import sscg-2.3.3-10.el8
This commit is contained in:
parent
af73352779
commit
fa7ae85ce3
@ -1,7 +1,7 @@
|
|||||||
From 71e2451c6ba4d5f17de9e24687b66b93f2e58954 Mon Sep 17 00:00:00 2001
|
From 71e2451c6ba4d5f17de9e24687b66b93f2e58954 Mon Sep 17 00:00:00 2001
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
Date: Mon, 17 Sep 2018 09:58:25 -0400
|
Date: Mon, 17 Sep 2018 09:58:25 -0400
|
||||||
Subject: [PATCH 1/4] Generate manpage
|
Subject: [PATCH 1/6] Generate manpage
|
||||||
|
|
||||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
---
|
---
|
||||||
@ -12,9 +12,7 @@ diff --git a/meson.build b/meson.build
|
|||||||
index e6f33475cce6891d17656bcd10e1afabd43bdc07..a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c 100644
|
index e6f33475cce6891d17656bcd10e1afabd43bdc07..a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c 100644
|
||||||
--- a/meson.build
|
--- a/meson.build
|
||||||
+++ b/meson.build
|
+++ b/meson.build
|
||||||
@@ -5,11 +5,11 @@ project('sscg', 'c',
|
@@ -7,7 +7,7 @@ project('sscg', 'c',
|
||||||
'c_std=gnu99',
|
|
||||||
'warning_level=1',
|
|
||||||
'b_asneeded=true',
|
'b_asneeded=true',
|
||||||
],
|
],
|
||||||
license : 'MIT',
|
license : 'MIT',
|
||||||
@ -23,11 +21,7 @@ index e6f33475cce6891d17656bcd10e1afabd43bdc07..a2ca4ba1472bfff61fbbd30ba1ddc7ec
|
|||||||
|
|
||||||
cc = meson.get_compiler('c')
|
cc = meson.get_compiler('c')
|
||||||
test_cflags = [
|
test_cflags = [
|
||||||
'-Wpointer-arith',
|
@@ -141,3 +141,23 @@ configure_file(
|
||||||
'-Wmissing-declarations',
|
|
||||||
@@ -139,5 +139,25 @@ cdata.set('version', meson.project_version())
|
|
||||||
configure_file(
|
|
||||||
input : 'config.h.in',
|
|
||||||
output : 'config.h',
|
output : 'config.h',
|
||||||
configuration : cdata)
|
configuration : cdata)
|
||||||
|
|
||||||
@ -52,5 +46,5 @@ index e6f33475cce6891d17656bcd10e1afabd43bdc07..a2ca4ba1472bfff61fbbd30ba1ddc7ec
|
|||||||
+ 'man8'),
|
+ 'man8'),
|
||||||
+)
|
+)
|
||||||
--
|
--
|
||||||
2.19.1
|
2.23.0
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 942d9fa4f582a372af3d0bd499f073760dec2335 Mon Sep 17 00:00:00 2001
|
From 942d9fa4f582a372af3d0bd499f073760dec2335 Mon Sep 17 00:00:00 2001
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
Date: Tue, 27 Nov 2018 13:24:37 -0500
|
Date: Tue, 27 Nov 2018 13:24:37 -0500
|
||||||
Subject: [PATCH 2/4] Adjust defaults based on system security level
|
Subject: [PATCH 2/6] Adjust defaults based on system security level
|
||||||
|
|
||||||
Also permit arbitrary keylengths.
|
Also permit arbitrary keylengths.
|
||||||
|
|
||||||
@ -29,9 +29,7 @@ diff --git a/include/sscg.h b/include/sscg.h
|
|||||||
index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e376227eb7 100644
|
index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e376227eb7 100644
|
||||||
--- a/include/sscg.h
|
--- a/include/sscg.h
|
||||||
+++ b/include/sscg.h
|
+++ b/include/sscg.h
|
||||||
@@ -137,10 +137,11 @@ struct sscg_options
|
@@ -139,6 +139,7 @@ struct sscg_options
|
||||||
const char *hostname;
|
|
||||||
char **subject_alt_names;
|
|
||||||
|
|
||||||
/* Encryption requirements */
|
/* Encryption requirements */
|
||||||
int key_strength;
|
int key_strength;
|
||||||
@ -39,15 +37,11 @@ index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e3
|
|||||||
const EVP_MD *hash_fn;
|
const EVP_MD *hash_fn;
|
||||||
|
|
||||||
/* Output Files */
|
/* Output Files */
|
||||||
char *ca_file;
|
|
||||||
char *ca_key_file;
|
|
||||||
diff --git a/meson.build b/meson.build
|
diff --git a/meson.build b/meson.build
|
||||||
index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa 100644
|
index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa 100644
|
||||||
--- a/meson.build
|
--- a/meson.build
|
||||||
+++ b/meson.build
|
+++ b/meson.build
|
||||||
@@ -32,10 +32,11 @@ foreach cflag: test_cflags
|
@@ -34,6 +34,7 @@ endforeach
|
||||||
endif
|
|
||||||
endforeach
|
|
||||||
|
|
||||||
pkg = import('pkgconfig')
|
pkg = import('pkgconfig')
|
||||||
crypto = dependency('libcrypto')
|
crypto = dependency('libcrypto')
|
||||||
@ -55,11 +49,7 @@ index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba588
|
|||||||
path_utils = dependency('path_utils')
|
path_utils = dependency('path_utils')
|
||||||
talloc = dependency('talloc')
|
talloc = dependency('talloc')
|
||||||
|
|
||||||
popt = dependency(
|
@@ -49,6 +50,10 @@ else
|
||||||
'popt',
|
|
||||||
@@ -47,10 +48,14 @@ if popt.found()
|
|
||||||
else
|
|
||||||
popt = subproject('popt').get_variable('libpopt_a')
|
|
||||||
popt_incdirs = include_directories('subprojects/popt')
|
popt_incdirs = include_directories('subprojects/popt')
|
||||||
endif
|
endif
|
||||||
|
|
||||||
