x509: Use proper version for CSR

RFC 2986 only defines a single version for CSRs: X509_VERSION_1 (0). OpenSSL starting with 3.4 rejects everything else. Use X509_VERSION_1 as version for X509_REQ_set_version. Resolves: RHEL-85814 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2025-04-02 20:52:28 -04:00 · 2025-04-02 20:52:28 -04:00 · e754c2e164
commit e754c2e164
parent 1c9e5bc4a1
4 changed files with 43 additions and 7 deletions
--- a/0001-Extend-maximum-DNS-name-to-255.patch
+++ b/0001-Extend-maximum-DNS-name-to-255.patch
@ -1,7 +1,7 @@
-From 750dee2eded3b1c16e0434fa387d35a869545d9e Mon Sep 17 00:00:00 2001
+From d3a4452d7cc78589fb6077e98b228e09e9e76e3f Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Wed, 15 Feb 2023 15:49:38 -0500
-Subject: [PATCH 1/2] Extend maximum DNS name to 255
+Subject: [PATCH 1/3] Extend maximum DNS name to 255
 The hostname part is still restricted to 63 characters
@ -201,5 +201,5 @@ index 4f3f11cd3411f00cf6de3a72ba897adc97944e35..9f6f21b49c2dd70629fed67d32702737
               goto done;
             }
 -- 
-2.41.0
+2.49.0
--- a/0002-Update-README.md-with-latest-usage-information.patch
+++ b/0002-Update-README.md-with-latest-usage-information.patch
@ -1,7 +1,7 @@
-From ff2cf0e789cb62c1efbb95ee3f6ccd1958a9d10e Mon Sep 17 00:00:00 2001
+From 14df7d212d020f247587e2d850ec27dbd16add38 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Fri, 1 Sep 2023 08:19:01 -0400
-Subject: [PATCH 2/2] Update README.md with latest usage information
+Subject: [PATCH 2/3] Update README.md with latest usage information
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
 ---
@ -105,5 +105,5 @@ index d15c3d955d03026e8a68c04870a5f97a20eb03d9..4d57138895443f228212a6c772093504
 Help options:
 -- 
-2.41.0
+2.49.0
--- a/0003-x509-Use-proper-version-for-CSR.patch
+++ b/0003-x509-Use-proper-version-for-CSR.patch
@ -0,0 +1,31 @@
 From 70b0a4742a67616a5223a0cdc2067effccf081e9 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
 Date: Sat, 19 Oct 2024 15:43:20 +0200
 Subject: [PATCH 3/3] x509: Use proper version for CSR.
 RFC 2986 only defines a single version for CSRs: X509_VERSION_1 (0).
 OpenSSL starting with 3.4 rejects everything else.
 Use X509_VERSION_1 as version for X509_REQ_set_version.
 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
 ---
 src/x509.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/x509.c b/src/x509.c
 index 9f6f21b49c2dd70629fed67d327027374eb21b15..503b7b1b51ed45909104d1b5e593129ee9e8dee2 100644
 --- a/src/x509.c
 +++ b/src/x509.c
@@ -169,7 +169,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
   talloc_set_destructor ((TALLOC_CTX *)csr, _sscg_csr_destructor);
   /* We will generate only x509v3 certificates */
 -  sslret = X509_REQ_set_version (csr->x509_req, 2);
 +  sslret = X509_REQ_set_version (csr->x509_req, X509_VERSION_1);
   CHECK_SSL (sslret, X509_REQ_set_version);
   subject = X509_REQ_get_subject_name (csr->x509_req);
 -- 
 2.49.0
--- a/sscg.spec
+++ b/sscg.spec
@ -18,7 +18,12 @@ URL:            https://%{provider_prefix}
 Source0:        sscg-3.0.5.tar.gz
 # Extend maximum DNS name to 255
 # Author: Stephen Gallagher <sgallagh@redhat.com>
-Patch1:         0001-Extend-maximum-DNS-name-to-255.patch
+Patch:          0001-Extend-maximum-DNS-name-to-255.patch
 # Update the README documentation
 Patch:          0002-Update-README.md-with-latest-usage-information.patch
 # Set Certificate Signing Request version to 1 instead of 3(which doesn't exist)
 Patch:          0003-x509-Use-proper-version-for-CSR.patch
 BuildRequires:  gcc
 BuildRequires:  libtalloc-devel
 BuildRequires:  openssl