import sscg-2.3.3-6.el8
This commit is contained in:
commit
330654936d
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
SOURCES/sscg-2.3.3-stripped.tar.xz
|
1
.sscg.metadata
Normal file
1
.sscg.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
6e880fc36f7d1ebf4a9668dbcb9276b3afcb2904 SOURCES/sscg-2.3.3-stripped.tar.xz
|
56
SOURCES/0001-Generate-manpage.patch
Normal file
56
SOURCES/0001-Generate-manpage.patch
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
From 71e2451c6ba4d5f17de9e24687b66b93f2e58954 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Mon, 17 Sep 2018 09:58:25 -0400
|
||||||
|
Subject: [PATCH 1/4] Generate manpage
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
meson.build | 22 +++++++++++++++++++++-
|
||||||
|
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/meson.build b/meson.build
|
||||||
|
index e6f33475cce6891d17656bcd10e1afabd43bdc07..a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c 100644
|
||||||
|
--- a/meson.build
|
||||||
|
+++ b/meson.build
|
||||||
|
@@ -5,11 +5,11 @@ project('sscg', 'c',
|
||||||
|
'c_std=gnu99',
|
||||||
|
'warning_level=1',
|
||||||
|
'b_asneeded=true',
|
||||||
|
],
|
||||||
|
license : 'MIT',
|
||||||
|
- meson_version : '>=0.36.0')
|
||||||
|
+ meson_version : '>=0.40.0')
|
||||||
|
|
||||||
|
cc = meson.get_compiler('c')
|
||||||
|
test_cflags = [
|
||||||
|
'-Wpointer-arith',
|
||||||
|
'-Wmissing-declarations',
|
||||||
|
@@ -139,5 +139,25 @@ cdata.set('version', meson.project_version())
|
||||||
|
configure_file(
|
||||||
|
input : 'config.h.in',
|
||||||
|
output : 'config.h',
|
||||||
|
configuration : cdata)
|
||||||
|
|
||||||
|
+# Generate a manpage from the POPT documentation
|
||||||
|
+help2man = find_program('help2man')
|
||||||
|
+
|
||||||
|
+manpage = custom_target('manpage',
|
||||||
|
+ output : 'sscg.8',
|
||||||
|
+ capture : true,
|
||||||
|
+ command : [
|
||||||
|
+ help2man,
|
||||||
|
+ '-s', '8',
|
||||||
|
+ '-n', 'Tool for generating x.509 certificates',
|
||||||
|
+ '-N',
|
||||||
|
+ sscg,
|
||||||
|
+ ],
|
||||||
|
+ install : true,
|
||||||
|
+ build_by_default : true,
|
||||||
|
+ install_dir : join_paths(
|
||||||
|
+ get_option('prefix'),
|
||||||
|
+ get_option('mandir'),
|
||||||
|
+ 'man8'),
|
||||||
|
+)
|
||||||
|
--
|
||||||
|
2.19.1
|
||||||
|
|
@ -0,0 +1,249 @@
|
|||||||
|
From 942d9fa4f582a372af3d0bd499f073760dec2335 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Tue, 27 Nov 2018 13:24:37 -0500
|
||||||
|
Subject: [PATCH 2/4] Adjust defaults based on system security level
|
||||||
|
|
||||||
|
Also permit arbitrary keylengths.
|
||||||
|
|
||||||
|
Disallow keylengths smaller than the configured system minimum.