@ -70,11 +60,7 @@ index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba588
|
|||||||
sscg_lib_srcs = [
|
sscg_lib_srcs = [
|
||||||
'src/authority.c',
|
'src/authority.c',
|
||||||
'src/bignum.c',
|
'src/bignum.c',
|
||||||
'src/key.c',
|
@@ -70,6 +75,7 @@ sscg_lib = static_library(
|
||||||
'src/service.c',
|
|
||||||
@@ -68,10 +73,11 @@ sscg_lib_hdrs = [
|
|
||||||
sscg_lib = static_library(
|
|
||||||
'sscg',
|
|
||||||
sources : sscg_lib_srcs,
|
sources : sscg_lib_srcs,
|
||||||
dependencies : [
|
dependencies : [
|
||||||
crypto,
|
crypto,
|
||||||
@ -82,11 +68,7 @@ index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba588
|
|||||||
talloc,
|
talloc,
|
||||||
],
|
],
|
||||||
install : false,
|
install : false,
|
||||||
pic : true,
|
@@ -135,9 +141,9 @@ init_bignum_test = executable(
|
||||||
)
|
|
||||||
@@ -133,13 +139,13 @@ init_bignum_test = executable(
|
|
||||||
install : false,
|
|
||||||
)
|
|
||||||
test('init_bignum_test', init_bignum_test)
|
test('init_bignum_test', init_bignum_test)
|
||||||
|
|
||||||
cdata = configuration_data()
|
cdata = configuration_data()
|
||||||
@ -98,15 +80,11 @@ index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba588
|
|||||||
output : 'config.h',
|
output : 'config.h',
|
||||||
configuration : cdata)
|
configuration : cdata)
|
||||||
|
|
||||||
# Generate a manpage from the POPT documentation
|
|
||||||
help2man = find_program('help2man')
|
|
||||||
diff --git a/src/sscg.c b/src/sscg.c
|
diff --git a/src/sscg.c b/src/sscg.c
|
||||||
index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b893300a4414cd 100644
|
index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b893300a4414cd 100644
|
||||||
--- a/src/sscg.c
|
--- a/src/sscg.c
|
||||||
+++ b/src/sscg.c
|
+++ b/src/sscg.c
|
||||||
@@ -15,30 +15,80 @@
|
@@ -17,6 +17,7 @@
|
||||||
along with sscg. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
Copyright 2017 by Stephen Gallagher <sgallagh@redhat.com>
|
Copyright 2017 by Stephen Gallagher <sgallagh@redhat.com>
|
||||||
*/
|
*/
|
||||||
|
|
||||||
@ -114,8 +92,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
|
|||||||
#include <popt.h>
|
#include <popt.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <string.h>
|
@@ -25,6 +26,7 @@
|
||||||
#include <talloc.h>
|
|
||||||
#include <path_utils.h>
|
#include <path_utils.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
@ -123,7 +100,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
|
|||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "include/sscg.h"
|
@@ -32,11 +34,59 @@
|
||||||
#include "include/authority.h"
|
#include "include/authority.h"
|
||||||
#include "include/service.h"
|
#include "include/service.h"
|
||||||
|
|
||||||
@ -184,11 +161,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
@@ -117,6 +167,7 @@ main (int argc, const char **argv)
|
||||||
print_options (struct sscg_options *opts)
|
|
||||||
@@ -115,10 +165,11 @@ main (int argc, const char **argv)
|
|
||||||
{
|
|
||||||
int ret, sret, opt;
|
|
||||||
size_t i;
|
size_t i;
|
||||||
poptContext pc;
|
poptContext pc;
|
||||||
struct sscg_options *options;
|
struct sscg_options *options;
|
||||||
@ -196,11 +169,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
|
|||||||
|
|
||||||
char *country = NULL;
|
char *country = NULL;
|
||||||
char *state = NULL;
|
char *state = NULL;
|
||||||
char *locality = NULL;
|
@@ -172,6 +223,9 @@ main (int argc, const char **argv)
|
||||||
char *organization = NULL;
|
|
||||||
@@ -170,10 +221,13 @@ main (int argc, const char **argv)
|
|
||||||
|
|
||||||
ret = set_default_options (options);
|
|
||||||
if (ret != EOK)
|
if (ret != EOK)
|
||||||
goto done;
|
goto done;
|
||||||
|
|
||||||
@ -210,11 +179,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
|
|||||||
options->verbosity = SSCG_DEFAULT;
|
options->verbosity = SSCG_DEFAULT;
|
||||||
struct poptOption long_options[] = {
|
struct poptOption long_options[] = {
|
||||||
POPT_AUTOHELP{ "quiet",
|
POPT_AUTOHELP{ "quiet",
|
||||||
'q',
|
@@ -293,7 +347,7 @@ main (int argc, const char **argv)
|
||||||
POPT_ARG_VAL,
|
|
||||||
@@ -291,11 +345,11 @@ main (int argc, const char **argv)
|
|
||||||
'\0',
|
|
||||||
POPT_ARG_INT | POPT_ARGFLAG_SHOW_DEFAULT,
|
|
||||||
&options->key_strength,
|
&options->key_strength,
|
||||||
0,
|
0,
|
||||||
_ ("Strength of the certificate private keys in bits."),
|
_ ("Strength of the certificate private keys in bits."),
|
||||||
@ -223,11 +188,7 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
|
|||||||
{
|
{
|
||||||
"hash-alg",
|
"hash-alg",
|
||||||
'\0',
|
'\0',
|
||||||
POPT_ARG_STRING,
|
@@ -529,11 +583,11 @@ main (int argc, const char **argv)
|
||||||
&hash_alg,
|
|
||||||
@@ -527,15 +581,15 @@ main (int argc, const char **argv)
