commit 42f594292cfdd38b9da9ab2d53eb881b9cd335b0
Author: CentOS Sources
Date: Tue May 17 04:47:12 2022 -0400
import sscg-3.0.0-4.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4798d97
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/sscg-3.0.0.tar.xz
diff --git a/.sscg.metadata b/.sscg.metadata
new file mode 100644
index 0000000..ba54818
--- /dev/null
+++ b/.sscg.metadata
@@ -0,0 +1 @@
+81e3b33e118edff96583314ceb4bfde9a1e6b45c SOURCES/sscg-3.0.0.tar.xz
diff --git a/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch b/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch
new file mode 100644
index 0000000..5ad7b9d
--- /dev/null
+++ b/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch
@@ -0,0 +1,34 @@
+From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Sat, 7 Aug 2021 11:48:04 -0400
+Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
+
+This macro was dropped in OpenSSL 3.0 and has actually not been
+providing a valid return code for some time.
+
+Related: rhbz#1964837
+
+Signed-off-by: Stephen Gallagher
+---
+ include/sscg.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/include/sscg.h b/include/sscg.h
+index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
+--- a/include/sscg.h
++++ b/include/sscg.h
+@@ -94,11 +94,10 @@
+ if (_sslret != 1) \
+ { \
+ /* Get information about error from OpenSSL */ \
+ unsigned long _ssl_error = ERR_get_error (); \
+ if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \
+- (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) && \
+ ((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \
+ (ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \
+ { \
+ fprintf ( \
+ stderr, \
+--
+2.33.0
+
diff --git a/SOURCES/0002-Correct-certificate-lifetime-calculation.patch b/SOURCES/0002-Correct-certificate-lifetime-calculation.patch
new file mode 100644
index 0000000..5a0b87b
--- /dev/null
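Review bot: The condition left in CHECK_SSL after this removal has no comment saying what it identifies, and it now matches any ERR_LIB_UI error whose reason is UI_R_RESULT_TOO_LARGE or UI_R_RESULT_TOO_SMALL rather than one raised by a specific function. That is sound because OpenSSL reason codes are scoped to their library, so the ERR_GET_LIB test is what keeps the match meaningful, but a reader cannot tell that from the macro. I would extend the existing comment to something like `/* Library + reason identify a UI result-length error; function codes are not available in OpenSSL 3.0 */`. The macro starts and ends outside the hunk, so what the branch reports is not visible here.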
+++ b/SOURCES/0002-Correct-certificate-lifetime-calculation.patch
@@ -0,0 +1,46 @@
+From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
+From: Allison Karlitskaya
+Date: Tue, 26 Oct 2021 12:32:13 +0200
+Subject: [PATCH 2/2] Correct certificate lifetime calculation
+
+sscg allows passing the certificate lifetime, as a number of days, as a
+commandline argument. It converts this value to seconds using the
+formula
+
+ days * 24 * 3650
+
+which is incorrect. The correct value is 3600.
+
+This effectively adds an extra 20 minutes to the lifetime of the
+certificate for each day as given on the commandline, and was enough to
+cause some new integration tests in cockpit to fail.
+
+Interestingly, 3650 is the old default value for the number of days of
+certificate validity (~10 years) so this probably slipped in as a sort
+of muscle-memory-assisted typo.
+
+Let's just write `24 * 60 * 60` to make things clear.
+---
+ src/x509.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
+ X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
+ }
+
+ /* set time */
+ X509_gmtime_adj (X509_get_notBefore (cert), 0);
+- X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
++ X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
+
+ /* set subject */
+ subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
+ sslret = X509_set_subject_name (cert, subject);
+ CHECK_SSL (sslret, X509_set_subject_name);
+--
+2.33.0
+
diff --git a/SPECS/sscg.spec b/SPECS/sscg.spec
new file mode 100644
index 0000000..782aff0
--- /dev/null
+++ b/SPECS/sscg.spec
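Review bot: The corrected expression `days * 24 * 60 * 60` in sscg_sign_x509_csr() is still computed in the type of `days`, which this hunk does not show, and the result of X509_gmtime_adj() is discarded, unlike the CHECK_SSL-guarded X509_set_subject_name() call a few lines below. If `days` is a 32-bit `int`, a requested lifetime above about 24,855 days overflows before the offset is passed on, so the certificate's notAfter would not reflect what the user asked for. Handing the day count to OpenSSL avoids the multiplication and makes a failure detectable: `if (X509_time_adj_ex (X509_get_notAfter (cert), days, 0, NULL) == NULL)` followed by an error return, with `days` range-checked first if it turns out to be wider than `int`. The function body starts and ends outside the hunk.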
@@ -0,0 +1,301 @@
+%global provider github
+%global provider_tld com
+%global project sgallagher
+%global repo sscg
+# https://github.com/sgallagher/sscg
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path %{provider_prefix}
+
+
+Name: sscg
+Version: 3.0.0
+Release: 4%{?dist}
+Summary: Simple SSL certificate generator
+
+License: GPLv3+ with exceptions
+URL: https://%{provider_prefix}
+Source0: https://%{provider_prefix}/releases/download/%{repo}-%{version}/%{repo}-%{version}.tar.xz
+
+BuildRequires: gcc
+BuildRequires: libtalloc-devel
+BuildRequires: openssl-devel
+BuildRequires: popt-devel
+BuildRequires: libpath_utils-devel
+BuildRequires: meson
+BuildRequires: ninja-build
+BuildRequires: help2man
+
+
+Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
+Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
+
+
+%description
+A utility to aid in the creation of more secure "self-signed"
+certificates. The certificates created by this tool are generated in a
+way so as to create a CA certificate that can be safely imported into a
+client machine to trust the service certificate without needing to set
+up a full PKI environment and without exposing the machine to a risk of
+false signatures from the service certificate.
+
+%prep
+%autosetup -p1
+
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+
+%check
+%meson_test -t 10
+
+%files
+%license COPYING
+%doc README.md
+%{_bindir}/%{name}
+%{_mandir}/man8/%{name}.8*
+
+%changelog
+* Fri Oct 29 2021 Stephen Gallagher - 3.0.0-4
+- Correct certificate lifetime calculation
+- Resolves: rhbz#2017667
+
+* Tue Aug 10 2021 Mohan Boddu - 3.0.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Sat Aug 07 2021 Stephen Gallagher - 3.0.0-2
+- Drop usage of removed macro ERR_GET_FUNC()
+- Related: rhbz#1964837
+
+* Wed Jul 21 2021 Stephen Gallagher - 3.0.0-1
+- Release 3.0.0
+- Support for OpenSSL 3.0
+- Support for outputting named Diffie-Hellman parameter groups
+- Support for CentOS Stream 9
+- Resolves: rhbz#1984468
+
+* Wed Jun 16 2021 Mohan Boddu - 2.6.2-8
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Wed May 26 2021 Stephen Gallagher - 2.6.2-7
+- OpenSSL 3.0 compatibility: fix RSA key-generation test
+- Resolves: rhbz#1964837
+
+* Fri Apr 16 2021 Mohan Boddu - 2.6.2-6
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Mar 17 2021 Stephen Gallagher - 2.6.2-5
+- Fixing incorrect license declaration
+
+* Wed Mar 17 2021 Stephen Gallagher - 2.6.2-4
+- Updating to rebuild against the latest glibc
+
+* Wed Jan 27 2021 Fedora Release Engineering - 2.6.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 2.6.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 23 2020 Stephen Gallagher - 2.6.2-1
+- Update to 2.6.2
+- Handle very short and very long passphrases properly (fixes rhbz#1850183)
+- Drop upstreamed patch
+
+* Thu Apr 30 2020 Stephen Gallagher - 2.6.1-4
+- Rebuild with corrected ELN macro definitions
+
+* Thu Apr 30 2020 Stephen Gallagher - 2.6.1-3
+- Don't bother running clang-format in the RPM build
+- Lengthen the test timeout so ARM tests pass
+
+* Fri Jan 31 2020 Fedora Release Engineering - 2.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 09 2020 Stephen Gallagher - 2.6.1-1
+- Bugfixes from upstream
+
+* Fri Dec 13 2019 Stephen Gallagher - 2.6.0-2
+- Fix incorrect help description for --client-key-file
+
+* Fri Dec 13 2019 Stephen Gallagher - 2.6.0-1
+- Update to 2.6.0
+- Can now generate an empty CRL file.
+- Can now create and store a Diffie-Hellman parameters (dhparams) file.
+- Support for setting a password on private keys.
+- Support for generating a client authentication certificate and key.
+- Better support for OpenSSL 1.0
+
+* Sat Jul 27 2019 Fedora Release Engineering - 2.5.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering - 2.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Nov 28 2018 Stephen Gallagher - 2.5.1-1
+- Update to 2.5.1
+- Fixes discovered by automated testing.
+
+* Wed Nov 28 2018 Stephen Gallagher - 2.5.0-1
+- Update to 2.5.0
+- Auto-detect the hash algorithm to use by default.
+
+* Tue Nov 27 2018 Stephen Gallagher - 2.4.0-1
+- Update to 2.4.0
+- Autodetect the minimum key strength from the system security level.
+- Disallow setting a key strength below the system minimum.
+
+- Drop upstreamed patches
+
+* Mon Sep 17 2018 Stephen Gallagher - 2.3.3-4
+- Add a manpage.
+
+* Sat Jul 14 2018 Fedora Release Engineering - 2.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Feb 09 2018 Fedora Release Engineering - 2.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Feb 02 2018 Stephen Gallagher - 2.3.3-1
+- Update to 2.3.3
+- Do not overwrite destination files without --force
+
+* Thu Jan 25 2018 Stephen Gallagher - 2.3.2-1
+- Update to 2.3.2
+- Properly support hostnames up to 64 characters
+- Resolves: rhbz#1535537
+
+* Tue Jan 02 2018 Stephen Gallagher - 2.3.1-2
+- Skip tests on 32-bit ARM for now
+
+* Tue Jan 02 2018 Stephen Gallagher - 2.3.1-1
+- Update to 2.3.1
+- Bundle popt 1.16 on older releases like EPEL.
+
+* Mon Dec 18 2017 Stephen Gallagher - 2.3.0-1
+- Update to 2.3.0
+- Switch to meson build system
+- Add support for non-DNS subjectAlternativeName values (issue #4)
+
+* Thu Sep 21 2017 Stephen Gallagher - 2.2.0-1
+- Reorder combined PEM file
+- Resolves: RHBZ#1494208
+
+* Wed Sep 20 2017 Stephen Gallagher - 2.1.0-1
+- Add --email argument for setting emailAddress in the issuer
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.0.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 2.0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Apr 03 2017 Stephen Gallagher - 2.0.4-2
+- Bump release to perform taskotron tests
+
+* Tue Mar 21 2017 Stephen Gallagher - 2.0.4-1
+- Update to 2.0.4
+- Addresses a potential race-condition when the key and certificate share the
+ same file.
+
+* Wed Mar 08 2017 Stephen Gallagher - 2.0.3-1
+- Update to 2.0.3
+- Adds support for setting the file mode on the output certificates
+ and keys.
+
+* Fri Mar 03 2017 Stephen Gallagher - 2.0.2-1
+- Update to 2.0.2
+- Always run with umask(077)
+
+* Fri Mar 03 2017 Stephen Gallagher - 2.0.1-1
+- Update to 2.0.1
+- Fix an issue with passing certificate lifetime explicitly
+
+* Thu Feb 16 2017 Stephen Gallagher - 2.0.0-1
+- Update to 2.0.0
+
+* Thu Feb 16 2017 Stephen Gallagher - 1.1.0-6
+- Exclude PPC64 from the build since it doesn't support linking to OpenSSL
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1.1.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Nov 23 2016 Stephen Gallagher - 1.1.0-4
+- Use compat-openssl10-devel on F26+
+
+* Thu Jul 21 2016 Fedora Release Engineering - 1.1.0-3
+- https://fedoraproject.org/wiki/Changes/golang1.7
+
+* Tue May 31 2016 Stephen Gallagher - 1.1.0-2
+- Debundle spacelog
+
+* Wed May 25 2016 Stephen Gallagher - 1.1.0-1
+- Update to 1.1.0
+- Add support for signing service keys with an existing CA
+
+* Wed May 25 2016 Stephen Gallagher - 1.0.4-1
+- Add support for exporting the CA private key
+- Fix incorrect output from -version
+- Add README.md
+
+* Tue May 24 2016 Stephen Gallagher - 1.0.3-1
+- Only sign certificates after all extensions have been added
+
+* Mon May 23 2016 Stephen Gallagher - 1.0.2-1
+- Generate x509v3 certificates
+
+* Mon May 23 2016 Stephen Gallagher - 1.0.1-1
+- Fix issue with temporary file creation
+
+* Mon May 23 2016 Stephen Gallagher - 1.0.0-1
+- New upstream release 1.0.0
+- Rewritten in Go
+- Runtime depends only on OpenSSL, no more Python
+- Support for writing certificate and key in a single file
+
+* Wed May 18 2016 Stephen Gallagher - 0.4.1-4
+- Add requirement on python-setuptools
+
+* Fri Feb 05 2016 Fedora Release Engineering - 0.4.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering - 0.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Fri Jun 19 2015 Fedora Release Engineering - 0.4.1-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Mar 30 2015 Stephen Gallagher 0.4.1-1
+- Change default CA location to match service certificate
+- Improve error handling
+
+* Tue Mar 24 2015 Stephen Gallagher 0.4.0-1
+- Spec file cleanups
+- PEP8 Cleanups
+- Make location arguments optional
+
+* Mon Mar 23 2015 Stephen Gallagher 0.3.0-1
+- Rename to sscg
+- Only build with default python interpreter
+
+* Tue Mar 17 2015 Stephen Gallagher 0.2.1-1
+- Include the LICENSE file in the tarball
+
+* Tue Mar 17 2015 Stephen Gallagher 0.2-2
+- Include the license in the build RPMs
+
+* Tue Mar 17 2015 Stephen Gallagher 0.2-1
+- Add support for namedConstraints
+- Add support for subjectAltNames
+- Fix packaging issues from Fedora package review
+
+* Mon Mar 16 2015 Stephen Gallagher 0.1-2
+- Update BuildRequires
+
+* Mon Mar 16 2015 Stephen Gallagher 0.1-1
+- First packaging
+