure connection to host (peer dropped connection before responding)."
 msgstr ""
 
-#: cups/tls-darwin.c:1541
+#: cups/tls-darwin.c:1591
 msgid "Unable to establish a secure connection to host (self-signed certificate)."
 msgstr ""
 
-#: cups/tls-darwin.c:1536
+#: cups/tls-darwin.c:1586
 msgid "Unable to establish a secure connection to host (untrusted certificate)."
 msgstr ""
 
-#: cups/tls-darwin.c:1593 cups/tls-sspi.c:1277 cups/tls-sspi.c:1294
+#: cups/tls-darwin.c:1643 cups/tls-sspi.c:1277 cups/tls-sspi.c:1294
 msgid "Unable to establish a secure connection to host."
 msgstr ""
 
@@ -6773,7 +6777,7 @@ msgstr ""
 msgid "Unable to find printer."
 msgstr ""
 
-#: cups/tls-darwin.c:1407
+#: cups/tls-darwin.c:1457
 msgid "Unable to find server credentials."
 msgstr ""
 
@@ -6898,7 +6902,7 @@ msgstr ""
 msgid "Unable to resolve printer-uri."
 msgstr ""
 
-#: cups/adminutil.c:2119
+#: cups/adminutil.c:2136
 #, c-format
 msgid "Unable to run \"%s\": %s"
 msgstr ""
@@ -7026,7 +7030,7 @@ msgstr ""
 msgid "Unknown scheme in URI"
 msgstr ""
 
-#: cups/http-addrlist.c:781
+#: cups/http-addrlist.c:783
 msgid "Unknown service name."
 msgstr ""
 
@@ -8327,7 +8331,7 @@ msgstr ""
 msgid "scheduler is running"
 msgstr ""
 
-#: cups/adminutil.c:2190
+#: cups/adminutil.c:2207
 #, c-format
 msgid "stat of %s failed: %s"
 msgstr ""
diff --git a/locale/cups.strings b/locale/cups.strings
index 61f2a9399..14c15d406 100644
--- a/locale/cups.strings
+++ b/locale/cups.strings
@@ -808,6 +808,7 @@
 "Cotton Envelope" = "Cotton Envelope";
 "Cover" = "Cover";
 "Created" = "Created";
+"Credentials do not validate against site CA certificate." = "Credentials do not validate against site CA certificate.";
 "Credentials have expired." = "Credentials have expired.";
 "Custom" = "Custom";
 "CustominCutInterval" = "CustominCutInterval";
diff --git a/locale/cups_ca.po b/locale/cups_ca.po
index 0c43c9e1f..4d5d18bde 100644
--- a/locale/cups_ca.po
+++ b/locale/cups_ca.po
@@ -32,7 +32,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: CUPS 1.4.6\n"
 "Report-Msgid-Bugs-To: http://www.cups.org/str.php\n"
-"POT-Creation-Date: 2016-08-25 09:50-0400\n"
+"POT-Creation-Date: 2016-08-30 16:00-0400\n"
 "PO-Revision-Date: 2012-09-29 11:21+0200\n"
 "Last-Translator: Àngel Mompó \n"
 "Language-Team: Catalan \n"
@@ -3086,6 +3086,9 @@ msgstr ""
 msgid "Created"
 msgstr "Creat"
 
+msgid "Credentials do not validate against site CA certificate."
+msgstr ""
+
 msgid "Credentials have expired."
 msgstr ""
 
diff --git a/locale/cups_cs.po b/locale/cups_cs.po
index 3709c7e77..889c3d59f 100644
--- a/locale/cups_cs.po
+++ b/locale/cups_cs.po
@@ -29,7 +29,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: CUPS 1.6\n"
 "Report-Msgid-Bugs-To: http://www.cups.org/str.php\n"
-"POT-Creation-Date: 2016-08-25 09:50-0400\n"
+"POT-Creation-Date: 2016-08-30 16:00-0400\n"
 "PO-Revision-Date: 2012-09-14 10:26+0100\n"
 "Last-Translator: Jan Bartos \n"
 "Language-Team: Czech\n"
@@ -2890,6 +2890,9 @@ msgstr ""
 msgid "Created"
 msgstr "Vytvořeno"
 
+msgid "Credentials do not validate against site CA certificate."
+msgstr ""
+
 msgid "Credentials have expired."
 msgstr ""
 
diff --git a/locale/cups_de.po b/locale/cups_de.po
index 83c601192..928f8f967 100644
--- a/locale/cups_de.po
+++ b/locale/cups_de.po
@@ -29,7 +29,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: CUPS 2.0\n"
 "Report-Msgid-Bugs-To: http://www.cups.org/str.php\n"
-"POT-Creation-Date: 2016-08-25 09:50-0400\n"
+"POT-Creation-Date: 2016-08-30 16:00-0400\n"
 "PO-Revision-Date: 2016-04-22 12:25+0100\n"
 "Last-Translator: Joachim Schwender \n"
 "Language-Team: LANGUAGE \n"
@@ -2957,6 +2957,9 @@ msgstr ""
 msgid "Created"
 msgstr "Erstellt"
 