|
|
||||||
options->subject_alt_names[i + 1] = NULL;
|
|
||||||
i++;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -242,8 +203,6 @@ index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b89330
|
|||||||
ret = EINVAL;
|
ret = EINVAL;
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!hash_alg)
|
|
||||||
--
|
--
|
||||||
2.19.1
|
2.23.0
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 298015e8a7cf35cc0de581203b44826d2ae1d406 Mon Sep 17 00:00:00 2001
|
From 298015e8a7cf35cc0de581203b44826d2ae1d406 Mon Sep 17 00:00:00 2001
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
Date: Wed, 28 Nov 2018 08:00:08 -0500
|
Date: Wed, 28 Nov 2018 08:00:08 -0500
|
||||||
Subject: [PATCH 3/4] Adjust hash defaults based on system security level
|
Subject: [PATCH 3/6] Adjust hash defaults based on system security level
|
||||||
|
|
||||||
Unlike the key-strength, this does not set a minimum level because
|
Unlike the key-strength, this does not set a minimum level because
|
||||||
it's not a simple calculation. We will have to rely on libcrypto
|
it's not a simple calculation. We will have to rely on libcrypto
|
||||||
@ -17,9 +17,7 @@ diff --git a/include/sscg.h b/include/sscg.h
|
|||||||
index 3e97cfe49a5cd8fc734ecf43a94156e376227eb7..fc90b81a0060af28529f3be6922b1b1501559300 100644
|
index 3e97cfe49a5cd8fc734ecf43a94156e376227eb7..fc90b81a0060af28529f3be6922b1b1501559300 100644
|
||||||
--- a/include/sscg.h
|
--- a/include/sscg.h
|
||||||
+++ b/include/sscg.h
|
+++ b/include/sscg.h
|
||||||
@@ -138,10 +138,11 @@ struct sscg_options
|
@@ -140,6 +140,7 @@ struct sscg_options
|
||||||
char **subject_alt_names;
|
|
||||||
|
|
||||||
/* Encryption requirements */
|
/* Encryption requirements */
|
||||||
int key_strength;
|
int key_strength;
|
||||||
int minimum_key_strength;
|
int minimum_key_strength;
|
||||||
@ -27,15 +25,11 @@ index 3e97cfe49a5cd8fc734ecf43a94156e376227eb7..fc90b81a0060af28529f3be6922b1b15
|
|||||||
const EVP_MD *hash_fn;
|
const EVP_MD *hash_fn;
|
||||||
|
|
||||||
/* Output Files */
|
/* Output Files */
|
||||||
char *ca_file;
|
|
||||||
char *ca_key_file;
|
|
||||||
diff --git a/src/sscg.c b/src/sscg.c
|
diff --git a/src/sscg.c b/src/sscg.c
|
||||||
index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a83281e37e 100644
|
index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a83281e37e 100644
|
||||||
--- a/src/sscg.c
|
--- a/src/sscg.c
|
||||||
+++ b/src/sscg.c
|
+++ b/src/sscg.c
|
||||||
@@ -64,28 +64,38 @@ set_default_options (struct sscg_options *opts)
|
@@ -66,14 +66,21 @@ set_default_options (struct sscg_options *opts)
|
||||||
{
|
|
||||||
case 0:
|
|
||||||
case 1:
|
case 1:
|
||||||
case 2:
|
case 2:
|
||||||
/* Security level 2 and below permits lower key-strengths, but SSCG
|
/* Security level 2 and below permits lower key-strengths, but SSCG
|
||||||
@ -60,9 +54,7 @@ index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a8
|
|||||||
|
|
||||||
default:
|
default:
|
||||||
/* Unknown security level. Default to the highest we know about */
|
/* Unknown security level. Default to the highest we know about */
|
||||||
fprintf (stderr,
|
@@ -83,7 +90,10 @@ set_default_options (struct sscg_options *opts)
|
||||||
"Unknown system security level %d. Defaulting to highest-known "
|
|
||||||
"level.\n",
|
|
||||||
security_level);
|
security_level);
|
||||||
/* Fall through */
|
/* Fall through */
|
||||||
|
|
||||||
@ -74,11 +66,7 @@ index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a8
|
|||||||
}
|
}
|
||||||
|
|
||||||
opts->minimum_key_strength = opts->key_strength;
|
opts->minimum_key_strength = opts->key_strength;
|
||||||
return 0;
|
@@ -177,7 +187,6 @@ main (int argc, const char **argv)
|
||||||
}
|
|
||||||
@@ -175,11 +185,10 @@ main (int argc, const char **argv)
|
|
||||||
char *organization = NULL;
|
|
||||||
char *organizational_unit = NULL;
|
|
||||||
char *email = NULL;
|
char *email = NULL;
|
||||||
char *hostname = NULL;
|
char *hostname = NULL;
|
||||||
char *packagename;
|
char *packagename;
|
||||||
@ -86,11 +74,7 @@ index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a8
|
|||||||
char **alternative_names = NULL;
|
char **alternative_names = NULL;
|
||||||
|
|
||||||
char *ca_file = NULL;
|
char *ca_file = NULL;
|
||||||
char *ca_key_file = NULL;
|
@@ -351,10 +360,10 @@ main (int argc, const char **argv)
|
||||||
char *cert_file = NULL;
|
|
||||||
@@ -349,14 +358,14 @@ main (int argc, const char **argv)
|
|
||||||
_ ("Strength of the certificate private keys in bits."),
|
|
||||||
minimum_key_strength_help },
|
|
||||||
{
|
{
|
||||||
"hash-alg",
|
"hash-alg",
|
||||||
'\0',
|
'\0',
|
||||||
@ -104,11 +88,7 @@ index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a8
