From 330654936de014aff36887a066466532404625d9 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 7 May 2019 06:52:57 -0400 Subject: [PATCH] import sscg-2.3.3-6.el8 --- .gitignore | 1 + .sscg.metadata | 1 + SOURCES/0001-Generate-manpage.patch | 56 ++++ ...aults-based-on-system-security-level.patch | 249 ++++++++++++++++++ ...aults-based-on-system-security-level.patch | 137 ++++++++++ ...004-Properly-check-all-return-values.patch | 63 +++++ SPECS/sscg.spec | 226 ++++++++++++++++ 7 files changed, 733 insertions(+) create mode 100644 .gitignore create mode 100644 .sscg.metadata create mode 100644 SOURCES/0001-Generate-manpage.patch create mode 100644 SOURCES/0002-Adjust-defaults-based-on-system-security-level.patch create mode 100644 SOURCES/0003-Adjust-hash-defaults-based-on-system-security-level.patch create mode 100644 SOURCES/0004-Properly-check-all-return-values.patch create mode 100644 SPECS/sscg.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5f094c1 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/sscg-2.3.3-stripped.tar.xz diff --git a/.sscg.metadata b/.sscg.metadata new file mode 100644 index 0000000..7151dd4 --- /dev/null +++ b/.sscg.metadata @@ -0,0 +1 @@ +6e880fc36f7d1ebf4a9668dbcb9276b3afcb2904 SOURCES/sscg-2.3.3-stripped.tar.xz diff --git a/SOURCES/0001-Generate-manpage.patch b/SOURCES/0001-Generate-manpage.patch new file mode 100644 index 0000000..f19bc36 --- /dev/null +++ b/SOURCES/0001-Generate-manpage.patch @@ -0,0 +1,56 @@ +From 71e2451c6ba4d5f17de9e24687b66b93f2e58954 Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Mon, 17 Sep 2018 09:58:25 -0400 +Subject: [PATCH 1/4] Generate manpage + +Signed-off-by: Stephen Gallagher +--- + meson.build | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index e6f33475cce6891d17656bcd10e1afabd43bdc07..a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c 100644 +--- a/meson.build ++++ b/meson.build +@@ -5,11 +5,11 @@ project('sscg', 'c', + 'c_std=gnu99', + 'warning_level=1', + 'b_asneeded=true', + ], + license : 'MIT', +- meson_version : '>=0.36.0') ++ meson_version : '>=0.40.0') + + cc = meson.get_compiler('c') + test_cflags = [ + '-Wpointer-arith', + '-Wmissing-declarations', +@@ -139,5 +139,25 @@ cdata.set('version', meson.project_version()) + configure_file( + input : 'config.h.in', + output : 'config.h', + configuration : cdata) + ++# Generate a manpage from the POPT documentation ++help2man = find_program('help2man') ++ ++manpage = custom_target('manpage', ++ output : 'sscg.8', ++ capture : true, ++ command : [ ++ help2man, ++ '-s', '8', ++ '-n', 'Tool for generating x.509 certificates', ++ '-N', ++ sscg, ++ ], ++ install : true, ++ build_by_default : true, ++ install_dir : join_paths( ++ get_option('prefix'), ++ get_option('mandir'), ++ 'man8'), ++) +-- +2.19.1 + diff --git a/SOURCES/0002-Adjust-defaults-based-on-system-security-level.patch b/SOURCES/0002-Adjust-defaults-based-on-system-security-level.patch new file mode 100644 index 0000000..7fe01d8 --- /dev/null +++ b/SOURCES/0002-Adjust-defaults-based-on-system-security-level.patch @@ -0,0 +1,249 @@ +From 942d9fa4f582a372af3d0bd499f073760dec2335 Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Tue, 27 Nov 2018 13:24:37 -0500 +Subject: [PATCH 2/4] Adjust defaults based on system security level + +Also permit arbitrary keylengths. + +Disallow keylengths smaller than the configured system minimum. + +Resolves: rhbz#1653323 + +Signed-off-by: Stephen Gallagher +--- + config.h.in | 1 - + include/sscg.h | 1 + + meson.build | 10 ++++++-- + src/sscg.