+msgid "Credentials do not validate against site CA certificate."
+msgstr ""
+
 msgid "Credentials have expired."
 msgstr ""
 
diff --git a/locale/cups_es.po b/locale/cups_es.po
index 205b6535a..44ffaf201 100644
--- a/locale/cups_es.po
+++ b/locale/cups_es.po
@@ -16,7 +16,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: CUPS 2.2\n"
 "Report-Msgid-Bugs-To: http://www.cups.org/str.php\n"
-"POT-Creation-Date: 2016-08-25 09:50-0400\n"
+"POT-Creation-Date: 2016-08-30 16:00-0400\n"
 "PO-Revision-Date: 2016-06-26 21:17+0100\n"
 "Last-Translator: Juan Pablo González Riopedre \n"
 "Language-Team: Spanish\n"
@@ -3161,6 +3161,9 @@ msgstr "Carátula"
 msgid "Created"
 msgstr "Creado"
 
+msgid "Credentials do not validate against site CA certificate."
+msgstr ""
+
 msgid "Credentials have expired."
 msgstr ""
 
diff --git a/locale/cups_fr.po b/locale/cups_fr.po
index 568e89243..40ac9eb27 100644
--- a/locale/cups_fr.po
+++ b/locale/cups_fr.po
@@ -29,7 +29,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: CUPS 1.6\n"
 "Report-Msgid-Bugs-To: http://www.cups.org/str.php\n"
-"POT-Creation-Date: 2016-08-25 09:50-0400\n"
+"POT-Creation-Date: 2016-08-30 16:00-0400\n"
 "PO-Revision-Date: 2012-12-12 11:12+0100\n"
 "Last-Translator: denis meramdjougoma \n"
 "Language-Team: LANGUAGE \n"
@@ -2890,6 +2890,9 @@ msgstr ""
 msgid "Created"
 msgstr "Créé"
 
+msgid "Credentials do not validate against site CA certificate."
+msgstr ""
+
 msgid "Credentials have expired."
 msgstr ""
 
diff --git a/locale/cups_it.po b/locale/cups_it.po
index 244208c20..5f055b183 100644
--- a/locale/cups_it.po
+++ b/locale/cups_it.po
@@ -29,7 +29,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: CUPS 1.6\n"
 "Report-Msgid-Bugs-To: http://www.cups.org/str.php\n"
-"POT-Creation-Date: 2016-08-25 09:50-0400\n"
+"POT-Creation-Date: 2016-08-30 16:00-0400\n"
 "PO-Revision-Date: 2013-07-14 12:00+0200\n"
 "Last-Translator: Giovanni Scafora \n"
 "Language-Team: Arch Linux Italian Team \n"
@@ -3160,6 +3160,9 @@ msgstr ""
 msgid "Created"
 msgstr "Creato"
 
+msgid "Credentials do not validate against site CA certificate."
+msgstr ""
+
 msgid "Credentials have expired."
 msgstr ""
 
diff --git a/locale/cups_ja.po b/locale/cups_ja.po
index 7ee964a31..1ae7aed94 100644
--- a/locale/cups_ja.po
+++ b/locale/cups_ja.po
@@ -28,7 +28,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: CUPS 2.0\n"
 "Report-Msgid-Bugs-To: http://www.cups.org/str.php\n"
-"POT-Creation-Date: 2016-08-25 09:50-0400\n"
+"POT-Creation-Date: 2016-08-30 16:00-0400\n"
 "PO-Revision-Date: 2014-11-15 19:27+0900\n"
 "Last-Translator: OPFC TRANSCUPS \n"
 "Language-Team: OPFC TRANSCUPS \n"
@@ -3119,6 +3119,9 @@ msgstr ""
 msgid "Created"
 msgstr "ジョブ作成"
 
+msgid "Credentials do not validate against site CA certificate."
+msgstr ""
+
 msgid "Credentials have expired."
 msgstr ""
 
diff --git a/locale/cups_pt_BR.po b/locale/cups_pt_BR.po
index 4e9e5ec1c..bfd303018 100644
--- a/locale/cups_pt_BR.po
+++ b/locale/cups_pt_BR.po
@@ -40,7 +40,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: CUPS 2.1.2\n"
 "Report-Msgid-Bugs-To: http://www.cups.org/str.php\n"
-"POT-Creation-Date: 2016-08-25 09:50-0400\n"
+"POT-Creation-Date: 2016-08-30 16:00-0400\n"
 "PO-Revision-Date: 2016-01-31 16:45-0200\n"
 "Last-Translator: Rafael Fontenelle \n"
 "Language-Team: Brazilian Portuguese \n"
@@ -3161,6 +3161,9 @@ msgstr ""
 msgid "Created"
 msgstr "Criada"
 
+msgid "Credentials do not validate against site CA certificate."
+msgstr ""
+
 msgid "Credentials have expired."
 msgstr ""
 
diff --git a/locale/cups_ru.po b/locale/cups_ru.po
index e0de8bfad..130945f50 100644
--- a/locale/cups_ru.po
+++ b/locale/cups_ru.po
@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: CUPS 2.0\n"
 "Report-Msgid-Bugs-To: http://www.cups.org/str.php\n"
-"POT-Creation-Date: 2016-08-25 09:50-0400\n"
+"POT-Creation-Date: 2016-08-30 16:00-0400\n"
 "PO-Revision-Date: 2015-01-28 12:00-0800\n"
 "Last-Translator: Aleksandr Proklov\n"
 "Language-Team: PuppyRus Linux Team\n"
@@ -3093,6 +3093,9 @@ msgstr ""
 msgid "Created"
 msgstr "Создано"
 
+msgid "Credentials do not validate against site CA certificate."
+msgstr ""
+
 msgid "Credentials have expired."
 msgstr ""
 
-- 
2.39.2