import sscg-2.3.3-10.el8

CentOS Sources 2020-01-21 14:20:03 -05:00 committed by Stepan Oksanichenko
parent af73352779
commit fa7ae85ce3
10 changed files with 3263 additions and 113 deletions


@ -1,7 +1,7 @@
From 71e2451c6ba4d5f17de9e24687b66b93f2e58954 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 17 Sep 2018 09:58:25 -0400
Subject: [PATCH 1/4] Generate manpage
Subject: [PATCH 1/6] Generate manpage
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
@ -12,9 +12,7 @@ diff --git a/meson.build b/meson.build
index e6f33475cce6891d17656bcd10e1afabd43bdc07..a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c 100644
--- a/meson.build
+++ b/meson.build
@@ -5,11 +5,11 @@ project('sscg', 'c',
'c_std=gnu99',
'warning_level=1',
@@ -7,7 +7,7 @@ project('sscg', 'c',
'b_asneeded=true',
],
license : 'MIT',
@ -23,11 +21,7 @@ index e6f33475cce6891d17656bcd10e1afabd43bdc07..a2ca4ba1472bfff61fbbd30ba1ddc7ec
cc = meson.get_compiler('c')
test_cflags = [
'-Wpointer-arith',
'-Wmissing-declarations',
@@ -139,5 +139,25 @@ cdata.set('version', meson.project_version())
configure_file(
input : 'config.h.in',
@@ -141,3 +141,23 @@ configure_file(
output : 'config.h',
configuration : cdata)
@ -52,5 +46,5 @@ index e6f33475cce6891d17656bcd10e1afabd43bdc07..a2ca4ba1472bfff61fbbd30ba1ddc7ec
+ 'man8'),
+)
--
2.19.1
2.23.0


@ -1,7 +1,7 @@
From 942d9fa4f582a372af3d0bd499f073760dec2335 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 27 Nov 2018 13:24:37 -0500
Subject: [PATCH 2/4] Adjust defaults based on system security level
Subject: [PATCH 2/6] Adjust defaults based on system security level
Also permit arbitrary keylengths.
@ -29,9 +29,7 @@ diff --git a/include/sscg.h b/include/sscg.h
index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e376227eb7 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -137,10 +137,11 @@ struct sscg_options
const char *hostname;
char **subject_alt_names;
@@ -139,6 +139,7 @@ struct sscg_options
/* Encryption requirements */
int key_strength;
@ -39,15 +37,11 @@ index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e3
const EVP_MD *hash_fn;
/* Output Files */
char *ca_file;
char *ca_key_file;
diff --git a/meson.build b/meson.build
index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa 100644
--- a/meson.build
+++ b/meson.build
@@ -32,10 +32,11 @@ foreach cflag: test_cflags
endif
endforeach
@@ -34,6 +34,7 @@ endforeach
pkg = import('pkgconfig')
crypto = dependency('libcrypto')
@ -55,11 +49,7 @@ index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba588
path_utils = dependency('path_utils')
talloc = dependency('talloc')
popt = dependency(
'popt',
@@ -47,10 +48,14 @@ if popt.found()
else
popt = subproject('popt').get_variable('libpopt_a')
@@ -49,6 +50,10 @@ else
popt_incdirs = include_directories('subprojects/popt')
endif
@ -70,11 +60,7 @@ index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba588
sscg_lib_srcs = [
'src/authority.c',
'src/bignum.c',
'src/key.c',
'src/service.c',
@@ -68,10 +73,11 @@ sscg_lib_hdrs = [
sscg_lib = static_library(
'sscg',
@@ -70,6 +75,7 @@ sscg_lib = static_library(
sources : sscg_lib_srcs,
dependencies : [
crypto,
@ -82,11 +68,7 @@ index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba588
talloc,
],
install : false,
pic : true,
)
@@ -133,13 +139,13 @@ init_bignum_test = executable(
install : false,
)
@@ -135,9 +141,9 @@ init_bignum_test = executable(
test('init_bignum_test', init_bignum_test)
cdata = configuration_data()
@ -98,15 +80,11 @@ index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba588
output : 'config.h',
configuration : cdata)
# Generate a manpage from the POPT documentation
help2man = find_program('help2man')
diff --git a/src/sscg.c b/src/sscg.c
index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b893300a4414cd 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -15,30 +15,80 @@
along with sscg. If not, see <http://www.gnu.org/licenses/>.
@@ -17,6 +17,7 @@
Copyright 2017 by Stephen Gallagher <sgallagh@redhat.com>
*/
@ -114,8 +92,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
#include <popt.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <talloc.h>
@@ -25,6 +26,7 @@
#include <path_utils.h>
#include <unistd.h>
#include <openssl/evp.h>
@ -123,7 +100,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
#include <sys/param.h>
#include "config.h"
#include "include/sscg.h"
@@ -32,11 +34,59 @@
#include "include/authority.h"
#include "include/service.h"
@ -184,11 +161,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
return 0;
}
static void
print_options (struct sscg_options *opts)
@@ -115,10 +165,11 @@ main (int argc, const char **argv)
{
int ret, sret, opt;
@@ -117,6 +167,7 @@ main (int argc, const char **argv)
size_t i;
poptContext pc;
struct sscg_options *options;
@ -196,11 +169,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
char *country = NULL;
char *state = NULL;
char *locality = NULL;
char *organization = NULL;
@@ -170,10 +221,13 @@ main (int argc, const char **argv)
ret = set_default_options (options);
@@ -172,6 +223,9 @@ main (int argc, const char **argv)
if (ret != EOK)
goto done;
@ -210,11 +179,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
options->verbosity = SSCG_DEFAULT;
struct poptOption long_options[] = {
POPT_AUTOHELP{ "quiet",
'q',
POPT_ARG_VAL,
@@ -291,11 +345,11 @@ main (int argc, const char **argv)
'\0',
POPT_ARG_INT | POPT_ARGFLAG_SHOW_DEFAULT,
@@ -293,7 +347,7 @@ main (int argc, const char **argv)
&options->key_strength,
0,
_ ("Strength of the certificate private keys in bits."),
@ -223,11 +188,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
{
"hash-alg",
'\0',
POPT_ARG_STRING,
&hash_alg,
@@ -527,15 +581,15 @@ main (int argc, const char **argv)
options->subject_alt_names[i + 1] = NULL;
i++;
@@ -529,11 +583,11 @@ main (int argc, const char **argv)
}
}
@ -242,8 +203,6 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
ret = EINVAL;
goto done;
}
if (!hash_alg)
--
2.19.1
2.23.0


@ -1,7 +1,7 @@
From 298015e8a7cf35cc0de581203b44826d2ae1d406 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 28 Nov 2018 08:00:08 -0500
Subject: [PATCH 3/4] Adjust hash defaults based on system security level
Subject: [PATCH 3/6] Adjust hash defaults based on system security level
Unlike the key-strength, this does not set a minimum level because
it's not a simple calculation. We will have to rely on libcrypto
@ -17,9 +17,7 @@ diff --git a/include/sscg.h b/include/sscg.h
index 3e97cfe49a5cd8fc734ecf43a94156e376227eb7..fc90b81a0060af28529f3be6922b1b1501559300 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -138,10 +138,11 @@ struct sscg_options
char **subject_alt_names;
@@ -140,6 +140,7 @@ struct sscg_options
/* Encryption requirements */
int key_strength;
int minimum_key_strength;
@ -27,15 +25,11 @@ index 3e97cfe49a5cd8fc734ecf43a94156e376227eb7..fc90b81a0060af28529f3be6922b1b15
const EVP_MD *hash_fn;
/* Output Files */
char *ca_file;
char *ca_key_file;
diff --git a/src/sscg.c b/src/sscg.c
index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a83281e37e 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -64,28 +64,38 @@ set_default_options (struct sscg_options *opts)
{
case 0:
@@ -66,14 +66,21 @@ set_default_options (struct sscg_options *opts)
case 1:
case 2:
/* Security level 2 and below permits lower key-strengths, but SSCG
@ -60,9 +54,7 @@ index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a8
default:
/* Unknown security level. Default to the highest we know about */
fprintf (stderr,
"Unknown system security level %d. Defaulting to highest-known "
"level.\n",
@@ -83,7 +90,10 @@ set_default_options (struct sscg_options *opts)
security_level);
/* Fall through */
@ -74,11 +66,7 @@ index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a8
}
opts->minimum_key_strength = opts->key_strength;
return 0;
}
@@ -175,11 +185,10 @@ main (int argc, const char **argv)
char *organization = NULL;
char *organizational_unit = NULL;
@@ -177,7 +187,6 @@ main (int argc, const char **argv)
char *email = NULL;
char *hostname = NULL;
char *packagename;
@ -86,11 +74,7 @@ index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a8
char **alternative_names = NULL;
char *ca_file = NULL;
char *ca_key_file = NULL;
char *cert_file = NULL;
@@ -349,14 +358,14 @@ main (int argc, const char **argv)
_ ("Strength of the certificate private keys in bits."),
minimum_key_strength_help },
@@ -351,10 +360,10 @@ main (int argc, const char **argv)
{
"hash-alg",
'\0',
@ -104,11 +88,7 @@ index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a8
_ ("{sha256,sha384,sha512}"),
},
{
"ca-file",
'\0',
@@ -590,21 +599,14 @@ main (int argc, const char **argv)
options->minimum_key_strength);
ret = EINVAL;
@@ -592,17 +601,10 @@ main (int argc, const char **argv)
goto done;
}
@ -130,8 +110,6 @@ index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a8
if (!options->hash_fn)
{
fprintf (stderr, "Unsupported hashing algorithm.");
ret = EINVAL;
goto done;
--
2.19.1
2.23.0


@ -1,7 +1,7 @@
From 9e4497d1dd2a337be1f69e0cfb24ce8080690ccf Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 28 Nov 2018 09:16:29 -0500
Subject: [PATCH 4/4] Properly check all return values
Subject: [PATCH 4/6] Properly check all return values
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
@ -14,9 +14,7 @@ diff --git a/src/authority.c b/src/authority.c
index b735868416b7fb5d016f0854baf0f27cd5f98b26..4e0dccc6c1210beffb38acd9f7dfb6108ca4a4ad 100644
--- a/src/authority.c
+++ b/src/authority.c
@@ -178,10 +178,11 @@ create_private_CA (TALLOC_CTX *mem_ctx,
}
sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
@@ -180,6 +180,7 @@ create_private_CA (TALLOC_CTX *mem_ctx,
/* Finalize the CSR */
ret = sscg_x509v3_csr_finalize (ca_certinfo, pkey, csr);
@ -24,15 +22,11 @@ index b735868416b7fb5d016f0854baf0f27cd5f98b26..4e0dccc6c1210beffb38acd9f7dfb610
if (options->verbosity >= SSCG_DEBUG)
{
fprintf (stderr, "DEBUG: Writing CA CSR to ./debug-ca.csr\n");
BIO *ca_csr_out = BIO_new_file ("./debug-ca.csr", "w");
diff --git a/src/service.c b/src/service.c
index b292e94063f032fd3c34a8134702063ea46bfa0c..34c976dbe905528000b181c24d1fa95da3cd1377 100644
--- a/src/service.c
+++ b/src/service.c
@@ -124,10 +124,11 @@ create_service_cert (TALLOC_CTX *mem_ctx,
ret = sscg_x509v3_csr_new (tmp_ctx, svc_certinfo, pkey, &csr);
CHECK_OK (ret);
@@ -126,6 +126,7 @@ create_service_cert (TALLOC_CTX *mem_ctx,
/* Finalize the CSR */
ret = sscg_x509v3_csr_finalize (svc_certinfo, pkey, csr);
@ -40,15 +34,11 @@ index b292e94063f032fd3c34a8134702063ea46bfa0c..34c976dbe905528000b181c24d1fa95d
if (options->verbosity >= SSCG_DEBUG)
{
fprintf (stderr,
"DEBUG: Writing service certificate CSR to ./debug-svc.csr\n");
diff --git a/src/x509.c b/src/x509.c
index 6d152fc969d745cc5cf085116c8688866f9d6ab4..18f0627bc64e7cb503a9e81c36dbe726186d1144 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -39,10 +39,11 @@ sscg_generate_serial (TALLOC_CTX *mem_ctx, struct sscg_bignum **serial)
{
return ENOMEM;
@@ -41,6 +41,7 @@ sscg_generate_serial (TALLOC_CTX *mem_ctx, struct sscg_bignum **serial)
}
ret = sscg_init_bignum (tmp_ctx, 0, &bn);
@ -56,8 +46,6 @@ index 6d152fc969d745cc5cf085116c8688866f9d6ab4..18f0627bc64e7cb503a9e81c36dbe726
/* We'll create a random number of sizeof(unsigned long) - 1 bits
to use as the serial. We use unsigned long to ensure that it
could be printed by BN_get_word() later. We omit the last bit
in order to ensure that we can't randomly get 0xffffffffL, which
--
2.19.1
2.23.0


@ -0,0 +1,273 @@
From 7190d08e1a166455e767769492b8c6b9f41bc0da Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 5 Jun 2019 17:08:23 -0400
Subject: [PATCH 5/6] Add password support for private keys
Fixes: https://github.com/sgallagher/sscg/issues/14
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
include/sscg.h | 7 +++
src/sscg.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 157 insertions(+), 2 deletions(-)
diff --git a/include/sscg.h b/include/sscg.h
index fc90b81a0060af28529f3be6922b1b1501559300..ce9a7916e9432d0843d82af61d56ea7238ded682 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -141,8 +141,15 @@ struct sscg_options
int key_strength;
int minimum_key_strength;
char *hash_alg;
+ char *cipher_alg;
+ const EVP_CIPHER *cipher;
const EVP_MD *hash_fn;
+ bool ca_key_pass_prompt;
+ char *ca_key_pass;
+ bool cert_key_pass_prompt;
+ char *cert_key_pass;
+
/* Output Files */
char *ca_file;
char *ca_key_file;
diff --git a/src/sscg.c b/src/sscg.c
index 58855f764480d24d6c0f57460b22a3a83281e37e..9dc926c77038105ca881a612cccd1913bc2d42f1 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -97,6 +97,9 @@ set_default_options (struct sscg_options *opts)
}
opts->minimum_key_strength = opts->key_strength;
+
+ opts->cipher_alg = talloc_strdup (opts, "aes-256-cbc");
+
return 0;
}
@@ -170,6 +173,42 @@ done:
return ret;
}
+
+/* This function takes a copy of a string into a talloc hierarchy and memsets
+ * the original string to zeroes to avoid leaking it when that memory is freed.
+ */
+static char *
+sscg_secure_string_steal (TALLOC_CTX *mem_ctx, char *src)
+{
+ char *dest = talloc_strdup (mem_ctx, src);
+
+ memset (src, 0, strlen (src));
+
+ return dest;
+}
+
+
+static int
+sscg_options_destructor (TALLOC_CTX *opts)
+{
+ struct sscg_options *options =
+ talloc_get_type_abort (opts, struct sscg_options);
+
+ /* Zero out the memory before freeing it so we don't leak passwords */
+ if (options->ca_key_pass)
+ {
+ memset (options->ca_key_pass, 0, strlen (options->ca_key_pass));
+ }
+
+ if (options->cert_key_pass)
+ {
+ memset (options->cert_key_pass, 0, strlen (options->cert_key_pass));
+ }
+
+ return 0;
+}
+
+
int
main (int argc, const char **argv)
{
@@ -196,8 +235,11 @@ main (int argc, const char **argv)
int ca_mode = 0644;
int ca_key_mode = 0600;
+ char *ca_key_password = NULL;
+
int cert_mode = 0644;
int cert_key_mode = 0600;
+ char *cert_key_password = NULL;
char *create_mode = NULL;
@@ -227,6 +269,7 @@ main (int argc, const char **argv)
options = talloc_zero (main_ctx, struct sscg_options);
CHECK_MEM (options);
+ talloc_set_destructor ((TALLOC_CTX *)options, sscg_options_destructor);
ret = set_default_options (options);
if (ret != EOK)
@@ -366,6 +409,16 @@ main (int argc, const char **argv)
_ ("Hashing algorithm to use for signing."),
_ ("{sha256,sha384,sha512}"),
},
+ {
+ "cipher-alg",
+ '\0',
+ POPT_ARG_STRING | POPT_ARGFLAG_SHOW_DEFAULT,
+ &options->cipher_alg,
+ 0,
+ _ ("Cipher to use for encrypting key files."),
+ _ ("{des-ede3-cbc,aes-256-cbc}"),
+ },
+
{
"ca-file",
'\0',
@@ -404,6 +457,29 @@ main (int argc, const char **argv)
_ ("File mode of the created CA key. (default: 0600)"),
_ ("0600"),
},
+ {
+ "ca-key-password",
+ '\0',
+ POPT_ARG_STRING,
+ &ca_key_password,
+ 0,
+ _ ("Provide a password for the CA key file. Note that this will be "
+ "visible in the process table for all users, so it should be used "
+ "for testing purposes only. Use --ca-keypassfile or "
+ "--ca-key-password-prompt for secure password entry."),
+ NULL
+ },
+
+ {
+ "ca-key-password-prompt",
+ 'C',
+ POPT_ARG_NONE,
+ &options->ca_key_pass_prompt,
+ 0,
+ _ ("Prompt to enter a password for the CA key file."),
+ NULL
+ },
+
{
"cert-file",
'\0',
@@ -442,6 +518,29 @@ main (int argc, const char **argv)
_ ("File mode of the created certificate key. (default: 0600)"),
_ ("0600"),
},
+ {
+ "cert-key-password",
+ 'p',
+ POPT_ARG_STRING,
+ &cert_key_password,
+ 0,
+ _ ("Provide a password for the service key file. Note that this will be "
+ "visible in the process table for all users, so this flag should be "
+ "used for testing purposes only. Use --cert-keypassfile or "
+ "--cert-key-password-prompt for secure password entry."),
+ NULL
+ },
+
+ {
+ "cert-key-password-prompt",
+ 'P',
+ POPT_ARG_NONE,
+ &options->cert_key_pass_prompt,
+ 0,
+ _ ("Prompt to enter a password for the service key file."),
+ NULL
+ },
+
POPT_TABLEEND
};
@@ -592,6 +691,20 @@ main (int argc, const char **argv)
}
}
+ /* Password handling */
+ if (ca_key_password)
+ {
+ options->ca_key_pass =
+ sscg_secure_string_steal (options, ca_key_password);
+ }
+
+ if (cert_key_password)
+ {
+ options->cert_key_pass =
+ sscg_secure_string_steal (options, cert_key_password);
+ }
+
+
if (options->key_strength < options->minimum_key_strength)
{
fprintf (stderr,
@@ -601,6 +714,15 @@ main (int argc, const char **argv)
goto done;
}
+ /* Make sure we have a valid cipher */
+ options->cipher = EVP_get_cipherbyname (options->cipher_alg);
+ if (!options->cipher)
+ {
+ fprintf (stderr, "Invalid cipher specified: %s\n", options->cipher_alg);
+ ret = EINVAL;
+ goto done;
+ }
+
/* TODO: restrict this to approved hashes.
* For now, we'll only list SHA[256|384|512] in the help */
options->hash_fn = EVP_get_digestbyname (options->hash_alg);
@@ -696,8 +818,21 @@ main (int argc, const char **argv)
cert_key_out = BIO_new_file (options->cert_key_file, create_mode);
CHECK_BIO (cert_key_out, options->cert_key_file);
+ /* This function has a default mechanism for prompting for the
+ * password if it is passed a cipher and gets a NULL password.
+ *
+ * Only pass the cipher if we have a password or were instructed
+ * to prompt for one.
+ */
sret = PEM_write_bio_PrivateKey (
- cert_key_out, svc_key->evp_pkey, NULL, NULL, 0, NULL, NULL);
+ cert_key_out,
+ svc_key->evp_pkey,
+ options->cert_key_pass_prompt || options->cert_key_pass ? options->cipher :
+ NULL,
+ (unsigned char *)options->cert_key_pass,
+ options->cert_key_pass ? strlen (options->cert_key_pass) : 0,
+ NULL,
+ NULL);
CHECK_SSL (sret, PEM_write_bio_PrivateKey (svc));
BIO_get_fp (cert_key_out, &fp);
@@ -776,8 +911,21 @@ main (int argc, const char **argv)
}
CHECK_BIO (ca_key_out, options->ca_key_file);
+ /* This function has a default mechanism for prompting for the
+ * password if it is passed a cipher and gets a NULL password.
+ *
+ * Only pass the cipher if we have a password or were instructed
+ * to prompt for one.
+ */
sret = PEM_write_bio_PrivateKey (
- ca_key_out, cakey->evp_pkey, NULL, NULL, 0, NULL, NULL);
+ ca_key_out,
+ cakey->evp_pkey,
+ options->ca_key_pass_prompt || options->ca_key_pass ? options->cipher :
+ NULL,
+ (unsigned char *)options->ca_key_pass,
+ options->ca_key_pass ? strlen (options->ca_key_pass) : 0,
+ NULL,
+ NULL);
CHECK_SSL (sret, PEM_write_bio_PrivateKey (CA));
BIO_get_fp (ca_key_out, &fp);
if (options->verbosity >= SSCG_DEBUG)
--
2.23.0
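Review bot: An allocation failure in `sscg_secure_string_steal` goes unnoticed and ends with the private key written unencrypted. `talloc_strdup` can return NULL, the "Password handling" block stores that result straight into `options->ca_key_pass` / `options->cert_key_pass`, and the later `PEM_write_bio_PrivateKey` calls pass `options->cipher` only when the password pointer or the prompt flag is set. Adding `CHECK_MEM (options->ca_key_pass);` and `CHECK_MEM (options->cert_key_pass);` after the two assignments, as is already done for `options` earlier in main, would make the failure fatal instead of silent. Separately, the scrubbing `memset` calls here and in `sscg_options_destructor` could be `OPENSSL_cleanse (p, strlen (p));`, which libcrypto provides for wiping secrets and which the optimizer will not drop. main's body continues outside these hunks.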


@ -0,0 +1,153 @@
From 9cb7daa54708dcf5e6500cd20ec7b1cc2f6f6350 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 10 Jun 2019 10:15:42 -0400
Subject: [PATCH 6/6] Allow specifying keyfile password by file
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/sscg.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
diff --git a/src/sscg.c b/src/sscg.c
index 9dc926c77038105ca881a612cccd1913bc2d42f1..a02e4df66c6cf9ec1865f425b4a15da82fbfdc72 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -34,6 +34,10 @@
#include "include/authority.h"
#include "include/service.h"
+
+/* Same as OpenSSL CLI */
+#define MAX_PW_LEN 1024
+
static int
get_security_level (void)
{
@@ -209,6 +213,44 @@ sscg_options_destructor (TALLOC_CTX *opts)
}
+static char *
+sscg_read_pw_file (TALLOC_CTX *mem_ctx, char *path)
+{
+ int i;
+ BIO *pwdbio = NULL;
+ char tpass[MAX_PW_LEN];
+ char *tmp = NULL;
+ char *password = NULL;
+
+ pwdbio = BIO_new_file (path, "r");
+ if (pwdbio == NULL)
+ {
+ fprintf (stderr, "Can't open file %s\n", path);
+ return NULL;
+ }
+
+ i = BIO_gets (pwdbio, tpass, MAX_PW_LEN);
+ BIO_free_all (pwdbio);
+ pwdbio = NULL;
+
+ if (i <= 0)
+ {
+ fprintf (stderr, "Error reading password from BIO\n");
+ return NULL;
+ }
+
+ tmp = strchr (tpass, '\n');
+ if (tmp != NULL)
+ *tmp = 0;
+
+ password = talloc_strdup (mem_ctx, tpass);
+
+ memset (tpass, 0, MAX_PW_LEN);
+
+ return password;
+}
+
+
int
main (int argc, const char **argv)
{
@@ -236,10 +278,12 @@ main (int argc, const char **argv)
int ca_mode = 0644;
int ca_key_mode = 0600;
char *ca_key_password = NULL;
+ char *ca_key_passfile = NULL;
int cert_mode = 0644;
int cert_key_mode = 0600;
char *cert_key_password = NULL;
+ char *cert_key_passfile = NULL;
char *create_mode = NULL;
@@ -470,6 +514,16 @@ main (int argc, const char **argv)
NULL
},
+ {
+ "ca-key-passfile",
+ '\0',
+ POPT_ARG_STRING,
+ &ca_key_passfile,
+ 0,
+ _ ("A file containing the password to encrypt the CA key file."),
+ NULL
+ },
+
{
"ca-key-password-prompt",
'C',
@@ -531,6 +585,16 @@ main (int argc, const char **argv)
NULL
},
+ {
+ "cert-key-passfile",
+ '\0',
+ POPT_ARG_STRING,
+ &cert_key_passfile,
+ 0,
+ _ ("A file containing the password to encrypt the service key file."),
+ NULL
+ },
+
{
"cert-key-password-prompt",
'P',
@@ -697,12 +761,32 @@ main (int argc, const char **argv)
options->ca_key_pass =
sscg_secure_string_steal (options, ca_key_password);
}
+ else if (ca_key_passfile)
+ {
+ options->ca_key_pass = sscg_read_pw_file (options, ca_key_passfile);
+ if (!options->ca_key_pass)
+ {
+ fprintf (
+ stderr, "Failed to read passphrase from %s", ca_key_passfile);
+ goto done;
+ }
+ }
if (cert_key_password)
{
options->cert_key_pass =
sscg_secure_string_steal (options, cert_key_password);
}
+ else if (cert_key_passfile)
+ {
+ options->cert_key_pass = sscg_read_pw_file (options, cert_key_passfile);
+ if (!options->cert_key_pass)
+ {
+ fprintf (
+ stderr, "Failed to read passphrase from %s", cert_key_passfile);
+ goto done;
+ }
+ }
if (options->key_strength < options->minimum_key_strength)
--
2.23.0
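Review bot: `memset (tpass, 0, MAX_PW_LEN);` directly before `return password;` in `sscg_read_pw_file` writes to a local array that is never read again, so the compiler may remove it as a dead store and leave the passphrase on the stack; `OPENSSL_cleanse (tpass, sizeof (tpass));` is the call meant for this. The `i <= 0` early return skips the scrub altogether, and a line longer than `MAX_PW_LEN - 1` bytes is truncated without any diagnostic. In main, both new `else if` branches `goto done` after a failed read without assigning `ret`, unlike the neighbouring error paths that set `ret = EINVAL;`, so the exit status depends on whatever `ret` held before (assigned outside the hunk). The two "Failed to read passphrase" messages also lack a trailing `\n`.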

File diff suppressed because it is too large Load Diff


@ -0,0 +1,98 @@
From 8afa0ce578ecd5cc3a397707fdb163cc169b9bd1 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 13 Dec 2019 08:25:01 -0500
Subject: [PATCH 8/8] Fix client-cert issues found by CI tests
Resolves: rhbz#1720667
Better error message for client certs without public key file
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Fix memory leak in sscg_sign_x509_csr()
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Address clang-analyzer warning
clang-analyzer determined that it was possible for the GET_BIO()
return value to have changed between conditional creation of the
client certificate and writing it out. This patch stores the result
of the lookup so it's certain to be consistent.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/io_utils.c | 4 ++--
src/sscg.c | 8 +++++---
src/x509.c | 1 +
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/io_utils.c b/src/io_utils.c
index 809a1da0e455afa0dba0796a5f7ac406742328a1..a2502afb20f4bcb536428f3528900c2bb06997f5 100644
--- a/src/io_utils.c
+++ b/src/io_utils.c
@@ -363,8 +363,8 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)
case IO_UTILS_CLIENT_UNMATCHED:
SSCG_ERROR (
- "The client certificate must have both public and private key "
- "locations specified.\n");
+ "The client certificate must have the public key location "
+ "specified.\n");
ret = EINVAL;
goto done;
diff --git a/src/sscg.c b/src/sscg.c
index 470af815d91f5170a1e8fe00006dbaee4d07b209..f34a43b83e562d0bd7da9a77e25911762db83693 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -300,6 +300,7 @@ main (int argc, const char **argv)
char *cert_key_password = NULL;
char *cert_key_passfile = NULL;
+ bool build_client_cert = false;
int client_mode = SSCG_CERT_DEFAULT_MODE;
int client_key_mode = SSCG_KEY_DEFAULT_MODE;
char *client_key_password = NULL;
@@ -1118,7 +1119,8 @@ main (int argc, const char **argv)
/* If requested, generate the client auth certificate and sign it with the
* private CA.
*/
- if (GET_BIO (SSCG_FILE_TYPE_CLIENT))
+ build_client_cert = !!(GET_BIO (SSCG_FILE_TYPE_CLIENT));
+ if (build_client_cert)
{
ret = create_cert (main_ctx,
options,
@@ -1136,7 +1138,7 @@ main (int argc, const char **argv)
/* Write private keys first */
- if (GET_BIO (SSCG_FILE_TYPE_CLIENT_KEY))
+ if (build_client_cert)
{
/* This function has a default mechanism for prompting for the
* password if it is passed a cipher and gets a NULL password.
@@ -1201,7 +1203,7 @@ main (int argc, const char **argv)
/* Public keys come next, in chain order */
/* Start with the client certificate */
- if (GET_BIO (SSCG_FILE_TYPE_CLIENT))
+ if (build_client_cert)
{
sret = PEM_write_bio_X509 (GET_BIO (SSCG_FILE_TYPE_CLIENT),
client_cert->certificate);
diff --git a/src/x509.c b/src/x509.c
index 18f0627bc64e7cb503a9e81c36dbe726186d1144..c173f539791fbbc51e52e6b121e587dca43924d4 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -482,5 +482,6 @@ done:
*_cert = talloc_steal (mem_ctx, scert);
}
X509_NAME_free (subject);
+ talloc_free(tmp_ctx);
return ret;
}
--
2.23.0
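Review bot: The private-key write under "Write private keys first" is now guarded by `build_client_cert`, which is computed from `GET_BIO (SSCG_FILE_TYPE_CLIENT)`, where the old guard tested `GET_BIO (SSCG_FILE_TYPE_CLIENT_KEY)`. The body of that block lies outside the hunk; if it writes through the key stream, that stream is no longer checked for NULL here. It is worth confirming that a key stream always exists whenever the certificate stream does, or keeping the check as `if (build_client_cert && GET_BIO (SSCG_FILE_TYPE_CLIENT_KEY))`. The stored value is also a bool, so `PEM_write_bio_X509` still does a fresh `GET_BIO (SSCG_FILE_TYPE_CLIENT)` lookup; holding the `BIO *` in a local and reusing it would match the commit message more closely. In src/x509.c, `talloc_free(tmp_ctx);` omits the space before the parenthesis that the rest of the file uses.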


@ -0,0 +1,31 @@
From ec20eab0c58bb079c7092183e4893ebc773af9a0 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 13 Dec 2019 11:51:43 -0500
Subject: [PATCH 9/9] Fix help message for --client-key-file
Resolves: rhbz#1720667
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/sscg.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/sscg.c b/src/sscg.c
index f34a43b83e562d0bd7da9a77e25911762db83693..87833d266b541f6d0422fdc538d208abd7d81e22 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -734,9 +734,8 @@ main (int argc, const char **argv)
&client_key_file,
0,
_ ("Path where the client's private key will be stored. "
- "(default is client-file with a .key suffix, if "
- "--client-file was passed, otherwise this file will not "
- "be generated.)"),
+ "(default is the client-file, if --client-file was passed, "
+ "otherwise this file will not be generated.)"),
NULL,
},
--
2.23.0


@ -9,7 +9,7 @@
Name: sscg
Version: 2.3.3
Release: 6%{?dist}
Release: 10%{?dist}
Summary: Simple SSL certificate generator
License: BSD
@ -34,6 +34,15 @@ Patch0002: 0002-Adjust-defaults-based-on-system-security-level.patch
Patch0003: 0003-Adjust-hash-defaults-based-on-system-security-level.patch
Patch0004: 0004-Properly-check-all-return-values.patch
# RHBZ #1717880
Patch0005: 0005-Add-password-support-for-private-keys.patch
Patch0006: 0006-Allow-specifying-keyfile-password-by-file.patch
# RHBZ #1720667
Patch0007: 0007-Add-support-for-client-certificates-and-dhparams.patch
Patch0008: 0008-Fix-client-cert-issues-found-by-CI-tests.patch
Patch0009: 0009-Fix-help-message-for-client-key-file.patch
%description
A utility to aid in the creation of more secure "self-signed"
certificates. The certificates created by this tool are generated in a
@ -67,6 +76,22 @@ false signatures from the service certificate.
%{_mandir}/man8/%{name}.8*
%changelog
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-10
- Fix incorrect help message
- Resolves: rhbz#1720667
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-9
- Fix null-dereference and memory leak issues with client certs
- Resolves: rhbz#1720667
* Wed Dec 11 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-8
- Add support for generating client authentication certificates
- Resolves: rhbz#1720667
* Fri Nov 01 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-7
- Add support for password-protecting the private key files
- Resolves: rhbz#1717880
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
- Fixes for issues detected by automated testing.
- Resolves: rhbz#1653323