forked from rpms/openssl
add script for renewal of a self-signed cert by Philip Prindeville (#871566)
- allow X509_issuer_and_serial_hash() produce correct result in the FIPS mode (#881336)
This commit is contained in:
parent
07ac3d216e
commit
c67ea975b9
11
openssl-1.0.1c-issuer-hash.patch
Normal file
11
openssl-1.0.1c-issuer-hash.patch
Normal file
@ -0,0 +1,11 @@
|
||||
diff -up openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1c/crypto/x509/x509_cmp.c
|
||||
--- openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash 2011-06-22 04:18:06.000000000 +0200
|
||||
+++ openssl-1.0.1c/crypto/x509/x509_cmp.c 2012-12-21 17:18:38.101308997 +0100
|
||||
@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
|
||||
char *f;
|
||||
|
||||
EVP_MD_CTX_init(&ctx);
|
||||
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
|
||||
ret=strlen(f);
|
||||
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
|
11
openssl.spec
11
openssl.spec
@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
|
||||
Name: openssl
|
||||
Version: 1.0.1c
|
||||
# Do not forget to bump SHLIB_VERSION on version upgrades
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -31,6 +31,7 @@ Source: openssl-%{version}-usa.tar.xz
|
||||
Source1: hobble-openssl
|
||||
Source2: Makefile.certificate
|
||||
Source6: make-dummy-cert
|
||||
Source7: renew-dummy-cert
|
||||
Source8: openssl-thread-test.c
|
||||
Source9: opensslconf-new.h
|
||||
Source10: opensslconf-new-warning.h
|
||||
@ -46,6 +47,7 @@ Patch8: openssl-1.0.1c-perlfind.patch
|
||||
Patch9: openssl-1.0.1c-aliasing.patch
|
||||
# Bug fixes
|
||||
Patch23: openssl-1.0.1c-default-paths.patch
|
||||
Patch24: openssl-1.0.1c-issuer-hash.patch
|
||||
# Functionality changes
|
||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||
Patch34: openssl-0.9.6-x509.patch
|
||||
@ -151,6 +153,7 @@ from other formats to the formats used by the OpenSSL toolkit.
|
||||
%patch9 -p1 -b .aliasing
|
||||
|
||||
%patch23 -p1 -b .default-paths
|
||||
%patch24 -p1 -b .issuer-hash
|
||||
|
||||
%patch33 -p1 -b .ca-dir
|
||||
%patch34 -p1 -b .x509
|
||||
@ -300,6 +303,7 @@ done
|
||||
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
|
||||
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile
|
||||
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert
|
||||
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/renew-dummy-cert
|
||||
|
||||
# Make sure we actually include the headers we built against.
|
||||
for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do
|
||||
@ -431,6 +435,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Fri Dec 21 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-11
|
||||
- add script for renewal of a self-signed cert by Philip Prindeville (#871566)
|
||||
- allow X509_issuer_and_serial_hash() produce correct result in
|
||||
the FIPS mode (#881336)
|
||||
|
||||
* Thu Dec 6 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-10
|
||||
- do not load default verify paths if CApath or CAfile specified (#884305)
|
||||
|
||||
|
42
renew-dummy-cert
Executable file
42
renew-dummy-cert
Executable file
@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ $# -eq 0 ]; then
|
||||
echo $"Usage: `basename $0` filename" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
PEM=$1
|
||||
REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
NEW=${PEM}_
|
||||
|
||||
trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
|
||||
|
||||
if [ ! -f $PEM ]; then
|
||||
echo "$PEM: file not found" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2)
|
||||
let SERIAL++
|
||||
|
||||
umask 077
|
||||
|
||||
OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
|
||||
|
||||
openssl rsa -inform pem -in $PEM -out $KEY
|
||||
openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
|
||||
openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \
|
||||
-extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
|
||||
|
||||
(cat $KEY ; echo "" ; cat $CRT) > $NEW
|
||||
|
||||
chown $OWNER $NEW
|
||||
|
||||
mv -f $NEW $PEM
|
||||
|
||||
rm -f $REQ $KEY $CRT
|
||||
|
||||
exit 0
|
||||
|
Loading…
Reference in New Issue
Block a user