rpms/sscg
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI sscg-3.0.5-9.el10

Browse Source
This commit is contained in:
eabdullin 2025-05-14 17:37:15 +00:00
parent b17a98dca3
commit 097640ba44
9 changed files with 357 additions and 346 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sscg-3.0.0.tar.xz
sscg-3.0.5.tar.gz

1
.sscg.metadata
View File

@ -1 +0,0 @@
81e3b33e118edff96583314ceb4bfde9a1e6b45c SOURCES/sscg-3.0.0.tar.xz

205
0001-Extend-maximum-DNS-name-to-255.patch Normal file
View File

@ -0,0 +1,205 @@
From 750dee2eded3b1c16e0434fa387d35a869545d9e Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 15 Feb 2023 15:49:38 -0500
Subject: [PATCH 1/2] Extend maximum DNS name to 255
The hostname part is still restricted to 63 characters
See RFC 1035, section 2.3.4
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
include/sscg.h | 3 +++
src/arguments.c | 35 +++++++++++++++++++++++++++--------
src/authority.c | 26 +++++++++++++++++++++++---
src/cert.c | 5 +++++
src/x509.c | 6 +++---
5 files changed, 61 insertions(+), 14 deletions(-)
diff --git a/include/sscg.h b/include/sscg.h
index 0f35631018dc2745e986cd1e7e094e3e37be8e54..f0c6d93b871e4bd3f2c805be8dfa7485ec34746a 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -313,6 +313,9 @@ enum sscg_cert_type
#define SSCG_MIN_KEY_PASS_LEN 4
#define SSCG_MAX_KEY_PASS_LEN 1023
+/* RFC 1035, section 2.3.4 (Size Limits) */
+#define MAX_HOST_LEN 63
+#define MAX_FQDN_LEN 255
int
sscg_handle_arguments (TALLOC_CTX *mem_ctx,
diff --git a/src/arguments.c b/src/arguments.c
index 0b7a060d31bed97130c7cb9b7feacf0876e25c0d..2f412bee1bee9620f28b6e84aed4aef17aee3a6a 100644
--- a/src/arguments.c
+++ b/src/arguments.c
@@ -786,10 +786,19 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
}
CHECK_MEM (options->hostname);
- if (strnlen (options->hostname, MAXHOSTNAMELEN + 1) > MAXHOSTNAMELEN)
+ if (strnlen (options->hostname, MAX_FQDN_LEN + 1) > MAX_FQDN_LEN)
{
- fprintf (
- stderr, "Hostnames may not exceed %d characters\n", MAXHOSTNAMELEN);
+ fprintf (stderr, "FQDNs may not exceed %d characters\n", MAX_FQDN_LEN);
+ ret = EINVAL;
+ goto done;
+ }
+
+ if ((strchr (options->hostname, '.') - options->hostname) > MAX_HOST_LEN + 4)
+ {
+ fprintf (stderr,
+ "Hostnames may not exceed %d characters in Subject "
+ "Alternative Names\n",
+ MAX_HOST_LEN);
ret = EINVAL;
goto done;
}
@@ -798,25 +807,35 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
options struct. It's not the most efficient approach, but
it's only done one time, so there is no sense in optimizing
it. */
+ size_t i = 0;
if (alternative_names)
{
- size_t i = 0;
while (alternative_names[i] != NULL)
{
options->subject_alt_names = talloc_realloc (
- options, options->subject_alt_names, char *, i + 2);
+ options, options->subject_alt_names, char *, i + 1);
CHECK_MEM (options->subject_alt_names);
options->subject_alt_names[i] =
talloc_strdup (options->subject_alt_names, alternative_names[i]);
CHECK_MEM (options->subject_alt_names[i]);
-
- /* Add a NULL terminator to the end */
- options->subject_alt_names[i + 1] = NULL;
i++;
}
}
+ /*
+ The hostname must always be listed in SubjectAlternativeNames as well.
+ Note that the realloc also adds an extra entry for the NULL terminator
+ */
+ options->subject_alt_names =
+ talloc_realloc (options, options->subject_alt_names, char *, i + 2);
+ CHECK_MEM (options->subject_alt_names);