|
||||||
|
|
||||||
|
Resolves: rhbz#1653323
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
config.h.in | 1 -
|
||||||
|
include/sscg.h | 1 +
|
||||||
|
meson.build | 10 ++++++--
|
||||||
|
src/sscg.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++----
|
||||||
|
4 files changed, 68 insertions(+), 8 deletions(-)
|
||||||
|
delete mode 100644 config.h.in
|
||||||
|
|
||||||
|
diff --git a/config.h.in b/config.h.in
|
||||||
|
deleted file mode 100644
|
||||||
|
index 6044a4355f6c8bfac8d36e533f48f395c597e5ac..0000000000000000000000000000000000000000
|
||||||
|
--- a/config.h.in
|
||||||
|
+++ /dev/null
|
||||||
|
@@ -1 +0,0 @@
|
||||||
|
-#define PACKAGE_VERSION "@version@"
|
||||||
|
diff --git a/include/sscg.h b/include/sscg.h
|
||||||
|
index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e376227eb7 100644
|
||||||
|
--- a/include/sscg.h
|
||||||
|
+++ b/include/sscg.h
|
||||||
|
@@ -137,10 +137,11 @@ struct sscg_options
|
||||||
|
const char *hostname;
|
||||||
|
char **subject_alt_names;
|
||||||
|
|
||||||
|
/* Encryption requirements */
|
||||||
|
int key_strength;
|
||||||
|
+ int minimum_key_strength;
|
||||||
|
const EVP_MD *hash_fn;
|
||||||
|
|
||||||
|
/* Output Files */
|
||||||
|
char *ca_file;
|
||||||
|
char *ca_key_file;
|
||||||
|
diff --git a/meson.build b/meson.build
|
||||||
|
index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa 100644
|
||||||
|
--- a/meson.build
|
||||||
|
+++ b/meson.build
|
||||||
|
@@ -32,10 +32,11 @@ foreach cflag: test_cflags
|
||||||
|
endif
|
||||||
|
endforeach
|
||||||
|
|
||||||
|
pkg = import('pkgconfig')
|
||||||
|
crypto = dependency('libcrypto')
|
||||||
|
+ssl = dependency('libssl')
|
||||||
|
path_utils = dependency('path_utils')
|
||||||
|
talloc = dependency('talloc')
|
||||||
|
|
||||||
|
popt = dependency(
|
||||||
|
'popt',
|
||||||
|
@@ -47,10 +48,14 @@ if popt.found()
|
||||||
|
else
|
||||||
|
popt = subproject('popt').get_variable('libpopt_a')
|
||||||
|
popt_incdirs = include_directories('subprojects/popt')
|
||||||
|
endif
|
||||||
|
|
||||||
|
+has_get_sec_level = cc.has_function(
|
||||||
|
+ 'SSL_CTX_get_security_level',
|
||||||
|
+ dependencies: [ ssl])
|
||||||
|
+
|
||||||
|
sscg_lib_srcs = [
|
||||||
|
'src/authority.c',
|
||||||
|
'src/bignum.c',
|
||||||
|
'src/key.c',
|
||||||
|
'src/service.c',
|
||||||
|
@@ -68,10 +73,11 @@ sscg_lib_hdrs = [
|
||||||
|
sscg_lib = static_library(
|
||||||
|
'sscg',
|
||||||
|
sources : sscg_lib_srcs,
|
||||||
|
dependencies : [
|
||||||
|
crypto,
|
||||||