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++---- + 4 files changed, 68 insertions(+), 8 deletions(-) + delete mode 100644 config.h.in + +diff --git a/config.h.in b/config.h.in +deleted file mode 100644 +index 6044a4355f6c8bfac8d36e533f48f395c597e5ac..0000000000000000000000000000000000000000 +--- a/config.h.in ++++ /dev/null +@@ -1 +0,0 @@ +-#define PACKAGE_VERSION "@version@" +diff --git a/include/sscg.h b/include/sscg.h +index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e376227eb7 100644 +--- a/include/sscg.h ++++ b/include/sscg.h +@@ -137,10 +137,11 @@ struct sscg_options + const char *hostname; + char **subject_alt_names; + + /* Encryption requirements */ + int key_strength; ++ int minimum_key_strength; + const EVP_MD *hash_fn; + + /* Output Files */ + char *ca_file; + char *ca_key_file; +diff --git a/meson.build b/meson.build +index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa 100644 +--- a/meson.build ++++ b/meson.build +@@ -32,10 +32,11 @@ foreach cflag: test_cflags + endif + endforeach + + pkg = import('pkgconfig') + crypto = dependency('libcrypto') ++ssl = dependency('libssl') + path_utils = dependency('path_utils') + talloc = dependency('talloc') + + popt = dependency( + 'popt', +@@ -47,10 +48,14 @@ if popt.found() + else + popt = subproject('popt').get_variable('libpopt_a') + popt_incdirs = include_directories('subprojects/popt') + endif + ++has_get_sec_level = cc.has_function( ++ 'SSL_CTX_get_security_level', ++ dependencies: [ ssl]) ++ + sscg_lib_srcs = [ + 'src/authority.c', + 'src/bignum.c', + 'src/key.c', + 'src/service.c', +@@ -68,10 +73,11 @@ sscg_lib_hdrs = [ + sscg_lib = static_library( + 'sscg', + sources : sscg_lib_srcs, + dependencies : [ + crypto, ++ ssl, + talloc, + ], + install : false, + pic : true, + ) +@@ -133,13 +139,13 @@ init_bignum_test = executable( + install : false, + ) + test('init_bignum_test', init_bignum_test) + + cdata = configuration_data() +-cdata.set('version', meson.project_version()) ++cdata.set_quoted('PACKAGE_VERSION', meson.project_version()) ++cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level) + configure_file( +- input : 'config.h.in', + output : 'config.h', + configuration : cdata) + + # Generate a manpage from the POPT documentation + help2man = find_program('help2man') +diff --git a/src/sscg.c b/src/sscg.c +index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b893300a4414cd 100644 +--- a/src/sscg.c ++++ b/src/sscg.c +@@ -15,30 +15,80 @@ + along with sscg. If not, see . + + Copyright 2017 by Stephen Gallagher + */ + ++#define _GNU_SOURCE + #include + #include + #include + #include + #include + #include + #include + #include ++#include + #include + + #include "config.h" + #include "include/sscg.h" + #include "include/authority.h" + #include "include/service.h" + ++static int ++get_security_level (void) ++{ ++#ifdef HAVE_SSL_CTX_GET_SECURITY_LEVEL ++ SSL_CTX *ssl_ctx = SSL_CTX_new (TLS_method ()); ++ int security_level = SSL_CTX_get_security_level (ssl_ctx); ++ SSL_CTX_free (ssl_ctx); ++ ssl_ctx = NULL; ++ return security_level; ++#else ++ return 0; ++#endif ++} ++ + static int + set_default_options (struct sscg_options *opts) + { ++ int security_level = get_security_level (); ++ + opts->lifetime = 3650; +- opts->key_strength = 2048; ++ ++ /* Select the default key strength based on the system security level ++ * See: ++ * https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html ++ * for the specification of the minimums. ++ */ ++ switch (security_level) ++ { ++ case 0: ++ case 1: ++ case 2: ++ /* Security level 2 and below permits lower key-strengths, but SSCG ++ * will set a minimum of 2048 bits ++ */ ++ opts->key_strength = 2048; ++ break; ++ ++ case 3: opts->key_strength = 3072; break; ++ ++ case 4: opts->key_strength = 7680; break; ++ ++ default: ++ /* Unknown security level. Default to the highest we know about */ ++ fprintf (stderr, ++ "Unknown system security level %d. Defaulting to highest-known " ++ "level.