|
|||||||
_ ("{sha256,sha384,sha512}"),
|
_ ("{sha256,sha384,sha512}"),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"ca-file",
|
@@ -592,17 +601,10 @@ main (int argc, const char **argv)
|
||||||
'\0',
|
|
||||||
@@ -590,21 +599,14 @@ main (int argc, const char **argv)
|
|
||||||
options->minimum_key_strength);
|
|
||||||
ret = EINVAL;
|
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -130,8 +110,6 @@ index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a8
|
|||||||
if (!options->hash_fn)
|
if (!options->hash_fn)
|
||||||
{
|
{
|
||||||
fprintf (stderr, "Unsupported hashing algorithm.");
|
fprintf (stderr, "Unsupported hashing algorithm.");
|
||||||
ret = EINVAL;
|
|
||||||
goto done;
|
|
||||||
--
|
--
|
||||||
2.19.1
|
2.23.0
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 9e4497d1dd2a337be1f69e0cfb24ce8080690ccf Mon Sep 17 00:00:00 2001
|
From 9e4497d1dd2a337be1f69e0cfb24ce8080690ccf Mon Sep 17 00:00:00 2001
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
Date: Wed, 28 Nov 2018 09:16:29 -0500
|
Date: Wed, 28 Nov 2018 09:16:29 -0500
|
||||||
Subject: [PATCH 4/4] Properly check all return values
|
Subject: [PATCH 4/6] Properly check all return values
|
||||||
|
|
||||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
---
|
---
|
||||||
@ -14,9 +14,7 @@ diff --git a/src/authority.c b/src/authority.c
|
|||||||
index b735868416b7fb5d016f0854baf0f27cd5f98b26..4e0dccc6c1210beffb38acd9f7dfb6108ca4a4ad 100644
|
index b735868416b7fb5d016f0854baf0f27cd5f98b26..4e0dccc6c1210beffb38acd9f7dfb6108ca4a4ad 100644
|
||||||
--- a/src/authority.c
|
--- a/src/authority.c
|
||||||
+++ b/src/authority.c
|
+++ b/src/authority.c
|
||||||
@@ -178,10 +178,11 @@ create_private_CA (TALLOC_CTX *mem_ctx,
|
@@ -180,6 +180,7 @@ create_private_CA (TALLOC_CTX *mem_ctx,
|
||||||
}
|
|
||||||
sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
|
|
||||||
|
|
||||||
/* Finalize the CSR */
|
/* Finalize the CSR */
|
||||||
ret = sscg_x509v3_csr_finalize (ca_certinfo, pkey, csr);
|
ret = sscg_x509v3_csr_finalize (ca_certinfo, pkey, csr);
|
||||||
@ -24,15 +22,11 @@ index b735868416b7fb5d016f0854baf0f27cd5f98b26..4e0dccc6c1210beffb38acd9f7dfb610
|
|||||||
|
|
||||||
if (options->verbosity >= SSCG_DEBUG)
|
if (options->verbosity >= SSCG_DEBUG)
|
||||||
{
|
{
|
||||||
fprintf (stderr, "DEBUG: Writing CA CSR to ./debug-ca.csr\n");
|
|
||||||
BIO *ca_csr_out = BIO_new_file ("./debug-ca.csr", "w");
|
|
||||||
diff --git a/src/service.c b/src/service.c
|
diff --git a/src/service.c b/src/service.c
|
||||||
index b292e94063f032fd3c34a8134702063ea46bfa0c..34c976dbe905528000b181c24d1fa95da3cd1377 100644
|
index b292e94063f032fd3c34a8134702063ea46bfa0c..34c976dbe905528000b181c24d1fa95da3cd1377 100644
|
||||||
--- a/src/service.c
|
--- a/src/service.c
|
||||||
+++ b/src/service.c
|
+++ b/src/service.c
|
||||||
@@ -124,10 +124,11 @@ create_service_cert (TALLOC_CTX *mem_ctx,
|
@@ -126,6 +126,7 @@ create_service_cert (TALLOC_CTX *mem_ctx,
|
||||||
ret = sscg_x509v3_csr_new (tmp_ctx, svc_certinfo, pkey, &csr);
|
|
||||||
CHECK_OK (ret);
|
|
||||||
|
|
||||||
/* Finalize the CSR */
|
/* Finalize the CSR */
|
||||||
ret = sscg_x509v3_csr_finalize (svc_certinfo, pkey, csr);
|
ret = sscg_x509v3_csr_finalize (svc_certinfo, pkey, csr);
|
||||||
@ -40,15 +34,11 @@ index b292e94063f032fd3c34a8134702063ea46bfa0c..34c976dbe905528000b181c24d1fa95d
|
|||||||
|
|
||||||
if (options->verbosity >= SSCG_DEBUG)
|
if (options->verbosity >= SSCG_DEBUG)
|
||||||
{
|
{
|
||||||
fprintf (stderr,
|
|
||||||
"DEBUG: Writing service certificate CSR to ./debug-svc.csr\n");
|
|
||||||
diff --git a/src/x509.c b/src/x509.c
|
diff --git a/src/x509.c b/src/x509.c
|
||||||
index 6d152fc969d745cc5cf085116c8688866f9d6ab4..18f0627bc64e7cb503a9e81c36dbe726186d1144 100644
|
index 6d152fc969d745cc5cf085116c8688866f9d6ab4..18f0627bc64e7cb503a9e81c36dbe726186d1144 100644
|
||||||
--- a/src/x509.c
|
--- a/src/x509.c
|
||||||
+++ b/src/x509.c
|
+++ b/src/x509.c
|
||||||
@@ -39,10 +39,11 @@ sscg_generate_serial (TALLOC_CTX *mem_ctx, struct sscg_bignum **serial)
|
@@ -41,6 +41,7 @@ sscg_generate_serial (TALLOC_CTX *mem_ctx, struct sscg_bignum **serial)
|
||||||
{
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = sscg_init_bignum (tmp_ctx, 0, &bn);
|
ret = sscg_init_bignum (tmp_ctx, 0, &bn);
|
||||||
@ -56,8 +46,6 @@ index 6d152fc969d745cc5cf085116c8688866f9d6ab4..18f0627bc64e7cb503a9e81c36dbe726
|
|||||||
|
|
||||||
/* We'll create a random number of sizeof(unsigned long) - 1 bits
|
/* We'll create a random number of sizeof(unsigned long) - 1 bits
|
||||||
to use as the serial. We use unsigned long to ensure that it
|
to use as the serial. We use unsigned long to ensure that it
|
