Give warning on not supported hash for RSA keys

Resolves: #2069877
2022-06-29 08:56:02 +02:00 · 2022-06-29 08:56:02 +02:00 · a654ea1b9c
commit a654ea1b9c
parent 5a103aa493
3 changed files with 44 additions and 29 deletions
--- a/0001-Give-error-message-for-failed-PGP-key-import.patch
+++ b/0001-Give-error-message-for-failed-PGP-key-import.patch
@ -1,25 +0,0 @@
-From b105f03f956e6e1523df2ac3fffc86b924fd6e1b Mon Sep 17 00:00:00 2001
-From: Florian Festi <ffesti@redhat.com>
-Date: Thu, 16 Jun 2022 14:29:01 +0200
-Subject: [PATCH] Give error message for failed PGP key import
-
-due to missing SHA1 support
---
- rpmio/rpmpgp.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
-index d0688ebe9..71f8ed192 100644
--- a/rpmio/rpmpgp.c
-+++ b/rpmio/rpmpgp.c
-@@ -860,6 +860,7 @@ int pgpPubkeyFingerprint(const uint8_t *h, size_t hlen,
- 		*fplen = dlen;
- 	    } else {
- 		free(d);
-+		rpmlog(RPMLOG_ERR, _("Failed calculating fingerprint of public key. SHA1 not supported.\n"));
- 	    }
- 	}
- 
-- 
-2.36.1
-
--- a/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
+++ b/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
@ -0,0 +1,40 @@
+From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Tue, 28 Jun 2022 12:50:54 +0200
+Subject: [PATCH] Give warning on not supported hash for RSA keys
+
+This can happen when old keys are used on systems that have disabled SHA1
+e.g. for FIPS requirements.
+
+This is less than ideal but there is currently no way to pass a meaningful
+error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key
+or NULL.
+
+See rhbz#2069877
+---
+ rpmio/digest_openssl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
+index a28a13acc..2ec5140f1 100644
+--- a/rpmio/digest_openssl.c
+++ b/rpmio/digest_openssl.c
+@@ -4,6 +4,7 @@
+ #include <openssl/rsa.h>
+ #include <openssl/dsa.h>
+ #include <rpm/rpmpgp.h>
+#include <rpm/rpmlog.h>
+ 
+ #include "rpmio/digest.h"
+ 
+@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
+ 
+     ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));
+     if (ret < 0) {
+	rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));
+         rc = 1;
+         goto done;
+     }
+-- 
+2.36.1
+
--- a/rpm.spec
+++ b/rpm.spec
@ -32,7 +32,7 @@

 %global rpmver 4.16.1.3
 #global snapver rc1
-%global rel 13
+%global rel 14
 %global sover 9

 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@ -87,7 +87,7 @@ Patch113: rpm-4.16.1.3-fix-spurious-transfiletriggerpostun-execution.patch
 Patch906: rpm-4.7.1-geode-i686.patch
 # Probably to be upstreamed in slightly different form
 Patch907: rpm-4.15.x-ldflags.patch
-Patch908: 0001-Give-error-message-for-failed-PGP-key-import.patch
+Patch908: 0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch

 # Not yet (all) upstream, debugedit DWARF5
 # https://code.wildebeest.org/git/user/mjw/rpm/log/?h=gcc-dwarf5-4.16.1.2
@ -612,8 +612,8 @@ fi
 %doc doc/librpm/html/*

 %changelog
-* Thu Jun 16 2022 Florian Festi <ffesti@redhat.com> - 4.16.1.3-13
- Error message for failed key import (#2069877)
+* Tue Jun 28 2022 Florian Festi <ffesti@redhat.com> - 4.16.1.3-14
+- Warning for failed key import (#2069877)

 * Tue Apr 05 2022 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-12
 - Fix minor ABI regression in rpmcli.h (#2037352)