\n", ++ security_level); ++ /* Fall through */ ++ ++ case 5: opts->key_strength = 15360; break; ++ } ++ ++ opts->minimum_key_strength = opts->key_strength; + return 0; + } + + static void + print_options (struct sscg_options *opts) +@@ -115,10 +165,11 @@ main (int argc, const char **argv) + { + int ret, sret, opt; + size_t i; + poptContext pc; + struct sscg_options *options; ++ char *minimum_key_strength_help = NULL; + + char *country = NULL; + char *state = NULL; + char *locality = NULL; + char *organization = NULL; +@@ -170,10 +221,13 @@ main (int argc, const char **argv) + + ret = set_default_options (options); + if (ret != EOK) + goto done; + ++ minimum_key_strength_help = ++ talloc_asprintf (main_ctx, "%d or larger", options->minimum_key_strength); ++ + options->verbosity = SSCG_DEFAULT; + struct poptOption long_options[] = { + POPT_AUTOHELP{ "quiet", + 'q', + POPT_ARG_VAL, +@@ -291,11 +345,11 @@ main (int argc, const char **argv) + '\0', + POPT_ARG_INT | POPT_ARGFLAG_SHOW_DEFAULT, + &options->key_strength, + 0, + _ ("Strength of the certificate private keys in bits."), +- _ ("{512,1024,2048,4096}") }, ++ minimum_key_strength_help }, + { + "hash-alg", + '\0', + POPT_ARG_STRING, + &hash_alg, +@@ -527,15 +581,15 @@ main (int argc, const char **argv) + options->subject_alt_names[i + 1] = NULL; + i++; + } + } + +- if (options->key_strength != 512 && options->key_strength != 1024 && +- options->key_strength != 2048 && options->key_strength != 4096) ++ if (options->key_strength < options->minimum_key_strength) + { + fprintf (stderr, +- "Key strength must be one of {512, 1024, 2048, 4096}.\n"); ++ "Key strength must be at least %d bits.\n", ++ options->minimum_key_strength); + ret = EINVAL; + goto done; + } + + if (!hash_alg) +-- +2.19.1 + diff --git a/SOURCES/0003-Adjust-hash-defaults-based-on-system-security-level.patch b/SOURCES/0003-Adjust-hash-defaults-based-on-system-security-level.patch new file mode 100644 index 0000000..d3d1aee --- /dev/null +++ b/SOURCES/0003-Adjust-hash-defaults-based-on-system-security-level.patch @@ -0,0 +1,137 @@ +From 298015e8a7cf35cc0de581203b44826d2ae1d406 Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Wed, 28 Nov 2018 08:00:08 -0500 +Subject: [PATCH 3/4] Adjust hash defaults based on system security level + +Unlike the key-strength, this does not set a minimum level because +it's not a simple calculation. We will have to rely on libcrypto +rejecting any explicitly-set algorithms as a violation of policy. + +Signed-off-by: Stephen Gallagher +--- + include/sscg.h | 1 + + src/sscg.c | 40 +++++++++++++++++++++------------------- + 2 files changed, 22 insertions(+), 19 deletions(-) + +diff --git a/include/sscg.h b/include/sscg.h +index 3e97cfe49a5cd8fc734ecf43a94156e376227eb7..fc90b81a0060af28529f3be6922b1b1501559300 100644 +--- a/include/sscg.h ++++ b/include/sscg.h +@@ -138,10 +138,11 @@ struct sscg_options + char **subject_alt_names; + + /* Encryption requirements */ + int key_strength; + int minimum_key_strength; ++ char *hash_alg; + const EVP_MD *hash_fn; + + /* Output Files */ + char *ca_file; + char *ca_key_file; +diff --git a/src/sscg.c b/src/sscg.c +index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a83281e37e 100644 +--- a/src/sscg.c ++++ b/src/sscg.c +@@ -64,28 +64,38 @@ set_default_options (struct sscg_options *opts) + { + case 0: + case 1: + case 2: + /* Security level 2 and below permits lower key-strengths, but SSCG +- * will set a minimum of 2048 bits ++ * will set a minimum of 2048 bits and the sha256 hash algorithm. + */ ++ opts->hash_alg = talloc_strdup (opts, "sha256"); + opts->key_strength = 2048; + break; + +- case 3: opts->key_strength = 3072; break; ++ case 3: ++ opts->hash_alg = talloc_strdup (opts, "sha256"); ++ opts->key_strength = 3072; ++ break; + +- case 4: opts->key_strength = 7680; break; ++ case 4: ++ opts->hash_alg = talloc_strdup (opts, "sha384"); ++ opts->key_strength = 7680; ++ break; + + default: + /* Unknown security level. Default to the highest we know about */ + fprintf (stderr, + "Unknown system security level %d. Defaulting to highest-known " + "level.