From 29dbec123b28b0ae792cdc0ecb401093097881ed Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Fri, 29 Oct 2021 13:20:12 -0400 Subject: [PATCH] Correct certificate lifetime calculation Resolves: rhbz#2017667 Signed-off-by: Stephen Gallagher --- 0001-Drop-usage-of-ERR_GET_FUNC.patch | 8 ++-- ...ect-certificate-lifetime-calculation.patch | 46 +++++++++++++++++++ sscg.spec | 7 ++- 3 files changed, 56 insertions(+), 5 deletions(-) create mode 100644 0002-Correct-certificate-lifetime-calculation.patch diff --git a/0001-Drop-usage-of-ERR_GET_FUNC.patch b/0001-Drop-usage-of-ERR_GET_FUNC.patch index 97adf7c..5ad7b9d 100644 --- a/0001-Drop-usage-of-ERR_GET_FUNC.patch +++ b/0001-Drop-usage-of-ERR_GET_FUNC.patch @@ -1,7 +1,7 @@ -From 60377ad4a6a6ef2012d502f118fedb425f4a11af Mon Sep 17 00:00:00 2001 +From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Sat, 7 Aug 2021 11:48:04 -0400 -Subject: [PATCH] Drop usage of ERR_GET_FUNC() +Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC() This macro was dropped in OpenSSL 3.0 and has actually not been providing a valid return code for some time. @@ -14,7 +14,7 @@ Signed-off-by: Stephen Gallagher 1 file changed, 1 deletion(-) diff --git a/include/sscg.h b/include/sscg.h -index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc7e4ba2cc 100644 +index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644 --- a/include/sscg.h +++ b/include/sscg.h @@ -94,11 +94,10 @@ @@ -30,5 +30,5 @@ index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc fprintf ( \ stderr, \ -- -2.31.1 +2.33.0 diff --git a/0002-Correct-certificate-lifetime-calculation.patch b/0002-Correct-certificate-lifetime-calculation.patch new file mode 100644 index 0000000..5a0b87b --- /dev/null +++ b/0002-Correct-certificate-lifetime-calculation.patch 
@@ -0,0 +1,46 @@
+From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
+From: Allison Karlitskaya
+Date: Tue, 26 Oct 2021 12:32:13 +0200
+Subject: [PATCH 2/2] Correct certificate lifetime calculation
+
+sscg allows passing the certificate lifetime, as a number of days, as a
+commandline argument. It converts this value to seconds using the
+formula
+
+ days * 24 * 3650
+
+which is incorrect. The correct value is 3600.
+
+This effectively adds an extra 20 minutes to the lifetime of the
+certificate for each day as given on the commandline, and was enough to
+cause some new integration tests in cockpit to fail.
+
+Interestingly, 3650 is the old default value for the number of days of
+certificate validity (~10 years) so this probably slipped in as a sort
+of muscle-memory-assisted typo.
+
+Let's just write `24 * 60 * 60` to make things clear.
+---
+ src/x509.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
+ X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
+ }
+
+ /* set time */
+ X509_gmtime_adj (X509_get_notBefore (cert), 0);
+- X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
++ X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
+
+ /* set subject */
+ subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
+ sslret = X509_set_subject_name (cert, subject);
+ CHECK_SSL (sslret, X509_set_subject_name);
+--
+2.33.0
+
diff --git a/sscg.spec b/sscg.spec
index 7e738bd..782aff0 100644
--- a/sscg.spec
+++ b/sscg.spec
@@ -9,7 +9,7 @@ Name: sscg Version: 3.0.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Simple SSL certificate generator License: GPLv3+ with exceptions
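Review bot: The corrected `days * 24 * 60 * 60` in the src/x509.c hunk carried by 0002-Correct-certificate-lifetime-calculation.patch is still evaluated in the type of `days`, which is declared outside the hunk. If that type is `int`, a large lifetime given on the command line overflows before the value reaches X509_gmtime_adj(), and the resulting notAfter no longer matches what the operator asked for. OpenSSL's X509_time_adj_ex() takes the day count and the second offset as separate arguments, so the multiplication can be dropped: `X509_time_adj_ex (X509_get_notAfter (cert), days, 0, NULL);`. Both adjust calls in this hunk also discard their return value, while the following X509_set_subject_name call is checked with CHECK_SSL. A NULL return here would leave the validity window unset, so it deserves a check as well. sscg_sign_x509_csr starts and ends outside the hunk.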
@@ -27,6 +27,7 @@ BuildRequires: help2man Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch +Patch0002: 0002-Correct-certificate-lifetime-calculation.patch %description @@ -58,6 +59,10 @@ false signatures from the service certificate. %{_mandir}/man8/%{name}.8* %changelog +* Fri Oct 29 2021 Stephen Gallagher - 3.0.0-4 +- Correct certificate lifetime calculation +- Resolves: rhbz#2017667 + * Tue Aug 10 2021 Mohan Boddu - 3.0.0-3 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688