+ options->subject_alt_names[i] =
+ talloc_strdup (options->subject_alt_names, options->hostname);
+ CHECK_MEM (options->subject_alt_names[i]);
+ /* Add a NULL terminator to the end */
+ options->subject_alt_names[i + 1] = NULL;
+
if (options->key_strength < options->minimum_key_strength)
{
fprintf (stderr,
diff --git a/src/authority.c b/src/authority.c
index 4efaa9e730964b9762b59d0e6698c1623901ccfe..f509fd4316c3b7b230f99de6464491c319fc5d45 100644
--- a/src/authority.c
+++ b/src/authority.c
@@ -56,6 +56,7 @@ create_private_CA (TALLOC_CTX *mem_ctx,
char *name_constraint;
char *san;
char *tmp;
+ char *dot;
tmp_ctx = talloc_new (NULL);
CHECK_MEM (tmp_ctx);
@@ -89,6 +90,26 @@ create_private_CA (TALLOC_CTX *mem_ctx,
ca_certinfo->cn = talloc_strdup (ca_certinfo, options->hostname);
CHECK_MEM (ca_certinfo->cn);
+ /* Truncate the CN at the first dot */
+ if ((dot = strchr (ca_certinfo->cn, '.')))
+ *dot = '\0';
+
+ if (options->subject_alt_names)
+ {
+ for (i = 0; options->subject_alt_names[i]; i++)
+ {
+ ca_certinfo->subject_alt_names = talloc_realloc (
+ ca_certinfo, ca_certinfo->subject_alt_names, char *, i + 2);
+ CHECK_MEM (ca_certinfo->subject_alt_names);
+
+ ca_certinfo->subject_alt_names[i] = talloc_strdup (
+ ca_certinfo->subject_alt_names, options->subject_alt_names[i]);
+ CHECK_MEM (ca_certinfo->subject_alt_names[i]);
+
+ /* Add a NULL terminator to the end */
+ ca_certinfo->subject_alt_names[i + 1] = NULL;
+ }
+ }
/* Make this a CA certificate */
@@ -106,10 +127,9 @@ create_private_CA (TALLOC_CTX *mem_ctx,
CHECK_MEM (ex);
sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
- /* Restrict signing to the hostname and subjectAltNames of the
- service certificate */
+ /* Restrict signing to the CN and subjectAltNames of the service certificate */
name_constraint =
- talloc_asprintf (tmp_ctx, "permitted;DNS:%s", options->hostname);
+ talloc_asprintf (tmp_ctx, "permitted;DNS:%s", ca_certinfo->cn);
CHECK_MEM (name_constraint);
if (options->subject_alt_names)
diff --git a/src/cert.c b/src/cert.c
index 99d9109f5981ef408aeb7d05a8327e1a38d5700a..e36de71e7ca9b34f87734542d5646b466cd61d4c 100644
--- a/src/cert.c
+++ b/src/cert.c
@@ -31,6 +31,7 @@
*/
+#include <string.h>
#include "include/sscg.h"
#include "include/cert.h"
#include "include/x509.h"
@@ -52,6 +53,7 @@ create_cert (TALLOC_CTX *mem_ctx,
struct sscg_x509_req *csr;
struct sscg_evp_pkey *pkey;
struct sscg_x509_cert *cert;
+ char *dot;
X509_EXTENSION *ex = NULL;
EXTENDED_KEY_USAGE *extended;
TALLOC_CTX *tmp_ctx = NULL;
@@ -87,6 +89,9 @@ create_cert (TALLOC_CTX *mem_ctx,
certinfo->cn = talloc_strdup (certinfo, options->hostname);
CHECK_MEM (certinfo->cn);
+ /* Truncate the CN at the first dot */
+ if ((dot = strchr (certinfo->cn, '.')))
+ *dot = '\0';
if (options->subject_alt_names)
{
diff --git a/src/x509.c b/src/x509.c
index 4f3f11cd3411f00cf6de3a72ba897adc97944e35..9f6f21b49c2dd70629fed67d327027374eb21b15 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -290,12 +290,12 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
}
CHECK_MEM (san);
- if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
+ if (strnlen (san, MAX_FQDN_LEN + 5) > MAX_FQDN_LEN + 4)
{
fprintf (stderr,
- "Hostnames may not exceed %d characters in Subject "
+ "FQDNs may not exceed %d characters in Subject "
"Alternative Names\n",
- MAXHOSTNAMELEN);
+ MAX_FQDN_LEN);
ret = EINVAL;
goto done;
}
--
2.41.0

