From 52d608c4cba64fadba556e4ff36cdaadafbb1b71 Mon Sep 17 00:00:00 2001
From: Vitezslav Crhonek <vcrhonek@redhat.com>
Date: Tue, 7 Oct 2025 12:07:26 +0200
Subject: [PATCH] Update OpenSSL certificates set up

Resolves: RHEL-118293
---
 sblim-sfcb-1.4.9-ssl-certs-gen-changes.patch | 71 ++++++++++++++++++++
 sblim-sfcb.spec                              |  6 ++
 2 files changed, 77 insertions(+)
 create mode 100644 sblim-sfcb-1.4.9-ssl-certs-gen-changes.patch

diff --git a/sblim-sfcb-1.4.9-ssl-certs-gen-changes.patch b/sblim-sfcb-1.4.9-ssl-certs-gen-changes.patch
new file mode 100644
index 0000000..b8e7653
--- /dev/null
+++ b/sblim-sfcb-1.4.9-ssl-certs-gen-changes.patch
@@ -0,0 +1,71 @@
+diff -up sblim-sfcb-1.4.9/genSslCert.sh.orig sblim-sfcb-1.4.9/genSslCert.sh
+--- sblim-sfcb-1.4.9/genSslCert.sh.orig	2014-11-25 02:43:10.000000000 +0100
++++ sblim-sfcb-1.4.9/genSslCert.sh	2025-10-07 11:23:59.201504832 +0200
+@@ -4,6 +4,44 @@ HOSTNAME=`uname -n`
+ DO_SERVER=yes
+ DO_CLIENT=yes
+ DIR=`mktemp -d /var/tmp/sfcb.XXXXXX` || exit 1
++DAYS=365
++# Get minimum RSA key length at current security level
++# This workarounds openssl not enforcing min. key length enforced by current security level
++KEYSIZE=`grep min_rsa_size /etc/crypto-policies/state/CURRENT.pol 2>/dev/null | cut -d ' ' -f 3`
++if [ -z "$KEYSIZE" ]; then
++    KEYSIZE=2048  # fallback to safe default
++fi
++
++function create_ssl_cnf()
++{
++cat > $DIR/ssl.cnf <<EOF
++[req]
++distinguished_name=user_dn
++prompt=no
++
++[user_dn]
++CN=$HOSTNAME
++emailAddress=root@$HOSTNAME
++EOF
++}
++
++function selfsign_sscg()
++{
++    sscg --quiet \
++         --lifetime "${DAYS}" \
++         --cert-key-file "${DIR}"/key.pem \
++         --cert-file "${DIR}"/cert.pem \
++         --ca-file "${DIR}"/ca.crt \
++         --hostname "${HOSTNAME}" \
++         --email root@"{$HOSTNAME}"
++}
++
++function selfsign_openssl()
++{
++    openssl req -x509 -days $DAYS -newkey rsa:$KEYSIZE \
++       -nodes -config $DIR/ssl.cnf   \
++       -keyout $DIR/key.pem -out $DIR/cert.pem
++}
+ 
+ trap "rm -rf $DIR" exit
+ 
+@@ -28,19 +66,10 @@ then
+     exit 0
+ fi
+ 
+-cat > $DIR/ssl.cnf <<EOF
+-[req]
+-distinguished_name=user_dn
+-prompt=no
+-
+-[user_dn]
+-CN=$HOSTNAME
+-emailAddress=root@$HOSTNAME
+-EOF
++create_ssl_cnf
+ 
+-openssl req -x509 -days 365 -newkey rsa:2048 \
+-   -nodes -config $DIR/ssl.cnf   \
+-   -keyout $DIR/key.pem -out $DIR/cert.pem
++# If sscg fails, try openssl
++selfsign_sscg || selfsign_openssl
+ 
+ chmod 700 $DIR/*.pem
+ 
diff --git a/sblim-sfcb.spec b/sblim-sfcb.spec
index 10e2fdd..b79a92f 100644
--- a/sblim-sfcb.spec
+++ b/sblim-sfcb.spec
@@ -43,6 +43,9 @@ Patch9: sblim-sfcb-1.4.9-fix-ppc-optimization-level.patch
 # Patch10: fixes docdir name and removes install of COPYING with license
 #   which is included through %%license
 Patch10: sblim-sfcb-1.4.9-docdir-license.patch
+# Patch11: use sscg to generate cert, openssl as fallback, obtain correct
+#   key length based upon crypto policy level
+Patch11: sblim-sfcb-1.4.9-ssl-certs-gen-changes.patch
 Provides: cim-server = 0
 Requires: cim-schema
 Requires: sblim-sfcCommon
@@ -84,6 +87,7 @@ Programming Interface (CMPI).
 %patch -P8 -p1 -b .fix-null-content-type-crash
 %patch -P9 -p1 -b .fix-ppc-optimization-level
 %patch -P10 -p1 -b .docdir-license
+%patch -P11 -p1 -b .ssl-certs-gen-changes
 
 # Create a sysusers.d config file
 cat >sblim-sfcb.sysusers.conf <<EOF
@@ -154,6 +158,8 @@ fi
 
 %changelog
 * Tue Sep 30 2025 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-26
+- Update OpenSSL certificates set up
+  Resolves: RHEL-118293
 - Eliminate use of obsolete %patchN syntax
   Related: RHEL-91101
 - Add sysusers.d config file to allow rpm to create users/groups automatically