import sscg-3.0.0-4.el9

SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch

@@ -1,7 +1,7 @@
-From 60377ad4a6a6ef2012d502f118fedb425f4a11af Mon Sep 17 00:00:00 2001
+From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Sat, 7 Aug 2021 11:48:04 -0400
-Subject: [PATCH] Drop usage of ERR_GET_FUNC()
+Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
 
 This macro was dropped in OpenSSL 3.0 and has actually not been
 providing a valid return code for some time.
@@ -14,7 +14,7 @@ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
  1 file changed, 1 deletion(-)
 
 diff --git a/include/sscg.h b/include/sscg.h
-index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc7e4ba2cc 100644
+index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
 --- a/include/sscg.h
 +++ b/include/sscg.h
 @@ -94,11 +94,10 @@
@@ -30,5 +30,5 @@ index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc
                fprintf (                                                       \
                  stderr,                                                       \
 -- 
-2.31.1
+2.33.0
 

SOURCES/0002-Correct-certificate-lifetime-calculation.patch

@@ -0,0 +1,46 @@
+From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
+From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
+Date: Tue, 26 Oct 2021 12:32:13 +0200
+Subject: [PATCH 2/2] Correct certificate lifetime calculation
+
+sscg allows passing the certificate lifetime, as a number of days, as a
+commandline argument.  It converts this value to seconds using the
+formula
+
+  days * 24 * 3650
+
+which is incorrect.  The correct value is 3600.
+
+This effectively adds an extra 20 minutes to the lifetime of the
+certificate for each day as given on the commandline, and was enough to
+cause some new integration tests in cockpit to fail.
+
+Interestingly, 3650 is the old default value for the number of days of
+certificate validity (~10 years) so this probably slipped in as a sort
+of muscle-memory-assisted typo.
+
+Let's just write `24 * 60 * 60` to make things clear.
+---
+ src/x509.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
+       X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
+     }
+ 
+   /* set time */
+   X509_gmtime_adj (X509_get_notBefore (cert), 0);
+-  X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
++  X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
+ 
+   /* set subject */
+   subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
+   sslret = X509_set_subject_name (cert, subject);
+   CHECK_SSL (sslret, X509_set_subject_name);
+-- 
+2.33.0
+

SPECS/sscg.spec

@@ -9,7 +9,7 @@
 
 Name:           sscg
 Version:        3.0.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Simple SSL certificate generator
 
 License:        GPLv3+ with exceptions
@@ -27,6 +27,7 @@ BuildRequires:  help2man
 
 
 Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
+Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
 
 
 %description
@@ -58,6 +59,10 @@ false signatures from the service certificate.
 %{_mandir}/man8/%{name}.8*
 
 %changelog
+* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
+- Correct certificate lifetime calculation
+- Resolves: rhbz#2017667
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.0-3
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688