34
SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch
View File

@ -1,34 +0,0 @@
From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Sat, 7 Aug 2021 11:48:04 -0400
Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
This macro was dropped in OpenSSL 3.0 and has actually not been
providing a valid return code for some time.
Related: rhbz#1964837
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
include/sscg.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/sscg.h b/include/sscg.h
index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -94,11 +94,10 @@
if (_sslret != 1) \
{ \
/* Get information about error from OpenSSL */ \
unsigned long _ssl_error = ERR_get_error (); \
if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \
- (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) && \
((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \
(ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \
{ \
fprintf ( \
stderr, \
--
2.33.0

46
SOURCES/0002-Correct-certificate-lifetime-calculation.patch
View File

@ -1,46 +0,0 @@
From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Date: Tue, 26 Oct 2021 12:32:13 +0200
Subject: [PATCH 2/2] Correct certificate lifetime calculation
sscg allows passing the certificate lifetime, as a number of days, as a
commandline argument. It converts this value to seconds using the
formula
days * 24 * 3650
which is incorrect. The correct value is 3600.
This effectively adds an extra 20 minutes to the lifetime of the
certificate for each day as given on the commandline, and was enough to
cause some new integration tests in cockpit to fail.
Interestingly, 3650 is the old default value for the number of days of
certificate validity (~10 years) so this probably slipped in as a sort
of muscle-memory-assisted typo.
Let's just write `24 * 60 * 60` to make things clear.
---
src/x509.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/x509.c b/src/x509.c
index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
}
/* set time */
X509_gmtime_adj (X509_get_notBefore (cert), 0);
- X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
+ X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
/* set subject */
subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
sslret = X509_set_subject_name (cert, subject);
CHECK_SSL (sslret, X509_set_subject_name);
--
2.33.0

68
SOURCES/0003-Truncate-IP-address-in-SAN.patch
View File

@ -1,68 +0,0 @@
From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 8 Mar 2022 16:33:35 -0500
Subject: [PATCH] Truncate IP address in SAN
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
but in OpenSSL 3.0 it is rejected as an invalid input.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/x509.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/x509.c b/src/x509.c
index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
size_t i;
X509_NAME *subject;
char *alt_name = NULL;
char *tmp = NULL;
char *san = NULL;
+ char *slash = NULL;
TALLOC_CTX *tmp_ctx;
X509_EXTENSION *ex = NULL;
struct sscg_x509_req *csr;
/* Make sure we have a key available */
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
}
else
{
san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
+ /* SAN IP addresses cannot include the subnet mask */
+ if ((slash = strchr (san, '/')))
+ {
+ /* Truncate at the slash */
+ *slash = '\0';
+ }
}
CHECK_MEM (san);
if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
{
@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
alt_name = tmp;
}
}
ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
- CHECK_MEM (ex);
+ if (!ex)
+ {
+ ret = EINVAL;
+ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
+ goto done;
+ }
+
sk_X509_EXTENSION_push (certinfo->extensions, ex);
/* Set the public key for the certificate */
sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
--
2.35.1