|
+ ssl,
|
||||||
|
talloc,
|
||||||
|
],
|
||||||
|
install : false,
|
||||||
|
pic : true,
|
||||||
|
)
|
||||||
|
@@ -133,13 +139,13 @@ init_bignum_test = executable(
|
||||||
|
install : false,
|
||||||
|
)
|
||||||
|
test('init_bignum_test', init_bignum_test)
|
||||||
|
|
||||||
|
cdata = configuration_data()
|
||||||
|
-cdata.set('version', meson.project_version())
|
||||||
|
+cdata.set_quoted('PACKAGE_VERSION', meson.project_version())
|
||||||
|
+cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level)
|
||||||
|
configure_file(
|
||||||
|
- input : 'config.h.in',
|
||||||
|
output : 'config.h',
|
||||||
|
configuration : cdata)
|
||||||
|
|
||||||
|
# Generate a manpage from the POPT documentation
|
||||||
|
help2man = find_program('help2man')
|
||||||
|
diff --git a/src/sscg.c b/src/sscg.c
|
||||||
|
index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b893300a4414cd 100644
|
||||||
|
--- a/src/sscg.c
|
||||||
|
+++ b/src/sscg.c
|
||||||
|
@@ -15,30 +15,80 @@
|
||||||
|
along with sscg. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Copyright 2017 by Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
*/
|
||||||
|
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <popt.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <talloc.h>
|
||||||
|
#include <path_utils.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
+#include <openssl/ssl.h>
|
||||||
|
#include <sys/param.h>
|
||||||
|
|
||||||
|
#include "config.h"
|
||||||
|
#include "include/sscg.h"
|
||||||
|
#include "include/authority.h"
|
||||||
|
#include "include/service.h"
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+get_security_level (void)
|
||||||
|
+{
|
||||||
|
+#ifdef HAVE_SSL_CTX_GET_SECURITY_LEVEL
|
||||||
|
+ SSL_CTX *ssl_ctx = SSL_CTX_new (TLS_method ());
|
||||||
|
+ int security_level = SSL_CTX_get_security_level (ssl_ctx);
|
||||||
|
+ SSL_CTX_free (ssl_ctx);
|
||||||
|
+ ssl_ctx = NULL;
|
||||||
|
+ return security_level;
|
||||||
|
+#else
|
||||||
|
+ return 0;
|
||||||
|
+#endif
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
set_default_options (struct sscg_options *opts)
|
||||||
|
{
|
||||||
|
+ int security_level = get_security_level ();
|
||||||
|
+
|
||||||
|
opts->lifetime = 3650;
|
||||||
|
- opts->key_strength = 2048;
|
||||||
|
+
|
||||||
|
+ /* Select the default key strength based on the system security level
|
||||||
|
+ * See:
|
||||||
|
+ * https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
|
||||||
|
+ * for the specification of the minimums.