||||||
could be printed by BN_get_word() later. We omit the last bit
|
|
||||||
in order to ensure that we can't randomly get 0xffffffffL, which
|
|
||||||
--
|
--
|
||||||
2.19.1
|
2.23.0
|
||||||
|
|
||||||
|
273
SOURCES/0005-Add-password-support-for-private-keys.patch
Normal file
273
SOURCES/0005-Add-password-support-for-private-keys.patch
Normal file
@ -0,0 +1,273 @@
|
|||||||
|
From 7190d08e1a166455e767769492b8c6b9f41bc0da Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Wed, 5 Jun 2019 17:08:23 -0400
|
||||||
|
Subject: [PATCH 5/6] Add password support for private keys
|
||||||
|
|
||||||
|
Fixes: https://github.com/sgallagher/sscg/issues/14
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
include/sscg.h | 7 +++
|
||||||
|
src/sscg.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++++-
|
||||||
|
2 files changed, 157 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/include/sscg.h b/include/sscg.h
|
||||||
|
index fc90b81a0060af28529f3be6922b1b1501559300..ce9a7916e9432d0843d82af61d56ea7238ded682 100644
|
||||||
|
--- a/include/sscg.h
|
||||||
|
+++ b/include/sscg.h
|
||||||
|
@@ -141,8 +141,15 @@ struct sscg_options
|
||||||
|
int key_strength;
|
||||||
|
int minimum_key_strength;
|
||||||
|
char *hash_alg;
|
||||||
|
+ char *cipher_alg;
|
||||||
|
+ const EVP_CIPHER *cipher;
|
||||||
|
const EVP_MD *hash_fn;
|
||||||
|
|
||||||
|
+ bool ca_key_pass_prompt;
|
||||||
|
+ char *ca_key_pass;
|
||||||
|
+ bool cert_key_pass_prompt;
|
||||||
|
+ char *cert_key_pass;
|
||||||
|
+
|
||||||
|
/* Output Files */
|
||||||
|
char *ca_file;
|
||||||
|
char *ca_key_file;
|
||||||
|
diff --git a/src/sscg.c b/src/sscg.c
|
||||||
|
index 58855f764480d24d6c0f57460b22a3a83281e37e..9dc926c77038105ca881a612cccd1913bc2d42f1 100644
|
||||||
|
--- a/src/sscg.c
|
||||||
|
+++ b/src/sscg.c
|
||||||
|
@@ -97,6 +97,9 @@ set_default_options (struct sscg_options *opts)
|
||||||
|
}
|
||||||
|
|
||||||
|
opts->minimum_key_strength = opts->key_strength;
|
||||||
|
+
|
||||||
|
+ opts->cipher_alg = talloc_strdup (opts, "aes-256-cbc");
|
||||||
|
+
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -170,6 +173,42 @@ done:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
+/* This function takes a copy of a string into a talloc hierarchy and memsets
|
||||||
|
+ * the original string to zeroes to avoid leaking it when that memory is freed.
|
||||||
|
+ */
|
||||||
|
+static char *
|
||||||
|
+sscg_secure_string_steal (TALLOC_CTX *mem_ctx, char *src)
|
||||||
|
+{
|
||||||
|
+ char *dest = talloc_strdup (mem_ctx, src);
|
||||||
|
+
|
||||||
|
+ memset (src, 0, strlen (src));
|
||||||
|
+
|
||||||
|
+ return dest;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+sscg_options_destructor (TALLOC_CTX *opts)
|
||||||
|
+{
|
||||||
|
+ struct sscg_options *options =
|
||||||
|
+ talloc_get_type_abort (opts, struct sscg_options);
|
||||||
|
+
|
||||||
|
+ /* Zero out the memory before freeing it so we don't leak passwords */
|
||||||
|
+ if (options->ca_key_pass)
|
||||||
|
+ {
|
||||||
|
+ memset (options->ca_key_pass, 0, strlen (options->ca_key_pass));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (options->cert_key_pass)
|
||||||
|
+ {
|
||||||
|
+ memset (options->cert_key_pass, 0, strlen (options->cert_key_pass));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
int
|
||||||
|
main (int argc, const char **argv)
|
||||||
|
{
|
||||||
|
@@ -196,8 +235,11 @@ main (int argc, const char **argv)
|
||||||
|
|
||||||
|
int ca_mode = 0644;
|
||||||
|
int ca_key_mode = 0600;
|
||||||
|
+ char *ca_key_password = NULL;
|
||||||
|
+
|
||||||
|
int cert_mode = 0644;
|
||||||
|
int cert_key_mode = 0600;
|
||||||
|
+ char *cert_key_password = NULL;
|
||||||
|
|
||||||
|
char *create_mode = NULL;
|
||||||
|
|
||||||
|
@@ -227,6 +269,7 @@ main (int argc, const char **argv)
|
||||||
|
|
||||||
|
options = talloc_zero (main_ctx, struct sscg_options);
|
||||||
|
CHECK_MEM (options);
|
||||||
|
+ talloc_set_destructor ((TALLOC_CTX *)options, sscg_options_destructor);
|
||||||
|
|
||||||
|
ret = set_default_options (options);
|
||||||
|
if (ret != EOK)
|
||||||
|
@@ -366,6 +409,16 @@ main (int argc, const char **argv)
|
||||||
|
_ ("Hashing algorithm to use for signing."),
|
||||||
|
_ ("{sha256,sha384,sha512}"),
|
||||||
|
},
|
||||||
|
+ {
|
||||||
|
+ "cipher-alg",
|
||||||
|
+ '\0',
|
||||||
|
+ POPT_ARG_STRING | POPT_ARGFLAG_SHOW_DEFAULT,
|
||||||
|
+ &options->cipher_alg,
|
||||||
|
+ 0,
|
||||||
|
+ _ ("Cipher to use for encrypting key files."),
|
||||||
|
+ _ ("{des-ede3-cbc,aes-256-cbc}"),
|
||||||
|
+ },
|
||||||
|
+
|
||||||
|
{
|
||||||
|
"ca-file",
|
||||||
|
'\0',
|
||||||
|
@@ -404,6 +457,29 @@ main (int argc, const char **argv)
|
||||||
|