139
SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
View File

@ -1,139 +0,0 @@
From 282f819bc39c9557ee34f73c6f6623182f680792 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 16 Nov 2022 15:27:58 -0500
Subject: [PATCH] dhparams: don't fail if default file can't be created
Resolves: rhbz#2143206
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/arguments.c | 1 -
src/io_utils.c | 12 +++++++++++
src/sscg.c | 55 +++++++++++++++++++++++++++++++++----------------
3 files changed, 49 insertions(+), 19 deletions(-)
diff --git a/src/arguments.c b/src/arguments.c
index 7b9da14a732875b0f33a12e22a97d51a78216839..770d834aacc05d6d92cc0c855852eadb88f8c9bc 100644
--- a/src/arguments.c
+++ b/src/arguments.c
@@ -69,7 +69,6 @@ set_default_options (struct sscg_options *opts)
opts->lifetime = 398;
- opts->dhparams_file = talloc_strdup (opts, "dhparams.pem");
opts->dhparams_group = talloc_strdup (opts, "ffdhe4096");
opts->dhparams_generator = 2;
diff --git a/src/io_utils.c b/src/io_utils.c
index 1b8bc41c3849acbe4657ae14dfe55e3010957129..5d34327bdbe450add5326ac20c337c9399b471dc 100644
--- a/src/io_utils.c
+++ b/src/io_utils.c
@@ -544,6 +544,18 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)
{
SSCG_LOG (SSCG_DEBUG, "Opening %s\n", stream->path);
stream->bio = BIO_new_file (stream->path, create_mode);
+ if (!stream->bio)
+ {
+ fprintf (stderr,
+ "Could not write to %s. Check directory permissions.\n",
+ stream->path);
+
+ /* The dhparams file is special, it will be handled later */
+ if (i != SSCG_FILE_TYPE_DHPARAMS)
+ {
+ continue;
+ }
+ }
CHECK_BIO (stream->bio, stream->path);
}
diff --git a/src/sscg.c b/src/sscg.c
index 1bf8019c2dda136abe56acd101dfe8ad0b3d725d..dcff4cd2b8dfd2e11c8612d36ecc94b175e9dc26 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -93,6 +93,7 @@ main (int argc, const char **argv)
int ret, sret;
struct sscg_options *options;
bool build_client_cert = false;
+ char *dhparams_file = NULL;
struct sscg_x509_cert *cacert;
struct sscg_evp_pkey *cakey;
@@ -182,9 +183,19 @@ main (int argc, const char **argv)
options->crl_mode);
CHECK_OK (ret);
+ if (options->dhparams_file)
+ {
+ dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
+ }
+ else
+ {
+ dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
+ }
+ CHECK_MEM (dhparams_file);
+
ret = sscg_io_utils_add_output_file (options->streams,
SSCG_FILE_TYPE_DHPARAMS,
- options->dhparams_file,
+ dhparams_file,
options->dhparams_mode);
CHECK_OK (ret);
@@ -281,28 +292,36 @@ main (int argc, const char **argv)
/* Create DH parameters file */
- bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS);
- if (options->dhparams_prime_len > 0)
+ if ((bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS)))
{
- ret = create_dhparams (options->verbosity,
- options->dhparams_prime_len,
- options->dhparams_generator,
- &dhparams);
- CHECK_OK (ret);
+ if (options->dhparams_prime_len > 0)
+ {
+ ret = create_dhparams (options->verbosity,
+ options->dhparams_prime_len,
+ options->dhparams_generator,
+ &dhparams);
+ CHECK_OK (ret);
+ }
+ else
+ {
+ ret = get_params_by_named_group (options->dhparams_group, &dhparams);
+ CHECK_OK (ret);
+ }
+
+ /* Export the DH parameters to the file */
+ sret = PEM_write_bio_Parameters (bp, dhparams);
+ CHECK_SSL (sret, PEM_write_bio_Parameters ());
+ ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
+ EVP_PKEY_free (dhparams);
}
- else
+ else if (options->dhparams_file)
{
- ret = get_params_by_named_group (options->dhparams_group, &dhparams);
- CHECK_OK (ret);
+ /* A filename was explicitly passed, but it couldn't be created */
+ ret = EPERM;
+ fprintf (stderr, "Could not write to %s: ", options->dhparams_file);
+ goto done;
}
- /* Export the DH parameters to the file */
- sret = PEM_write_bio_Parameters (bp, dhparams);
- CHECK_SSL (sret, PEM_write_bio_Parameters ());
- ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
- EVP_PKEY_free (dhparams);
-
-
/* Set the final file permissions */
sscg_io_utils_finalize_output_files (options->streams);
--
2.38.1