|
||||||
|
+ */
|
||||||
|
+ switch (security_level)
|
||||||
|
+ {
|
||||||
|
+ case 0:
|
||||||
|
+ case 1:
|
||||||
|
+ case 2:
|
||||||
|
+ /* Security level 2 and below permits lower key-strengths, but SSCG
|
||||||
|
+ * will set a minimum of 2048 bits
|
||||||
|
+ */
|
||||||
|
+ opts->key_strength = 2048;
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ case 3: opts->key_strength = 3072; break;
|
||||||
|
+
|
||||||
|
+ case 4: opts->key_strength = 7680; break;
|
||||||
|
+
|
||||||
|
+ default:
|
||||||
|
+ /* Unknown security level. Default to the highest we know about */
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ "Unknown system security level %d. Defaulting to highest-known "
|
||||||
|
+ "level.\n",
|
||||||
|
+ security_level);
|
||||||
|
+ /* Fall through */
|
||||||
|
+
|
||||||
|
+ case 5: opts->key_strength = 15360; break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ opts->minimum_key_strength = opts->key_strength;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
print_options (struct sscg_options *opts)
|
||||||
|
@@ -115,10 +165,11 @@ main (int argc, const char **argv)
|
||||||
|
{
|
||||||
|
int ret, sret, opt;
|
||||||
|
size_t i;
|
||||||
|
poptContext pc;
|
||||||
|
struct sscg_options *options;
|
||||||
|
+ char *minimum_key_strength_help = NULL;
|
||||||
|
|
||||||
|
char *country = NULL;
|
||||||
|
char *state = NULL;
|
||||||
|
char *locality = NULL;
|
||||||
|
char *organization = NULL;
|
||||||
|
@@ -170,10 +221,13 @@ main (int argc, const char **argv)
|
||||||
|
|
||||||
|
ret = set_default_options (options);
|
||||||
|
if (ret != EOK)
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
+ minimum_key_strength_help =
|
||||||
|
+ talloc_asprintf (main_ctx, "%d or larger", options->minimum_key_strength);
|
||||||
|
+
|
||||||
|
options->verbosity = SSCG_DEFAULT;
|
||||||
|
struct poptOption long_options[] = {
|
||||||
|
POPT_AUTOHELP{ "quiet",
|
||||||
|
'q',
|
||||||
|
POPT_ARG_VAL,
|
||||||
|
@@ -291,11 +345,11 @@ main (int argc, const char **argv)
|
||||||
|
'\0',
|
||||||
|
POPT_ARG_INT | POPT_ARGFLAG_SHOW_DEFAULT,
|
||||||
|
&options->key_strength,
|
||||||
|
0,
|
||||||
|
_ ("Strength of the certificate private keys in bits."),
|
||||||
|
- _ ("{512,1024,2048,4096}") },
|
||||||
|
+ minimum_key_strength_help },
|
||||||
|
{
|
||||||
|
"hash-alg",
|
||||||
|
'\0',
|
||||||
|
POPT_ARG_STRING,
|
||||||
|
&hash_alg,
|
||||||
|
@@ -527,15 +581,15 @@ main (int argc, const char **argv)
|
||||||
|
options->subject_alt_names[i + 1] = NULL;
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (options->key_strength != 512 && options->key_strength != 1024 &&
|
||||||
|
- options->key_strength != 2048 && options->key_strength != 4096)
|
||||||
|
+ if (options->key_strength < options->minimum_key_strength)
|
||||||
|
{
|
||||||
|
fprintf (stderr,
|
||||||
|
- "Key strength must be one of {512, 1024, 2048, 4096}.\n");
|
||||||
|
+ "Key strength must be at least %d bits.\n",
|
||||||
|
+ options->minimum_key_strength);
|
||||||
|
ret = EINVAL;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!hash_alg)
|
||||||
|
--
|
||||||
|
2.19.1
|
||||||
|
|
@ -0,0 +1,137 @@
|
|||||||
|
From 298015e8a7cf35cc0de581203b44826d2ae1d406 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Wed, 28 Nov 2018 08:00:08 -0500
|
||||||
|
Subject: [PATCH 3/4] Adjust hash defaults based on system security level
|
||||||
|
|
||||||
|
Unlike the key-strength, this does not set a minimum level because
|
||||||
|
it's not a simple calculation. We will have to rely on libcrypto
|
||||||
|
rejecting any explicitly-set algorithms as a violation of policy.
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
include/sscg.h | 1 +
|
||||||
|
src/sscg.c | 40 +++++++++++++++++++++-------------------
|
||||||
|
2 files changed, 22 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/include/sscg.h b/include/sscg.h
|
||||||
|
index 3e97cfe49a5cd8fc734ecf43a94156e376227eb7..fc90b81a0060af28529f3be6922b1b1501559300 100644
|
||||||
|
--- a/include/sscg.h
|
||||||
|
+++ b/include/sscg.h
|
||||||
|
@@ -138,10 +138,11 @@ struct sscg_options
|
||||||
|
char **subject_alt_names;
|
||||||
|
|
||||||
|
/* Encryption requirements */
|
||||||
|
int key_strength;
|
||||||
|
int minimum_key_strength;
|
||||||
|
+ char *hash_alg;
|
||||||
|
const EVP_MD *hash_fn;
|
||||||
|
|
||||||
|
/* Output Files */
|
||||||
|
char *ca_file;
|
||||||
|
char *ca_key_file;
|
||||||
|
diff --git a/src/sscg.c b/src/sscg.c
|
||||||
|
index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a83281e37e 100644
|
||||||
|
--- a/src/sscg.c
|
||||||
|
+++ b/src/sscg.c
|
||||||
|
@@ -64,28 +64,38 @@ set_default_options (struct sscg_options *opts)
|
||||||
|
{
|
||||||
|
case 0:
|
||||||
|
case 1:
|
||||||
|
case 2:
|
||||||
|
/* Security level 2 and below permits lower key-strengths, but SSCG
|
||||||
|
- * will set a minimum of 2048 bits
|
||||||
|
+ * will set a minimum of 2048 bits and the sha256 hash algorithm.
