import CS sscg-3.0.0-10.el9

This commit is contained in:
eabdullin 2025-09-15 12:49:47 +00:00
parent 7853f5caad
commit f89e360b80
9 changed files with 1212 additions and 42 deletions


@ -1,7 +1,7 @@
From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
From 67ef8f036f7324fe37bc7a7e31a38e7088d21df2 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Sat, 7 Aug 2021 11:48:04 -0400
Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
Subject: [PATCH 1/6] Drop usage of ERR_GET_FUNC()
This macro was dropped in OpenSSL 3.0 and has actually not been
providing a valid return code for some time.
@ -17,9 +17,7 @@ diff --git a/include/sscg.h b/include/sscg.h
index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -94,11 +94,10 @@
if (_sslret != 1) \
{ \
@@ -96,7 +96,6 @@
/* Get information about error from OpenSSL */ \
unsigned long _ssl_error = ERR_get_error (); \
if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \
@ -27,8 +25,6 @@ index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24
((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \
(ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \
{ \
fprintf ( \
stderr, \
--
2.33.0
2.49.0


@ -1,7 +1,7 @@
From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
From 5852d74f338bb6de3f303275aa73024f082b47bf Mon Sep 17 00:00:00 2001
From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Date: Tue, 26 Oct 2021 12:32:13 +0200
Subject: [PATCH 2/2] Correct certificate lifetime calculation
Subject: [PATCH 2/6] Correct certificate lifetime calculation
sscg allows passing the certificate lifetime, as a number of days, as a
commandline argument. It converts this value to seconds using the
@ -28,9 +28,7 @@ diff --git a/src/x509.c b/src/x509.c
index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
}
@@ -418,7 +418,7 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
/* set time */
X509_gmtime_adj (X509_get_notBefore (cert), 0);
@ -39,8 +37,6 @@ index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e84
/* set subject */
subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
sslret = X509_set_subject_name (cert, subject);
CHECK_SSL (sslret, X509_set_subject_name);
--
2.33.0
2.49.0


@ -1,7 +1,7 @@
From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
From c633de3d77987cef5b652c861aa646774c6f1167 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 8 Mar 2022 16:33:35 -0500
Subject: [PATCH] Truncate IP address in SAN
Subject: [PATCH 3/6] Truncate IP address in SAN
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
but in OpenSSL 3.0 it is rejected as an invalid input.
@ -15,9 +15,7 @@ diff --git a/src/x509.c b/src/x509.c
index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
size_t i;
X509_NAME *subject;
@@ -133,6 +133,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
char *alt_name = NULL;
char *tmp = NULL;
char *san = NULL;
@ -25,11 +23,7 @@ index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e
TALLOC_CTX *tmp_ctx;
X509_EXTENSION *ex = NULL;
struct sscg_x509_req *csr;
/* Make sure we have a key available */
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
}
@@ -267,6 +268,12 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
else
{
san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
@ -42,11 +36,7 @@ index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e
}
CHECK_MEM (san);
if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
{
@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
alt_name = tmp;
}
@@ -289,7 +296,13 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
}
ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
@ -61,8 +51,6 @@ index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e
sk_X509_EXTENSION_push (certinfo->extensions, ex);
/* Set the public key for the certificate */
sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
--
2.35.1
2.49.0


@ -1,7 +1,7 @@
From 282f819bc39c9557ee34f73c6f6623182f680792 Mon Sep 17 00:00:00 2001
From 259c4c83307273551fd267585ec8854896a168bd Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 16 Nov 2022 15:27:58 -0500
Subject: [PATCH] dhparams: don't fail if default file can't be created
Subject: [PATCH 4/6] dhparams: don't fail if default file can't be created
Resolves: rhbz#2143206
@ -135,5 +135,5 @@ index 1bf8019c2dda136abe56acd101dfe8ad0b3d725d..dcff4cd2b8dfd2e11c8612d36ecc94b1
sscg_io_utils_finalize_output_files (options->streams);
--
2.38.1
2.49.0


@ -1,7 +1,7 @@
From e65a507c487a37dd5a8c90b7dbd1ff3274146239 Mon Sep 17 00:00:00 2001
From 7abb9f7f929eb85fa3ab66a150978bbc5e198e5c Mon Sep 17 00:00:00 2001
From: Simon Chopin <simon.chopin@canonical.com>
Date: Mon, 13 Dec 2021 15:20:55 +0100
Subject: [PATCH 5/5] dhparams: Fix the FIPS_mode() call for OpenSSL 3.0
Subject: [PATCH 5/6] dhparams: Fix the FIPS_mode() call for OpenSSL 3.0
This function has been removed from OpenSSL 3.0, replaced by
EVP_default_properties_is_fips_enabled().
@ -28,5 +28,5 @@ index 5c50128970d48790df910b9f9531e61e1d4c5758..61fd57aeedca47fba49f75d356cd5f42
i = 0;
while (dh_nonfips_groups[i])
--
2.31.1
2.49.0


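--- /dev/null
+++ b/0006-x509-Use-proper-version-for-CSR.patch
@@ -0,0 +1,31 @@
+From 6b48b480d57f75fc93ea646fbe6a457c4afd319f Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Sat, 19 Oct 2024 15:43:20 +0200
+Subject: [PATCH 6/6] x509: Use proper version for CSR.
+RFC 2986 only defines a single version for CSRs: X509_VERSION_1 (0).
+OpenSSL starting with 3.4 rejects everything else.
+Use X509_VERSION_1 as version for X509_REQ_set_version.
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+src/x509.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/x509.c b/src/x509.c
+index e828ec725b23d7ea79393151e7bb436e2f61bdb8..22f8163ec5a6b20bcb16177edf8088cf148a8661 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -156,7 +156,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+talloc_set_destructor ((TALLOC_CTX *)csr, _sscg_csr_destructor);
+/* We will generate only x509v3 certificates */
+- sslret = X509_REQ_set_version (csr->x509_req, 2);
++ sslret = X509_REQ_set_version (csr->x509_req, X509_VERSION_1);
+CHECK_SSL (sslret, X509_REQ_set_version);
+subject = X509_REQ_get_subject_name (csr->x509_req);
+--
+2.49.0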
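Review bot: The comment kept above the changed call, `/* We will generate only x509v3 certificates */`, now contradicts the code: the call sets the CSR version, and RFC 2986 defines only version 1 (encoded as 0) for CSRs, while the certificate's own version is set elsewhere. I would replace it with `/* RFC 2986 defines a single CSR version, X509_VERSION_1 (0); OpenSSL >= 3.4 rejects other values */`. As far as I know `X509_VERSION_1` first appeared in OpenSSL 3.0's x509.h, so this patch presumably only builds against 3.0 or newer, which matches the target here but would need a fallback definition on an older OpenSSL. sscg_x509v3_csr_new starts and ends outside the hunk.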


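--- /dev/null
+++ b/0007-Ensure-critical-basicConstraint-for-CA-cert.patch
@@ -0,0 +1,29 @@
+From 499ce83c85d14dd8cbc52f6431e775f1d00578d6 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 22 Apr 2025 13:09:32 -0400
+Subject: [PATCH 7/7] Ensure 'critical' basicConstraint for CA cert
+Fixes: https://github.com/sgallagher/sscg/issues/74
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+src/authority.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/authority.c b/src/authority.c
+index af60e1a93023c32e3fdf6da920fba4464256ed81..044c62f5192e75a9f7d3f49616f852a97da7505a 100644
+--- a/src/authority.c
++++ b/src/authority.c
+@@ -89,7 +89,8 @@ create_private_CA (TALLOC_CTX *mem_ctx,
+sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
+/* Mark it as a CA */
+- ex = X509V3_EXT_conf_nid (NULL, NULL, NID_basic_constraints, "CA:TRUE");
++ ex = X509V3_EXT_conf_nid (
++ NULL, NULL, NID_basic_constraints, "critical,CA:TRUE");
+CHECK_MEM (ex);
+sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
+--
+2.49.0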
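Review bot: The comment above the changed call still reads `/* Mark it as a CA */` and does not record why `critical` was added; RFC 5280 section 4.2.1.9 requires basicConstraints to be marked critical in CA certificates, and validators that enforce this reject a CA certificate where it is not. I would extend it to `/* Mark it as a CA; RFC 5280 requires basicConstraints to be critical in CA certificates */`. If this private CA is only ever meant to sign the service certificate directly, `"critical,CA:TRUE,pathlen:0"` would additionally prevent it from issuing subordinate CAs, though that changes the emitted certificate and should be a separate decision. Note also that X509V3_EXT_conf_nid returns NULL when the value string fails to parse, not only on allocation failure, so a bad string here is reported by the existing CHECK_MEM as a memory error; that is pre-existing. create_private_CA starts and ends outside the hunk.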



@ -9,7 +9,7 @@
Name: sscg
Version: 3.0.0
Release: 7%{?dist}
Release: 10%{?dist}
Summary: Simple SSL certificate generator
License: GPLv3+ with exceptions
@ -31,6 +31,9 @@ Patch: 0002-Correct-certificate-lifetime-calculation.patch
Patch: 0003-Truncate-IP-address-in-SAN.patch
Patch: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
Patch: 0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
Patch: 0006-x509-Use-proper-version-for-CSR.patch
Patch: 0007-Ensure-critical-basicConstraint-for-CA-cert.patch
Patch: 0008-Fix-IP-address-handling-in-CA-certificate-SAN-constr.patch
%description
A utility to aid in the creation of more secure "self-signed"
@ -61,7 +64,19 @@ false signatures from the service certificate.
%{_mandir}/man8/%{name}.8*
%changelog
* Fri Dec 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
* Mon Aug 11 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-10
- Fix IP address handling in CA certificate SAN constraints
- Resolves: RHEL-107289
* Tue Apr 22 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-9
- Ensure 'critical' basicConstraint for CA cert
- Resolves: RHEL-88119
* Wed Apr 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-8
- x509: Use proper version for CSR
- Resolves: RHEL-85851
* Fri Dec 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-7
- Use EVP_default_properties_is_fips_enabled() on OpenSSL 3.0
- Related: rhbz#2083879