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (sscg-3.0.5.tar.gz) = da4db537096608683726084ea342cf3e06ec25da16c4475a29e83a466486a4ace8b58253520034eb263d8cefde14e21f3fe69d23fa75686cab5e3a7f8e170442

207
SPECS/sscg.spec → sscg.spec
View File

@ -1,3 +1,13 @@
## START: Set by rpmautospec
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 9;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec
%global provider github
%global provider_tld com
%global project sgallagher
@ -6,18 +16,22 @@
%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
%global import_path %{provider_prefix}
%{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs}
Name: sscg
Version: 3.0.0
Release: 7%{?dist}
Version: 3.0.5
Release: %autorelease
Summary: Simple SSL certificate generator
License: GPLv3+ with exceptions
License: GPL-3.0-or-later WITH cryptsetup-OpenSSL-exception
URL: https://%{provider_prefix}
Source0: https://%{provider_prefix}/releases/download/%{repo}-%{version}/%{repo}-%{version}.tar.xz
Source0: sscg-3.0.5.tar.gz
# Extend maximum DNS name to 255
# Author: Stephen Gallagher <sgallagh@redhat.com>
Patch1: 0001-Extend-maximum-DNS-name-to-255.patch
BuildRequires: gcc
BuildRequires: libtalloc-devel
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: popt-devel
BuildRequires: libpath_utils-devel
@ -26,12 +40,6 @@ BuildRequires: ninja-build
BuildRequires: help2man
Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
Patch0003: 0003-Truncate-IP-address-in-SAN.patch
Patch0004: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
%description
A utility to aid in the creation of more secure "self-signed"
certificates. The certificates created by this tool are generated in a
@ -41,7 +49,7 @@ up a full PKI environment and without exposing the machine to a risk of
false signatures from the service certificate.
%prep
%autosetup -p1
%autosetup -p1 -n sscg-3.0.5
%build
@ -61,69 +69,152 @@ false signatures from the service certificate.
%{_mandir}/man8/%{name}.8*
%changelog
* Thu Dec 08 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-7
- Correctly apply the patch for default dhparams
- Resolves: rhbz#2143206
## START: Generated by rpmautospec
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.0.5-9
- Bump release for October 2024 mass rebuild:
* Mon Nov 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
- Don't fail if default dhparams file can't be created
- Resolves: rhbz#2143206
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.0.5-8
- Bump release for June 2024 mass rebuild
* Thu Jul 14 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
- Rebase to sscg 3.0.0
- Resolves: rhbz#2107369
- Resolves: rhbz#2091525
* Fri Jun 21 2024 Branislav Náter <bnater@redhat.com> - 3.0.5-7
- Adding gating rules for RHEL
* Thu Jun 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-15
- Fix certificate lifetime calculation
- Resolves: rhbz#2091525
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-14
- Properly handling reading long passphrase files.
* Thu Nov 16 2023 Joe Orton <jorton@redhat.com> - 3.0.5-5
- SPDX migration
* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-13
- Fix missing error check for --*-key-passfile
* Fri Sep 01 2023 Stephen Gallagher <sgallagh@redhat.com> - 3.0.5-4
- Update README.md with latest usage
* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-12
- Improve validation of command-line arguments
- Resolves: rhbz#1784441
- Resolves: rhbz#1784443
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jan 07 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-11
- Further improve --client-key-file help message
- Resolves: rhbz#1720667
* Wed Jul 19 2023 Stephen Gallagher <sgallagh@redhat.com> - 3.0.5-2
- Extend maximum DNS name to 256
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-10
- Fix incorrect help message
- Resolves: rhbz#1720667
* Tue Jun 20 2023 Stephen Gallagher <sgallagh@redhat.com> - 3.0.5-1
- Release 3.0.5
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-9
- Fix null-dereference and memory leak issues with client certs
- Resolves: rhbz#1720667
* Thu Jun 08 2023 Stephen Gallagher <sgallagh@redhat.com> - 3.0.3-4
- [packit] 3.0.4 upstream release
* Wed Dec 11 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-8