|
||||||
|
*/
|
||||||
|
+ opts->hash_alg = talloc_strdup (opts, "sha256");
|
||||||
|
opts->key_strength = 2048;
|
||||||
|
break;
|
||||||
|
|
||||||
|
- case 3: opts->key_strength = 3072; break;
|
||||||
|
+ case 3:
|
||||||
|
+ opts->hash_alg = talloc_strdup (opts, "sha256");
|
||||||
|
+ opts->key_strength = 3072;
|
||||||
|
+ break;
|
||||||
|
|
||||||
|
- case 4: opts->key_strength = 7680; break;
|
||||||
|
+ case 4:
|
||||||
|
+ opts->hash_alg = talloc_strdup (opts, "sha384");
|
||||||
|
+ opts->key_strength = 7680;
|
||||||
|
+ break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
/* Unknown security level. Default to the highest we know about */
|
||||||
|
fprintf (stderr,
|
||||||
|
"Unknown system security level %d. Defaulting to highest-known "
|
||||||
|
"level.\n",
|
||||||
|
security_level);
|
||||||
|
/* Fall through */
|
||||||
|
|
||||||
|
- case 5: opts->key_strength = 15360; break;
|
||||||
|
+ case 5:
|
||||||
|
+ opts->hash_alg = talloc_strdup (opts, "sha512");
|
||||||
|
+ opts->key_strength = 15360;
|
||||||
|
+ break;
|
||||||
|
}
|
||||||
|
|
||||||
|
opts->minimum_key_strength = opts->key_strength;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -175,11 +185,10 @@ main (int argc, const char **argv)
|
||||||
|
char *organization = NULL;
|
||||||
|
char *organizational_unit = NULL;
|
||||||
|
char *email = NULL;
|
||||||
|
char *hostname = NULL;
|
||||||
|
char *packagename;
|
||||||
|
- char *hash_alg = NULL;
|
||||||
|
char **alternative_names = NULL;
|
||||||
|
|
||||||
|
char *ca_file = NULL;
|
||||||
|
char *ca_key_file = NULL;
|
||||||
|
char *cert_file = NULL;
|
||||||
|
@@ -349,14 +358,14 @@ main (int argc, const char **argv)
|
||||||
|
_ ("Strength of the certificate private keys in bits."),
|
||||||
|
minimum_key_strength_help },
|
||||||
|
{
|
||||||
|
"hash-alg",
|
||||||
|
'\0',
|
||||||
|
- POPT_ARG_STRING,
|
||||||
|
- &hash_alg,
|
||||||
|
+ POPT_ARG_STRING | POPT_ARGFLAG_SHOW_DEFAULT,
|
||||||
|
+ &options->hash_alg,
|
||||||
|
0,
|
||||||
|
- _ ("Hashing algorithm to use for signing. (default: sha256)"),
|
||||||
|
+ _ ("Hashing algorithm to use for signing."),
|
||||||
|
_ ("{sha256,sha384,sha512}"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ca-file",
|
||||||
|
'\0',
|
||||||
|
@@ -590,21 +599,14 @@ main (int argc, const char **argv)
|
||||||
|
options->minimum_key_strength);
|
||||||
|
ret = EINVAL;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!hash_alg)
|
||||||
|
- {
|
||||||
|
- /* Default to SHA256 */
|
||||||
|
- options->hash_fn = EVP_sha256 ();
|
||||||
|
- }
|
||||||
|
- else
|
||||||
|
- {
|
||||||
|
- /* TODO: restrict this to approved hashes.
|
||||||
|
- * For now, we'll only list SHA[256|384|512] in the help */
|
||||||
|
- options->hash_fn = EVP_get_digestbyname (hash_alg);
|
||||||
|
- }
|
||||||
|
+ /* TODO: restrict this to approved hashes.