_ ("File mode of the created CA key. (default: 0600)"),
|
||||||
|
_ ("0600"),
|
||||||
|
},
|
||||||
|
+ {
|
||||||
|
+ "ca-key-password",
|
||||||
|
+ '\0',
|
||||||
|
+ POPT_ARG_STRING,
|
||||||
|
+ &ca_key_password,
|
||||||
|
+ 0,
|
||||||
|
+ _ ("Provide a password for the CA key file. Note that this will be "
|
||||||
|
+ "visible in the process table for all users, so it should be used "
|
||||||
|
+ "for testing purposes only. Use --ca-keypassfile or "
|
||||||
|
+ "--ca-key-password-prompt for secure password entry."),
|
||||||
|
+ NULL
|
||||||
|
+ },
|
||||||
|
+
|
||||||
|
+ {
|
||||||
|
+ "ca-key-password-prompt",
|
||||||
|
+ 'C',
|
||||||
|
+ POPT_ARG_NONE,
|
||||||
|
+ &options->ca_key_pass_prompt,
|
||||||
|
+ 0,
|
||||||
|
+ _ ("Prompt to enter a password for the CA key file."),
|
||||||
|
+ NULL
|
||||||
|
+ },
|
||||||
|
+
|
||||||
|
{
|
||||||
|
"cert-file",
|
||||||
|
'\0',
|
||||||
|
@@ -442,6 +518,29 @@ main (int argc, const char **argv)
|
||||||
|
_ ("File mode of the created certificate key. (default: 0600)"),
|
||||||
|
_ ("0600"),
|
||||||
|
},
|
||||||
|
+ {
|
||||||
|
+ "cert-key-password",
|
||||||
|
+ 'p',
|
||||||
|
+ POPT_ARG_STRING,
|
||||||
|
+ &cert_key_password,
|
||||||
|
+ 0,
|
||||||
|
+ _ ("Provide a password for the service key file. Note that this will be "
|
||||||
|
+ "visible in the process table for all users, so this flag should be "
|
||||||
|
+ "used for testing purposes only. Use --cert-keypassfile or "
|
||||||
|
+ "--cert-key-password-prompt for secure password entry."),
|
||||||
|
+ NULL
|
||||||
|
+ },
|
||||||
|
+
|
||||||
|
+ {
|
||||||
|
+ "cert-key-password-prompt",
|
||||||
|
+ 'P',
|
||||||
|
+ POPT_ARG_NONE,
|
||||||
|
+ &options->cert_key_pass_prompt,
|
||||||
|
+ 0,
|
||||||
|
+ _ ("Prompt to enter a password for the service key file."),
|
||||||
|
+ NULL
|
||||||
|
+ },
|
||||||
|
+
|
||||||
|
POPT_TABLEEND
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -592,6 +691,20 @@ main (int argc, const char **argv)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Password handling */
|
||||||
|
+ if (ca_key_password)
|
||||||
|
+ {
|
||||||
|
+ options->ca_key_pass =
|
||||||
|
+ sscg_secure_string_steal (options, ca_key_password);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (cert_key_password)
|
||||||
|
+ {
|
||||||
|
+ options->cert_key_pass =
|
||||||
|
+ sscg_secure_string_steal (options, cert_key_password);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+
|
||||||
|
if (options->key_strength < options->minimum_key_strength)
|
||||||
|
{
|
||||||
|
fprintf (stderr,
|
||||||
|
@@ -601,6 +714,15 @@ main (int argc, const char **argv)
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Make sure we have a valid cipher */
|
||||||
|
+ options->cipher = EVP_get_cipherbyname (options->cipher_alg);
|
||||||
|
+ if (!options->cipher)
|
||||||
|
+ {
|
||||||
|
+ fprintf (stderr, "Invalid cipher specified: %s\n", options->cipher_alg);
|
||||||
|
+ ret = EINVAL;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* TODO: restrict this to approved hashes.
|
||||||
|
* For now, we'll only list SHA[256|384|512] in the help */
|
||||||
|
options->hash_fn = EVP_get_digestbyname (options->hash_alg);
|
||||||
|
@@ -696,8 +818,21 @@ main (int argc, const char **argv)
|
||||||
|
cert_key_out = BIO_new_file (options->cert_key_file, create_mode);
|
||||||
|
CHECK_BIO (cert_key_out, options->cert_key_file);
|
||||||
|
|
||||||
|
+ /* This function has a default mechanism for prompting for the
|
||||||
|
+ * password if it is passed a cipher and gets a NULL password.
|
||||||
|
+ *
|
||||||
|
+ * Only pass the cipher if we have a password or were instructed
|
||||||
|
+ * to prompt for one.
|
||||||
|
+ */
|
||||||
|
sret = PEM_write_bio_PrivateKey (
|
||||||
|
- cert_key_out, svc_key->evp_pkey, NULL, NULL, 0, NULL, NULL);
|
||||||
|
+ cert_key_out,
|
||||||
|
+ svc_key->evp_pkey,
|
||||||
|
+ options->cert_key_pass_prompt || options->cert_key_pass ? options->cipher :
|
||||||
|
+ NULL,
|
||||||
|
+ (unsigned char *)options->cert_key_pass,
|
||||||
|
+ options->cert_key_pass ? strlen (options->cert_key_pass) : 0,
|
||||||
|
+ NULL,
|
||||||
|
+ NULL);
|
||||||
|
CHECK_SSL (sret, PEM_write_bio_PrivateKey (svc));
|
||||||
|
BIO_get_fp (cert_key_out, &fp);
|
||||||
|
|
||||||
|
@@ -776,8 +911,21 @@ main (int argc, const char **argv)
|
||||||
|
}
|
||||||
|
CHECK_BIO (ca_key_out, options->ca_key_file);
|
||||||
|
|
||||||
|
+ /* This function has a default mechanism for prompting for the
|
||||||
|
+ * password if it is passed a cipher and gets a NULL password.
|
||||||
|
+ *
|
||||||
|
+ * Only pass the cipher if we have a password or were instructed
|
||||||
|
+ * to prompt for one.
