Ensure 'critical' basicConstraint for CA cert

Resolves: RHEL-88119 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2025-04-22 15:11:36 -04:00 · 2025-04-22 15:11:36 -04:00 · 835f9d3c4c
commit 835f9d3c4c
parent 4434aa2471
2 changed files with 35 additions and 1 deletions
--- a/0007-Ensure-critical-basicConstraint-for-CA-cert.patch
+++ b/0007-Ensure-critical-basicConstraint-for-CA-cert.patch
@ -0,0 +1,29 @@
+From 499ce83c85d14dd8cbc52f6431e775f1d00578d6 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 22 Apr 2025 13:09:32 -0400
+Subject: [PATCH 7/7] Ensure 'critical' basicConstraint for CA cert
+
+Fixes: https://github.com/sgallagher/sscg/issues/74
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/authority.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/authority.c b/src/authority.c
+index af60e1a93023c32e3fdf6da920fba4464256ed81..044c62f5192e75a9f7d3f49616f852a97da7505a 100644
+--- a/src/authority.c
+++ b/src/authority.c
+@@ -89,7 +89,8 @@ create_private_CA (TALLOC_CTX *mem_ctx,
+   sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
+ 
+   /* Mark it as a CA */
+-  ex = X509V3_EXT_conf_nid (NULL, NULL, NID_basic_constraints, "CA:TRUE");
+  ex = X509V3_EXT_conf_nid (
+    NULL, NULL, NID_basic_constraints, "critical,CA:TRUE");
+   CHECK_MEM (ex);
+   sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
+ 
+-- 
+2.49.0
+
--- a/sscg.spec
+++ b/sscg.spec
@ -9,7 +9,7 @@

 Name:           sscg
 Version:        3.0.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Simple SSL certificate generator

 License:        GPLv3+ with exceptions
@ -32,6 +32,7 @@ Patch: 0003-Truncate-IP-address-in-SAN.patch
 Patch: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
 Patch: 0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
 Patch: 0006-x509-Use-proper-version-for-CSR.patch
+Patch: 0007-Ensure-critical-basicConstraint-for-CA-cert.patch

 %description
 A utility to aid in the creation of more secure "self-signed"
@ -62,6 +63,10 @@ false signatures from the service certificate.
 %{_mandir}/man8/%{name}.8*

 %changelog
+* Tue Apr 22 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-9
+- Ensure 'critical' basicConstraint for CA cert
+- Resolves: RHEL-88119
+
 * Wed Apr 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-8
 - x509: Use proper version for CSR
 - Resolves: RHEL-85851