|
||||||
|
+ * For now, we'll only list SHA[256|384|512] in the help */
|
||||||
|
+ options->hash_fn = EVP_get_digestbyname (options->hash_alg);
|
||||||
|
+
|
||||||
|
if (!options->hash_fn)
|
||||||
|
{
|
||||||
|
fprintf (stderr, "Unsupported hashing algorithm.");
|
||||||
|
ret = EINVAL;
|
||||||
|
goto done;
|
||||||
|
--
|
||||||
|
2.19.1
|
||||||
|
|
63
SOURCES/0004-Properly-check-all-return-values.patch
Normal file
63
SOURCES/0004-Properly-check-all-return-values.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
From 9e4497d1dd2a337be1f69e0cfb24ce8080690ccf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Wed, 28 Nov 2018 09:16:29 -0500
|
||||||
|
Subject: [PATCH 4/4] Properly check all return values
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
src/authority.c | 1 +
|
||||||
|
src/service.c | 1 +
|
||||||
|
src/x509.c | 1 +
|
||||||
|
3 files changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/authority.c b/src/authority.c
|
||||||
|
index b735868416b7fb5d016f0854baf0f27cd5f98b26..4e0dccc6c1210beffb38acd9f7dfb6108ca4a4ad 100644
|
||||||
|
--- a/src/authority.c
|
||||||
|
+++ b/src/authority.c
|
||||||
|
@@ -178,10 +178,11 @@ create_private_CA (TALLOC_CTX *mem_ctx,
|
||||||
|
}
|
||||||
|
sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
|
||||||
|
|
||||||
|
/* Finalize the CSR */
|
||||||
|
ret = sscg_x509v3_csr_finalize (ca_certinfo, pkey, csr);
|
||||||
|
+ CHECK_OK (ret);
|
||||||
|
|
||||||
|
if (options->verbosity >= SSCG_DEBUG)
|
||||||
|
{
|
||||||
|
fprintf (stderr, "DEBUG: Writing CA CSR to ./debug-ca.csr\n");
|
||||||
|
BIO *ca_csr_out = BIO_new_file ("./debug-ca.csr", "w");
|
||||||
|
diff --git a/src/service.c b/src/service.c
|
||||||
|
index b292e94063f032fd3c34a8134702063ea46bfa0c..34c976dbe905528000b181c24d1fa95da3cd1377 100644
|
||||||
|
--- a/src/service.c
|
||||||
|
+++ b/src/service.c
|
||||||
|
@@ -124,10 +124,11 @@ create_service_cert (TALLOC_CTX *mem_ctx,
|
||||||
|
ret = sscg_x509v3_csr_new (tmp_ctx, svc_certinfo, pkey, &csr);
|
||||||
|
CHECK_OK (ret);
|
||||||
|
|
||||||
|
/* Finalize the CSR */
|
||||||
|
ret = sscg_x509v3_csr_finalize (svc_certinfo, pkey, csr);
|
||||||
|
+ CHECK_OK (ret);
|
||||||
|
|
||||||
|
if (options->verbosity >= SSCG_DEBUG)
|
||||||
|
{
|
||||||
|
fprintf (stderr,
|
||||||
|
"DEBUG: Writing service certificate CSR to ./debug-svc.csr\n");
|
||||||
|
diff --git a/src/x509.c b/src/x509.c
|
||||||
|
index 6d152fc969d745cc5cf085116c8688866f9d6ab4..18f0627bc64e7cb503a9e81c36dbe726186d1144 100644
|
||||||
|
--- a/src/x509.c
|
||||||
|
+++ b/src/x509.c
|
||||||
|
@@ -39,10 +39,11 @@ sscg_generate_serial (TALLOC_CTX *mem_ctx, struct sscg_bignum **serial)
|
||||||
|
{
|
||||||
|
return ENOMEM;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = sscg_init_bignum (tmp_ctx, 0, &bn);
|
||||||
|
+ CHECK_OK (ret);