\n", + security_level); + /* Fall through */ + +- case 5: opts->key_strength = 15360; break; ++ case 5: ++ opts->hash_alg = talloc_strdup (opts, "sha512"); ++ opts->key_strength = 15360; ++ break; + } + + opts->minimum_key_strength = opts->key_strength; + return 0; + } +@@ -175,11 +185,10 @@ main (int argc, const char **argv) + char *organization = NULL; + char *organizational_unit = NULL; + char *email = NULL; + char *hostname = NULL; + char *packagename; +- char *hash_alg = NULL; + char **alternative_names = NULL; + + char *ca_file = NULL; + char *ca_key_file = NULL; + char *cert_file = NULL; +@@ -349,14 +358,14 @@ main (int argc, const char **argv) + _ ("Strength of the certificate private keys in bits."), + minimum_key_strength_help }, + { + "hash-alg", + '\0', +- POPT_ARG_STRING, +- &hash_alg, ++ POPT_ARG_STRING | POPT_ARGFLAG_SHOW_DEFAULT, ++ &options->hash_alg, + 0, +- _ ("Hashing algorithm to use for signing. (default: sha256)"), ++ _ ("Hashing algorithm to use for signing."), + _ ("{sha256,sha384,sha512}"), + }, + { + "ca-file", + '\0', +@@ -590,21 +599,14 @@ main (int argc, const char **argv) + options->minimum_key_strength); + ret = EINVAL; + goto done; + } + +- if (!hash_alg) +- { +- /* Default to SHA256 */ +- options->hash_fn = EVP_sha256 (); +- } +- else +- { +- /* TODO: restrict this to approved hashes. +- * For now, we'll only list SHA[256|384|512] in the help */ +- options->hash_fn = EVP_get_digestbyname (hash_alg); +- } ++ /* TODO: restrict this to approved hashes. ++ * For now, we'll only list SHA[256|384|512] in the help */ ++ options->hash_fn = EVP_get_digestbyname (options->hash_alg); ++ + if (!options->hash_fn) + { + fprintf (stderr, "Unsupported hashing algorithm."); + ret = EINVAL; + goto done; +-- +2.19.1 + diff --git a/SOURCES/0004-Properly-check-all-return-values.patch b/SOURCES/0004-Properly-check-all-return-values.patch new file mode 100644 index 0000000..e4c367a --- /dev/null +++ b/SOURCES/0004-Properly-check-all-return-values.patch @@ -0,0 +1,63 @@ +From 9e4497d1dd2a337be1f69e0cfb24ce8080690ccf Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Wed, 28 Nov 2018 09:16:29 -0500 +Subject: [PATCH 4/4] Properly check all return values + +Signed-off-by: Stephen Gallagher +--- + src/authority.c | 1 + + src/service.c | 1 + + src/x509.c | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/src/authority.c b/src/authority.c +index b735868416b7fb5d016f0854baf0f27cd5f98b26..4e0dccc6c1210beffb38acd9f7dfb6108ca4a4ad 100644 +--- a/src/authority.c ++++ b/src/authority.c +@@ -178,10 +178,11 @@ create_private_CA (TALLOC_CTX *mem_ctx, + } + sk_X509_EXTENSION_push (ca_certinfo->extensions, ex); + + /* Finalize the CSR */ + ret = sscg_x509v3_csr_finalize (ca_certinfo, pkey, csr); ++ CHECK_OK (ret); + + if (options->verbosity >= SSCG_DEBUG) + { + fprintf (stderr, "DEBUG: Writing CA CSR to ./debug-ca.csr\n"); + BIO *ca_csr_out = BIO_new_file ("./debug-ca.csr", "w"); +diff --git a/src/service.c b/src/service.c +index b292e94063f032fd3c34a8134702063ea46bfa0c..34c976dbe905528000b181c24d1fa95da3cd1377 100644 +--- a/src/service.c ++++ b/src/service.c +@@ -124,10 +124,11 @@ create_service_cert (TALLOC_CTX *mem_ctx, + ret = sscg_x509v3_csr_new (tmp_ctx, svc_certinfo, pkey, &csr); + CHECK_OK (ret); + + /* Finalize the CSR */ + ret = sscg_x509v3_csr_finalize (svc_certinfo, pkey, csr); ++ CHECK_OK (ret); + + if (options->verbosity >= SSCG_DEBUG) + { + fprintf (stderr, + "DEBUG: Writing service certificate CSR to ./debug-svc.csr\n"); +diff --git a/src/x509.c b/src/x509.c +index 6d152fc969d745cc5cf085116c8688866f9d6ab4..18f0627bc64e7cb503a9e81c36dbe726186d1144 100644 +--- a/src/x509.c ++++ b/src/x509.c +@@ -39,10 +39,11 @@ sscg_generate_serial (TALLOC_CTX *mem_ctx, struct sscg_bignum **serial) + { + return ENOMEM; + } + + ret = sscg_init_bignum (tmp_ctx, 0, &bn); ++ CHECK_OK (ret); + + /* We'll create a random number of sizeof(unsigned long) - 1 bits + to use as the serial. We use unsigned long to ensure that it + could be printed by BN_get_word() later. We omit the last bit + in order to ensure that we can't randomly get 0xffffffffL, which +-- +2.19.1 + diff --git a/SPECS/sscg.spec b/SPECS/sscg.spec new file mode 100644 index 0000000..12b96cf --- /dev/null +++ b/SPECS/sscg.spec @@ -0,0 +1,226 @@ +%global provider github +%global provider_tld com +%global project sgallagher +%global repo sscg +# https://github.com/sgallagher/sscg +%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo} +%global import_path %{provider_prefix} + + +Name: sscg +Version: 2.3.3 +Release: 6%{?dist} +Summary: Simple SSL certificate generator + +License: BSD +URL: https://%{provider_prefix} + +# Run ./sscg-strip.sh to produce a tarball with the bundled popt library +# stripped out to reduce license issues. +Source0: https://%{provider_prefix}/releases/download/%{repo}-%{version}/%{repo}-%{version}-stripped.tar.xz + +BuildRequires: gcc +BuildRequires: libtalloc-devel +BuildRequires: openssl-devel +BuildRequires: popt-devel +BuildRequires: libpath_utils-devel +BuildRequires: meson +BuildRequires: ninja-build +BuildRequires: help2man + +# Patches +Patch0001: 0001-Generate-manpage.patch +Patch0002: 0002-Adjust-defaults-based-on-system-security-level.patch +Patch0003: 0003-Adjust-hash-defaults-based-on-system-security-level.patch +Patch0004: 0004-Properly-check-all-return-values.patch + +%description +A utility to aid in the creation of more secure "self-signed" +certificates. The certificates created by this tool are generated in a +way so as to create a CA certificate that can be safely imported into a +client machine to trust the service certificate without needing to set +up a full PKI environment and without exposing the machine to a risk of +false signatures from the service certificate. + + +%prep +%autosetup -p1 + + +%build +%meson +%meson_build + +%install +%meson_install + +%check + +%ifnarch %{arm} +%meson_test +%endif + +%files +%license COPYING +%doc README.md +%{_bindir}/%{name} +%{_mandir}/man8/%{name}.8* + +%changelog +* Wed Nov 28 2018 Stephen Gallagher - 2.3.3-6 +- Fixes for issues detected by automated testing. +- Resolves: rhbz#1653323 + +* Wed Nov 28 2018 Stephen Gallagher - 2.3.3-5 +- Autodetect the minimum key strength from the system security level. +- Autodetect the hash algorithm to use from the system security level. +- Disallow setting a key strength below the system minimum. +- Resolves: rhbz#1653323 + +* Mon Sep 17 2018 Stephen Gallagher - 2.3.3-4 +- Add a manpage for sscg. + +* Thu Jul 05 2018 Stephen Gallagher - 2.3.3-3 +- Strip out bundled popt since RHEL 8 has a new-enough version. + +* Fri Feb 09 2018 Fedora Release Engineering - 2.3.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Feb 02 2018 Stephen Gallagher - 2.3.3-1 +- Update to 2.3.3 +- Do not overwrite destination files without --force + +* Thu Jan 25 2018 Stephen Gallagher - 2.3.2-1 +- Update to 2.3.2 +- Properly support hostnames up to 64 characters +- Resolves: rhbz#1535537 + +* Tue Jan 02 2018 Stephen Gallagher - 2.3.1-2 +- Skip tests on 32-bit ARM for now + +* Tue Jan 02 2018 Stephen Gallagher - 2.3.1-1 +- Update to 2.3.1 +- Bundle popt 1.16 on older releases like EPEL. + +* Mon Dec 18 2017 Stephen Gallagher - 2.3.0-1 +- Update to 2.3.0 +- Switch to meson build system +- Add support for non-DNS subjectAlternativeName values (issue #4) + +* Thu Sep 21 2017 Stephen Gallagher - 2.2.0-1 +- Reorder combined PEM file +- Resolves: RHBZ#1494208 + +* Wed Sep 20 2017 Stephen Gallagher - 2.1.0-1 +- Add --email argument for setting emailAddress in the issuer + +* Thu Aug 03 2017 Fedora Release Engineering - 2.0.