x509: Use proper version for CSR

RFC 2986 only defines a single version for CSRs: X509_VERSION_1 (0).
OpenSSL starting with 3.4 rejects everything else.

Use X509_VERSION_1 as version for X509_REQ_set_version.

Resolves: RHEL-85814

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Stephen Gallagher 2025-04-02 20:52:28 -04:00
parent 1c9e5bc4a1
commit e754c2e164
4 changed files with 43 additions and 7 deletions

@ -1,7 +1,7 @@
From 750dee2eded3b1c16e0434fa387d35a869545d9e Mon Sep 17 00:00:00 2001
From d3a4452d7cc78589fb6077e98b228e09e9e76e3f Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 15 Feb 2023 15:49:38 -0500
Subject: [PATCH 1/2] Extend maximum DNS name to 255
Subject: [PATCH 1/3] Extend maximum DNS name to 255
The hostname part is still restricted to 63 characters
@ -201,5 +201,5 @@ index 4f3f11cd3411f00cf6de3a72ba897adc97944e35..9f6f21b49c2dd70629fed67d32702737
goto done;
}
--
2.41.0
2.49.0
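
Review bot: Rewriting this unchanged patch is avoidable churn: the only differences are the `From <hash>` line, the `[PATCH 1/2]` to `[PATCH 1/3]` renumbering and the git version trailer (2.41.0 to 2.49.0). Exporting the series with `git format-patch --zero-commit --no-numbered --no-signature` would keep existing patches byte-stable when a new one is appended, so the diff would show only the actual fix.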

@ -1,7 +1,7 @@
From ff2cf0e789cb62c1efbb95ee3f6ccd1958a9d10e Mon Sep 17 00:00:00 2001
From 14df7d212d020f247587e2d850ec27dbd16add38 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 1 Sep 2023 08:19:01 -0400
Subject: [PATCH 2/2] Update README.md with latest usage information
Subject: [PATCH 2/3] Update README.md with latest usage information
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
@ -105,5 +105,5 @@ index d15c3d955d03026e8a68c04870a5f97a20eb03d9..4d57138895443f228212a6c772093504
Help options:
--
2.41.0
2.49.0

@ -0,0 +1,31 @@
From 70b0a4742a67616a5223a0cdc2067effccf081e9 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Sat, 19 Oct 2024 15:43:20 +0200
Subject: [PATCH 3/3] x509: Use proper version for CSR.
RFC 2986 only defines a single version for CSRs: X509_VERSION_1 (0).
OpenSSL starting with 3.4 rejects everything else.
Use X509_VERSION_1 as version for X509_REQ_set_version.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
src/x509.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/x509.c b/src/x509.c
index 9f6f21b49c2dd70629fed67d327027374eb21b15..503b7b1b51ed45909104d1b5e593129ee9e8dee2 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -169,7 +169,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
talloc_set_destructor ((TALLOC_CTX *)csr, _sscg_csr_destructor);
/* We will generate only x509v3 certificates */
- sslret = X509_REQ_set_version (csr->x509_req, 2);
+ sslret = X509_REQ_set_version (csr->x509_req, X509_VERSION_1);
CHECK_SSL (sslret, X509_REQ_set_version);
subject = X509_REQ_get_subject_name (csr->x509_req);
--
2.49.0
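
Review bot: The context comment directly above the changed call, `/* We will generate only x509v3 certificates */`, is left in place and now sits next to `X509_VERSION_1`, which reads as a contradiction and is the same reasoning that made the old value `2` look intentional. The version field of a CSR is separate from the version of the certificate issued from it, so the patch should reword that comment in the same hunk, for example to state that RFC 2986 defines only version 0 for certificate requests.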

@ -18,7 +18,12 @@ URL: https://%{provider_prefix}
Source0: sscg-3.0.5.tar.gz
# Extend maximum DNS name to 255
# Author: Stephen Gallagher <sgallagh@redhat.com>
Patch1: 0001-Extend-maximum-DNS-name-to-255.patch
Patch: 0001-Extend-maximum-DNS-name-to-255.patch
# Update the README documentation
Patch: 0002-Update-README.md-with-latest-usage-information.patch
# Set Certificate Signing Request version to 1 instead of 3(which doesn't exist)
Patch: 0003-x509-Use-proper-version-for-CSR.patch
BuildRequires: gcc
BuildRequires: libtalloc-devel
BuildRequires: openssl
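
Review bot: The two new `Patch:` entries have no `# Author:` line, unlike the 0001 entry, and 0003 was written by someone other than the committer (Sebastian Andrzej Siewior, per its `From:` header), so the attribution should be added there. The comment for 0003 is also worth rewording: "version to 1 instead of 3" mixes version names with field values (the code goes from `2` to `X509_VERSION_1`, which is 0), and "3(which" is missing a space.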