|
||||||
|
|
||||||
|
/* We'll create a random number of sizeof(unsigned long) - 1 bits
|
||||||
|
to use as the serial. We use unsigned long to ensure that it
|
||||||
|
could be printed by BN_get_word() later. We omit the last bit
|
||||||
|
in order to ensure that we can't randomly get 0xffffffffL, which
|
||||||
|
--
|
||||||
|
2.19.1
|
||||||
|
|
226
SPECS/sscg.spec
Normal file
226
SPECS/sscg.spec
Normal file
@ -0,0 +1,226 @@
|
|||||||
|
%global provider github
|
||||||
|
%global provider_tld com
|
||||||
|
%global project sgallagher
|
||||||
|
%global repo sscg
|
||||||
|
# https://github.com/sgallagher/sscg
|
||||||
|
%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
|
||||||
|
%global import_path %{provider_prefix}
|
||||||
|
|
||||||
|
|
||||||
|
Name: sscg
|
||||||
|
Version: 2.3.3
|
||||||
|
Release: 6%{?dist}
|
||||||
|
Summary: Simple SSL certificate generator
|
||||||
|
|
||||||
|
License: BSD
|
||||||
|
URL: https://%{provider_prefix}
|
||||||
|
|
||||||
|
# Run ./sscg-strip.sh to produce a tarball with the bundled popt library
|
||||||
|
# stripped out to reduce license issues.
|
||||||
|
Source0: https://%{provider_prefix}/releases/download/%{repo}-%{version}/%{repo}-%{version}-stripped.tar.xz
|
||||||
|
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: libtalloc-devel
|
||||||
|
BuildRequires: openssl-devel
|
||||||
|
BuildRequires: popt-devel
|
||||||
|
BuildRequires: libpath_utils-devel
|
||||||
|
BuildRequires: meson
|
||||||
|
BuildRequires: ninja-build
|
||||||
|
BuildRequires: help2man
|
||||||
|
|
||||||
|
# Patches
|
||||||
|
Patch0001: 0001-Generate-manpage.patch
|
||||||
|
Patch0002: 0002-Adjust-defaults-based-on-system-security-level.patch
|
||||||
|
Patch0003: 0003-Adjust-hash-defaults-based-on-system-security-level.patch
|
||||||
|
Patch0004: 0004-Properly-check-all-return-values.patch
|
||||||
|
|
||||||
|
%description
|
||||||
|
A utility to aid in the creation of more secure "self-signed"
|
||||||
|
certificates. The certificates created by this tool are generated in a
|
||||||
|
way so as to create a CA certificate that can be safely imported into a
|
||||||
|
client machine to trust the service certificate without needing to set
|
||||||
|
up a full PKI environment and without exposing the machine to a risk of
|
||||||
|
false signatures from the service certificate.
|
||||||
|
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p1
|
||||||
|
|
||||||
|
|
||||||
|
%build
|
||||||
|
%meson
|
||||||
|
%meson_build
|
||||||
|
|
||||||
|
%install
|
||||||
|
%meson_install
|
||||||
|
|
||||||
|
%check
|
||||||
|
|
||||||
|
%ifnarch %{arm}
|
||||||
|
%meson_test
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%files
|
||||||
|
%license COPYING
|
||||||
|
%doc README.md
|
||||||
|
%{_bindir}/%{name}
|
||||||
|
%{_mandir}/man8/%{name}.8*
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
|
||||||
|
- Fixes for issues detected by automated testing.
|
||||||
|
- Resolves: rhbz#1653323
|
||||||
|
|
||||||
|
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-5
|
||||||
|
- Autodetect the minimum key strength from the system security level.
|
||||||
|
- Autodetect the hash algorithm to use from the system security level.
|
||||||
|
- Disallow setting a key strength below the system minimum.
|
||||||
|
- Resolves: rhbz#1653323
|
||||||
|
|
||||||
|
* Mon Sep 17 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-4
|
||||||
|
- Add a manpage for sscg.
|
||||||
|
|
||||||
|
* Thu Jul 05 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-3
|
||||||
|
- Strip out bundled popt since RHEL 8 has a new-enough version.
|
||||||
|
|
||||||
|
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Feb 02 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-1
|
||||||
|
- Update to 2.3.3
|
||||||
|
- Do not overwrite destination files without --force
|
||||||
|
|
||||||
|
* Thu Jan 25 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.2-1
|
||||||
|
- Update to 2.3.2
|
||||||
|
- Properly support hostnames up to 64 characters
|
||||||
|
- Resolves: rhbz#1535537
|
||||||
|
|
||||||
|
* Tue Jan 02 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.1-2
|
||||||
|
- Skip tests on 32-bit ARM for now
|
||||||
|
|
||||||
|
* Tue Jan 02 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.1-1
|
||||||
|
- Update to 2.3.1
|
||||||
|
- Bundle popt 1.16 on older releases like EPEL.
|
||||||
|
|
||||||
|
* Mon Dec 18 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.3.0-1
|
||||||
|
- Update to 2.3.0
|
||||||
|
- Switch to meson build system
|
||||||
|
- Add support for non-DNS subjectAlternativeName values (issue #4)
|
||||||
|
|
||||||
|
* Thu Sep 21 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.2.0-1
|
||||||
|
- Reorder combined PEM file
|
||||||
|
- Resolves: RHBZ#1494208
|
||||||
|
|
||||||
|
* Wed Sep 20 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.1.0-1
|
||||||
|
- Add --email argument for setting emailAddress in the issuer
|
||||||
|
|
||||||
|
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.4-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.4-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Apr 03 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.4-2
|
||||||
|
- Bump release to perform taskotron tests
|
||||||
|
|
||||||
|
* Tue Mar 21 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.4-1
|
||||||
|
- Update to 2.0.4
|
||||||
|
- Addresses a potential race-condition when the key and certificate share the
|
||||||
|
same file.
|
||||||
|
|
||||||
|
* Wed Mar 08 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.3-1
|
||||||
|
- Update to 2.0.3
|
||||||
|
- Adds support for setting the file mode on the output certificates
|
||||||
|
and keys.