|
||||||
|
+ */
|
||||||
|
sret = PEM_write_bio_PrivateKey (
|
||||||
|
- ca_key_out, cakey->evp_pkey, NULL, NULL, 0, NULL, NULL);
|
||||||
|
+ ca_key_out,
|
||||||
|
+ cakey->evp_pkey,
|
||||||
|
+ options->ca_key_pass_prompt || options->ca_key_pass ? options->cipher :
|
||||||
|
+ NULL,
|
||||||
|
+ (unsigned char *)options->ca_key_pass,
|
||||||
|
+ options->ca_key_pass ? strlen (options->ca_key_pass) : 0,
|
||||||
|
+ NULL,
|
||||||
|
+ NULL);
|
||||||
|
CHECK_SSL (sret, PEM_write_bio_PrivateKey (CA));
|
||||||
|
BIO_get_fp (ca_key_out, &fp);
|
||||||
|
if (options->verbosity >= SSCG_DEBUG)
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
|
|
153
SOURCES/0006-Allow-specifying-keyfile-password-by-file.patch
Normal file
153
SOURCES/0006-Allow-specifying-keyfile-password-by-file.patch
Normal file
@ -0,0 +1,153 @@
|
|||||||
|
From 9cb7daa54708dcf5e6500cd20ec7b1cc2f6f6350 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Mon, 10 Jun 2019 10:15:42 -0400
|
||||||
|
Subject: [PATCH 6/6] Allow specifying keyfile password by file
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
src/sscg.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 84 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/sscg.c b/src/sscg.c
|
||||||
|
index 9dc926c77038105ca881a612cccd1913bc2d42f1..a02e4df66c6cf9ec1865f425b4a15da82fbfdc72 100644
|
||||||
|
--- a/src/sscg.c
|
||||||
|
+++ b/src/sscg.c
|
||||||
|
@@ -34,6 +34,10 @@
|
||||||
|
#include "include/authority.h"
|
||||||
|
#include "include/service.h"
|
||||||
|
|
||||||
|
+
|
||||||
|
+/* Same as OpenSSL CLI */
|
||||||
|
+#define MAX_PW_LEN 1024
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
get_security_level (void)
|
||||||
|
{
|
||||||
|
@@ -209,6 +213,44 @@ sscg_options_destructor (TALLOC_CTX *opts)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
+static char *
|
||||||
|
+sscg_read_pw_file (TALLOC_CTX *mem_ctx, char *path)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+ BIO *pwdbio = NULL;
|
||||||
|
+ char tpass[MAX_PW_LEN];
|
||||||
|
+ char *tmp = NULL;
|
||||||
|
+ char *password = NULL;
|
||||||
|
+
|
||||||
|
+ pwdbio = BIO_new_file (path, "r");
|
||||||
|
+ if (pwdbio == NULL)
|
||||||
|
+ {
|
||||||
|
+ fprintf (stderr, "Can't open file %s\n", path);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ i = BIO_gets (pwdbio, tpass, MAX_PW_LEN);
|
||||||
|
+ BIO_free_all (pwdbio);
|
||||||
|
+ pwdbio = NULL;
|
||||||
|
+
|
||||||
|
+ if (i <= 0)
|
||||||
|
+ {
|
||||||
|
+ fprintf (stderr, "Error reading password from BIO\n");
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ tmp = strchr (tpass, '\n');
|
||||||
|
+ if (tmp != NULL)
|
||||||
|
+ *tmp = 0;
|
||||||
|
+
|
||||||
|
+ password = talloc_strdup (mem_ctx, tpass);
|
||||||
|
+
|
||||||
|
+ memset (tpass, 0, MAX_PW_LEN);
|
||||||
|
+
|
||||||
|
+ return password;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
int
|
||||||
|
main (int argc, const char **argv)
|
||||||
|
{
|
||||||
|
@@ -236,10 +278,12 @@ main (int argc, const char **argv)
|
||||||
|
int ca_mode = 0644;
|
||||||
|
int ca_key_mode = 0600;
|
||||||
|
char *ca_key_password = NULL;
|
||||||
|
+ char *ca_key_passfile = NULL;
|
||||||
|
|
||||||
|
int cert_mode = 0644;
|
||||||
|
int cert_key_mode = 0600;
|
||||||
|
char *cert_key_password = NULL;
|
||||||
|
+ char *cert_key_passfile = NULL;
|
||||||
|
|
||||||
|
char *create_mode = NULL;
|
||||||
|
|
||||||
|
@@ -470,6 +514,16 @@ main (int argc, const char **argv)
|
||||||
|
NULL
|
||||||
|
},
|
||||||
|
|
||||||
|
+ {
|
||||||
|
+ "ca-key-passfile",
|
||||||
|
+ '\0',
|
||||||
|
+ POPT_ARG_STRING,
|
||||||
|
+ &ca_key_passfile,
|
||||||
|
+ 0,
|
||||||
|
+ _ ("A file containing the password to encrypt the CA key file."),
|
||||||
|
+ NULL
|
||||||
|
+ },
|
||||||
|
+
|
||||||
|
{
|
||||||
|
"ca-key-password-prompt",
|
||||||
|
'C',
|
||||||
|
@@ -531,6 +585,16 @@ main (int argc, const char **argv)
|
||||||
|
NULL
|
||||||
|
},
|
||||||
|
|
||||||
|
+ {
|
||||||
|
+ "cert-key-passfile",
|
||||||
|
+ '\0',
|
||||||
|
+ POPT_ARG_STRING,
|
||||||
|
+ &cert_key_passfile,
|
||||||
|
+ 0,
|
||||||
|
+ _ ("A file containing the password to encrypt the service key file."),
|
||||||
|
+ NULL
|
||||||
|
+ },
|
||||||
|
+
|
||||||
|
{
|
||||||
|
"cert-key-password-prompt",
|
||||||
|
'P',
|
||||||
|
@@ -697,12 +761,32 @@ main (int argc, const char **argv)
|
||||||
|
options->ca_key_pass =
|
||||||
|
sscg_secure_string_steal (options, ca_key_password);
|
||||||
|
}
|
||||||
|
+ else if (ca_key_passfile)
|
||||||
|
+ {
|
||||||
|
+ options->ca_key_pass = sscg_read_pw_file (options, ca_key_passfile);
|
||||||
|
+ if (!options->ca_key_pass)
|
||||||
|
+ {
|
||||||
|
+ fprintf (
|
||||||
|
+ stderr, "Failed to read passphrase from %s", ca_key_passfile);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (cert_key_password)
|
||||||
|
{
|
||||||
|
options->cert_key_pass =
|
||||||
|
sscg_secure_string_steal (options, cert_key_password);
|
||||||
|
}
|
||||||
|
+ else if (cert_key_passfile)
|
||||||
|
+ {
|
||||||
|
+ options->cert_key_pass = sscg_read_pw_file (options, cert_key_passfile);
|
||||||
|
+ if (!options->cert_key_pass)
|
||||||
|
+ {
|
||||||
|
+ fprintf (
|
||||||
|
+ stderr, "Failed to read passphrase from %s", cert_key_passfile);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
|
||||||
|
if (options->key_strength < options->minimum_key_strength)
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
|
|
2651
SOURCES/0007-Add-support-for-client-certificates-and-dhparams.patch
Normal file
2651
SOURCES/0007-Add-support-for-client-certificates-and-dhparams.patch
Normal file
File diff suppressed because it is too large
Load Diff
98
SOURCES/0008-Fix-client-cert-issues-found-by-CI-tests.patch
Normal file
98
SOURCES/0008-Fix-client-cert-issues-found-by-CI-tests.patch
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
From 8afa0ce578ecd5cc3a397707fdb163cc169b9bd1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Fri, 13 Dec 2019 08:25:01 -0500
|
||||||
|
Subject: [PATCH 8/8] Fix client-cert issues found by CI tests
|
||||||
|
|
||||||
|
Resolves: rhbz#1720667
|
||||||
|
|
||||||
|
Better error message for client certs without public key file
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
|
||||||
|
Fix memory leak in sscg_sign_x509_csr()
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
|
||||||
|
Address clang-analyzer warning
|
||||||
|
|
||||||
|
clang-analyzer determined that it was possible for the GET_BIO()
|
||||||
|
return value to have changed between conditional creation of the
|
||||||
|
client certificate and writing it out. This patch stores the result
|
||||||
|
of the lookup so it's certain to be consistent.
