Allow certificate validation with SHA-1 signatures.
Resolves: RHEL-28344
							parent
							
								
									2c5539f849
								
							
						
					
					
						commit
						33fbcb0f34
					
				| @ -53,7 +53,7 @@ | |||||||
| 
 | 
 | ||||||
| Name:           dotnet%{dotnetver} | Name:           dotnet%{dotnetver} | ||||||
| Version:        %{sdk_rpm_version} | Version:        %{sdk_rpm_version} | ||||||
| Release:        2%{?dist} | Release:        3%{?dist} | ||||||
| Summary:        .NET Runtime and SDK | Summary:        .NET Runtime and SDK | ||||||
| License:        0BSD AND Apache-2.0 AND (Apache-2.0 WITH LLVM-exception) AND APSL-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSL-1.0 AND bzip2-1.0.6 AND CC0-1.0 AND CC-BY-3.0 AND CC-BY-4.0 AND CC-PDDC AND CNRI-Python AND EPL-1.0 AND GPL-2.0-only AND (GPL-2.0-only WITH GCC-exception-2.0) AND GPL-2.0-or-later AND GPL-3.0-only AND ICU AND ISC AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-Fedora-Public-Domain AND LicenseRef-ISO-8879 AND MIT AND MIT-Wu AND MS-PL AND MS-RL AND NCSA AND OFL-1.1 AND OpenSSL AND Unicode-DFS-2015 AND Unicode-DFS-2016 AND W3C-19980720 AND X11 AND Zlib | License:        0BSD AND Apache-2.0 AND (Apache-2.0 WITH LLVM-exception) AND APSL-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSL-1.0 AND bzip2-1.0.6 AND CC0-1.0 AND CC-BY-3.0 AND CC-BY-4.0 AND CC-PDDC AND CNRI-Python AND EPL-1.0 AND GPL-2.0-only AND (GPL-2.0-only WITH GCC-exception-2.0) AND GPL-2.0-or-later AND GPL-3.0-only AND ICU AND ISC AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-Fedora-Public-Domain AND LicenseRef-ISO-8879 AND MIT AND MIT-Wu AND MS-PL AND MS-RL AND NCSA AND OFL-1.1 AND OpenSSL AND Unicode-DFS-2015 AND Unicode-DFS-2016 AND W3C-19980720 AND X11 AND Zlib | ||||||
| 
 | 
 | ||||||
| @ -89,6 +89,11 @@ Patch2:         vstest-intent-net8.0.patch | |||||||
| Patch3:         runtime-re-enable-implicit-rejection.patch | Patch3:         runtime-re-enable-implicit-rejection.patch | ||||||
| # https://github.com/dotnet/msbuild/pull/9449 | # https://github.com/dotnet/msbuild/pull/9449 | ||||||
| Patch4:         msbuild-9449-exec-stop-setting-a-locale.patch | Patch4:         msbuild-9449-exec-stop-setting-a-locale.patch | ||||||
|  | # We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed. | ||||||
|  | # A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message | ||||||
|  | # digests used for the signature are not treated as fatal errors. | ||||||
|  | # https://issues.redhat.com/browse/RHEL-25254 | ||||||
|  | Patch5:         runtime-openssl-sha1.patch | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| ExclusiveArch:  aarch64 ppc64le s390x x86_64 | ExclusiveArch:  aarch64 ppc64le s390x x86_64 | ||||||
| @ -707,6 +712,12 @@ export COMPlus_LTTng=0 | |||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Sun Mar 31 2024 Tom Deseyn <tom.deseyn@gmail.com> - 8.0.103-3 | ||||||
|  | - We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed. | ||||||
|  |   A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message | ||||||
|  |   digests used for the signature are not treated as fatal errors. | ||||||
|  | - Resolves: RHEL-28344 | ||||||
|  | 
 | ||||||
| * Tue Mar 19 2024 Omair Majid <omajid@redhat.com> - 8.0.103-2 | * Tue Mar 19 2024 Omair Majid <omajid@redhat.com> - 8.0.103-2 | ||||||
| - Update to .NET SDK 8.0.103 and Runtime 8.0.3 | - Update to .NET SDK 8.0.103 and Runtime 8.0.3 | ||||||
| - Resolves: RHEL-27553 | - Resolves: RHEL-27553 | ||||||
|  | |||||||
							
								
								
									
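--- /dev/null
+++ b/runtime-openssl-sha1.patch
@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn <tom.deseyn@gmail.com>
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c      | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+ 
+     int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+ 
+-    if (val != 0)
+-    {
+-        X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+-    }
+-
+     return val;
+ }
+ 
+-- 
+2.43.2
+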
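Review bot: The pal_x509.c hunk carried by this patch removes the X509_V_FLAG_CHECK_SS_SIGNATURE block from CryptoNative_X509StoreCtxInit without leaving any marker in the code, so anyone rebasing the patch onto a newer runtime sees only a missing flag and has to find the spec comment to learn why. I would keep a one-line comment at the deletion site, `/* RHEL: X509_V_FLAG_CHECK_SS_SIGNATURE is intentionally not set; see RHEL-28344 */`, so the divergence from upstream survives a refresh. The patch description would also benefit from saying what is still checked: as far as I can tell from the flag's name and the description, only the self-signature of the last (trust-anchor) certificate is no longer verified, and the signatures on every other certificate in the chain are still checked by OpenSSL, which is the basis for treating this as low risk; if that reading is confirmed, stating it explicitly in the description and in the spec's Patch5 comment is clearer than "side effect". CryptoNative_X509StoreCtxInit starts before the quoted hunk, outside this patch.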