- Add support for generating client authentication certificates
- Resolves: rhbz#1720667
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Nov 01 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-7
- Add support for password-protecting the private key files
- Resolves: rhbz#1717880
* Mon Jan 16 2023 Stephen Gallagher <sgallagh@redhat.com> - 3.0.3-2
- Add missing BR: openssl
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
- Fixes for issues detected by automated testing.
- Resolves: rhbz#1653323
* Mon Jan 16 2023 Stephen Gallagher <sgallagh@redhat.com> - 3.0.3-1
- Release 3.0.3
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-5
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.2-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Apr 20 2022 Branislav Náter <bnater@redhat.com> - 3.0.2-8
- Adding fmf metadata
* Wed Apr 20 2022 Branislav Náter <bnater@redhat.com> - 3.0.2-7
- Adding tmt test plans and gating configuration
* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.2-3
- Truncate IP address in SAN
* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.2-2
- Remove old packit data
* Mon Feb 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.2-1
- [packit] 3.0.2 upstream release
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Oct 29 2021 Packit Service <user-cont-team+packit-service@redhat.com> - 3.0.1-1
- [packit] 3.0.1 upstream release
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-5
- Rebuilt with OpenSSL 3.0.0
* Sat Aug 07 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
- Drop usage of ERR_GET_FUNC()
* Sat Aug 07 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-3
- Enable autorelease and autochangelog
* Wed Jul 21 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-1
- Release 3.0.0
- Support for OpenSSL 3.0
- Support for outputting named Diffie-Hellman parameter groups
- Support for CentOS Stream 9
* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-5
- Fixing incorrect license declaration
* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-4
- Updating to rebuild against the latest glibc
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 23 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-1
- Update to 2.6.2
- Handle very short and very long passphrases properly (fixes rhbz#1850183)
- Drop upstreamed patch
* Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-4
- Rebuild with corrected ELN macro definitions
* Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-3
- Don't bother running clang-format in the RPM build
- Lengthen the test timeout so ARM tests pass
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-1
- Bugfixes from upstream
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-2
- Fix incorrect help description for --client-key-file
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-1
- Update to 2.6.0
- Can now generate an empty CRL file.
- Can now create and store a Diffie-Hellman parameters (dhparams) file.
- Support for setting a password on private keys.
- Support for generating a client authentication certificate and key.
- Better support for OpenSSL 1.0
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.1-1
- Update to 2.5.1
- Fixes discovered by automated testing.
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.0-1
- Update to 2.5.0
- Auto-detect the hash algorithm to use by default.
* Tue Nov 27 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.4.0-1
- Update to 2.4.0
- Autodetect the minimum key strength from the system security level.
- Autodetect the hash algorithm to use from the system security level.
- Disallow setting a key strength below the system minimum.
- Resolves: rhbz#1653323
- Drop upstreamed patches
* Mon Sep 17 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-4
- Add a manpage for sscg.
- Add a manpage.
* Thu Jul 05 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-3
- Strip out bundled popt since RHEL 8 has a new-enough version.
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
@ -266,3 +357,5 @@ false signatures from the service certificate.
* Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-1
- First packaging
## END: Generated by rpmautospec