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 2.0.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Apr 03 2017 Stephen Gallagher - 2.0.4-2 +- Bump release to perform taskotron tests + +* Tue Mar 21 2017 Stephen Gallagher - 2.0.4-1 +- Update to 2.0.4 +- Addresses a potential race-condition when the key and certificate share the + same file. + +* Wed Mar 08 2017 Stephen Gallagher - 2.0.3-1 +- Update to 2.0.3 +- Adds support for setting the file mode on the output certificates + and keys. + +* Fri Mar 03 2017 Stephen Gallagher - 2.0.2-1 +- Update to 2.0.2 +- Always run with umask(077) + +* Fri Mar 03 2017 Stephen Gallagher - 2.0.1-1 +- Update to 2.0.1 +- Fix an issue with passing certificate lifetime explicitly + +* Thu Feb 16 2017 Stephen Gallagher - 2.0.0-1 +- Update to 2.0.0 + +* Thu Feb 16 2017 Stephen Gallagher - 1.1.0-6 +- Exclude PPC64 from the build since it doesn't support linking to OpenSSL + +* Sat Feb 11 2017 Fedora Release Engineering - 1.1.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Nov 23 2016 Stephen Gallagher - 1.1.0-4 +- Use compat-openssl10-devel on F26+ + +* Thu Jul 21 2016 Fedora Release Engineering - 1.1.0-3 +- https://fedoraproject.org/wiki/Changes/golang1.7 + +* Tue May 31 2016 Stephen Gallagher - 1.1.0-2 +- Debundle spacelog + +* Wed May 25 2016 Stephen Gallagher - 1.1.0-1 +- Update to 1.1.0 +- Add support for signing service keys with an existing CA + +* Wed May 25 2016 Stephen Gallagher - 1.0.4-1 +- Add support for exporting the CA private key +- Fix incorrect output from -version +- Add README.md + +* Tue May 24 2016 Stephen Gallagher - 1.0.3-1 +- Only sign certificates after all extensions have been added + +* Mon May 23 2016 Stephen Gallagher - 1.0.2-1 +- Generate x509v3 certificates + +* Mon May 23 2016 Stephen Gallagher - 1.0.1-1 +- Fix issue with temporary file creation + +* Mon May 23 2016 Stephen Gallagher - 1.0.0-1 +- New upstream release 1.0.0 +- Rewritten in Go +- Runtime depends only on OpenSSL, no more Python +- Support for writing certificate and key in a single file + +* Wed May 18 2016 Stephen Gallagher - 0.4.1-4 +- Add requirement on python-setuptools + +* Fri Feb 05 2016 Fedora Release Engineering - 0.4.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Nov 10 2015 Fedora Release Engineering - 0.4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 + +* Fri Jun 19 2015 Fedora Release Engineering - 0.4.1-1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Mar 30 2015 Stephen Gallagher 0.4.1-1 +- Change default CA location to match service certificate +- Improve error handling + +* Tue Mar 24 2015 Stephen Gallagher 0.4.0-1 +- Spec file cleanups +- PEP8 Cleanups +- Make location arguments optional + +* Mon Mar 23 2015 Stephen Gallagher 0.3.0-1 +- Rename to sscg +- Only build with default python interpreter + +* Tue Mar 17 2015 Stephen Gallagher 0.2.1-1 +- Include the LICENSE file in the tarball + +* Tue Mar 17 2015 Stephen Gallagher 0.2-2 +- Include the license in the build RPMs + +* Tue Mar 17 2015 Stephen Gallagher 0.2-1 +- Add support for namedConstraints +- Add support for subjectAltNames +- Fix packaging issues from Fedora package review + +* Mon Mar 16 2015 Stephen Gallagher 0.1-2 +- Update BuildRequires + +* Mon Mar 16 2015 Stephen Gallagher 0.1-1 +- First packaging