|
||||||
|
|
||||||
|
* Fri Mar 03 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.2-1
|
||||||
|
- Update to 2.0.2
|
||||||
|
- Always run with umask(077)
|
||||||
|
|
||||||
|
* Fri Mar 03 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.1-1
|
||||||
|
- Update to 2.0.1
|
||||||
|
- Fix an issue with passing certificate lifetime explicitly
|
||||||
|
|
||||||
|
* Thu Feb 16 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.0-1
|
||||||
|
- Update to 2.0.0
|
||||||
|
|
||||||
|
* Thu Feb 16 2017 Stephen Gallagher <sgallagh@redhat.com> - 1.1.0-6
|
||||||
|
- Exclude PPC64 from the build since it doesn't support linking to OpenSSL
|
||||||
|
|
||||||
|
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Nov 23 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.1.0-4
|
||||||
|
- Use compat-openssl10-devel on F26+
|
||||||
|
|
||||||
|
* Thu Jul 21 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.0-3
|
||||||
|
- https://fedoraproject.org/wiki/Changes/golang1.7
|
||||||
|
|
||||||
|
* Tue May 31 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.1.0-2
|
||||||
|
- Debundle spacelog
|
||||||
|
|
||||||
|
* Wed May 25 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.1.0-1
|
||||||
|
- Update to 1.1.0
|
||||||
|
- Add support for signing service keys with an existing CA
|
||||||
|
|
||||||
|
* Wed May 25 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.0.4-1
|
||||||
|
- Add support for exporting the CA private key
|
||||||
|
- Fix incorrect output from -version
|
||||||
|
- Add README.md
|
||||||
|
|
||||||
|
* Tue May 24 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.0.3-1
|
||||||
|
- Only sign certificates after all extensions have been added
|
||||||
|
|
||||||
|
* Mon May 23 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.0.2-1
|
||||||
|
- Generate x509v3 certificates
|
||||||
|
|
||||||
|
* Mon May 23 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.0.1-1
|
||||||
|
- Fix issue with temporary file creation
|
||||||
|
|
||||||
|
* Mon May 23 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.0.0-1
|
||||||
|
- New upstream release 1.0.0
|
||||||
|
- Rewritten in Go
|
||||||
|
- Runtime depends only on OpenSSL, no more Python
|
||||||
|
- Support for writing certificate and key in a single file
|
||||||
|
|
||||||
|
* Wed May 18 2016 Stephen Gallagher <sgallagh@redhat.com> - 0.4.1-4
|
||||||
|
- Add requirement on python-setuptools
|
||||||
|
|
||||||
|
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
|
||||||
|
|
||||||
|
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-1
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Mar 30 2015 Stephen Gallagher <sgallagh@redhat.com> 0.4.1-1
|
||||||
|
- Change default CA location to match service certificate
|
||||||
|
- Improve error handling
|
||||||
|
|
||||||
|
* Tue Mar 24 2015 Stephen Gallagher <sgallagh@redhat.com> 0.4.0-1
|
||||||
|
- Spec file cleanups
|
||||||
|
- PEP8 Cleanups
|
||||||
|
- Make location arguments optional
|
||||||
|
|
||||||
|
* Mon Mar 23 2015 Stephen Gallagher <sgallagh@redhat.com> 0.3.0-1
|
||||||
|
- Rename to sscg
|
||||||
|
- Only build with default python interpreter
|
||||||
|
|
||||||
|
* Tue Mar 17 2015 Stephen Gallagher <sgallagh@redhat.com> 0.2.1-1
|
||||||
|
- Include the LICENSE file in the tarball
|
||||||
|
|
||||||
|
* Tue Mar 17 2015 Stephen Gallagher <sgallagh@redhat.com> 0.2-2
|
||||||
|
- Include the license in the build RPMs
|
||||||
|
|
||||||
|
* Tue Mar 17 2015 Stephen Gallagher <sgallagh@redhat.com> 0.2-1
|
||||||
|
- Add support for namedConstraints
|
||||||
|
- Add support for subjectAltNames
|
||||||
|
- Fix packaging issues from Fedora package review
|
||||||
|
|
||||||
|
* Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-2
|
||||||
|
- Update BuildRequires
|
||||||
|
|
||||||
|
* Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-1
|
||||||
|
- First packaging
|
Loading…
Reference in New Issue
Block a user