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
src/io_utils.c | 4 ++--
|
||||||
|
src/sscg.c | 8 +++++---
|
||||||
|
src/x509.c | 1 +
|
||||||
|
3 files changed, 8 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/io_utils.c b/src/io_utils.c
|
||||||
|
index 809a1da0e455afa0dba0796a5f7ac406742328a1..a2502afb20f4bcb536428f3528900c2bb06997f5 100644
|
||||||
|
--- a/src/io_utils.c
|
||||||
|
+++ b/src/io_utils.c
|
||||||
|
@@ -363,8 +363,8 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)
|
||||||
|
|
||||||
|
case IO_UTILS_CLIENT_UNMATCHED:
|
||||||
|
SSCG_ERROR (
|
||||||
|
- "The client certificate must have both public and private key "
|
||||||
|
- "locations specified.\n");
|
||||||
|
+ "The client certificate must have the public key location "
|
||||||
|
+ "specified.\n");
|
||||||
|
ret = EINVAL;
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
diff --git a/src/sscg.c b/src/sscg.c
|
||||||
|
index 470af815d91f5170a1e8fe00006dbaee4d07b209..f34a43b83e562d0bd7da9a77e25911762db83693 100644
|
||||||
|
--- a/src/sscg.c
|
||||||
|
+++ b/src/sscg.c
|
||||||
|
@@ -300,6 +300,7 @@ main (int argc, const char **argv)
|
||||||
|
char *cert_key_password = NULL;
|
||||||
|
char *cert_key_passfile = NULL;
|
||||||
|
|
||||||
|
+ bool build_client_cert = false;
|
||||||
|
int client_mode = SSCG_CERT_DEFAULT_MODE;
|
||||||
|
int client_key_mode = SSCG_KEY_DEFAULT_MODE;
|
||||||
|
char *client_key_password = NULL;
|
||||||
|
@@ -1118,7 +1119,8 @@ main (int argc, const char **argv)
|
||||||
|
/* If requested, generate the client auth certificate and sign it with the
|
||||||
|
* private CA.
|
||||||
|
*/
|
||||||
|
- if (GET_BIO (SSCG_FILE_TYPE_CLIENT))
|
||||||
|
+ build_client_cert = !!(GET_BIO (SSCG_FILE_TYPE_CLIENT));
|
||||||
|
+ if (build_client_cert)
|
||||||
|
{
|
||||||
|
ret = create_cert (main_ctx,
|
||||||
|
options,
|
||||||
|
@@ -1136,7 +1138,7 @@ main (int argc, const char **argv)
|
||||||
|
|
||||||
|
/* Write private keys first */
|
||||||
|
|
||||||
|
- if (GET_BIO (SSCG_FILE_TYPE_CLIENT_KEY))
|
||||||
|
+ if (build_client_cert)
|
||||||
|
{
|
||||||
|
/* This function has a default mechanism for prompting for the
|
||||||
|
* password if it is passed a cipher and gets a NULL password.
|
||||||
|
@@ -1201,7 +1203,7 @@ main (int argc, const char **argv)
|
||||||
|
/* Public keys come next, in chain order */
|
||||||
|
|
||||||
|
/* Start with the client certificate */
|
||||||
|
- if (GET_BIO (SSCG_FILE_TYPE_CLIENT))
|
||||||
|
+ if (build_client_cert)
|
||||||
|
{
|
||||||
|
sret = PEM_write_bio_X509 (GET_BIO (SSCG_FILE_TYPE_CLIENT),
|
||||||
|
client_cert->certificate);
|
||||||
|
diff --git a/src/x509.c b/src/x509.c
|
||||||
|
index 18f0627bc64e7cb503a9e81c36dbe726186d1144..c173f539791fbbc51e52e6b121e587dca43924d4 100644
|
||||||
|
--- a/src/x509.c
|
||||||
|
+++ b/src/x509.c
|
||||||
|
@@ -482,5 +482,6 @@ done:
|
||||||
|
*_cert = talloc_steal (mem_ctx, scert);
|
||||||
|
}
|
||||||
|
X509_NAME_free (subject);
|
||||||
|
+ talloc_free(tmp_ctx);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
|
|
31
SOURCES/0009-Fix-help-message-for-client-key-file.patch
Normal file
31
SOURCES/0009-Fix-help-message-for-client-key-file.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From ec20eab0c58bb079c7092183e4893ebc773af9a0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Fri, 13 Dec 2019 11:51:43 -0500
|
||||||
|
Subject: [PATCH 9/9] Fix help message for --client-key-file
|
||||||
|
|
||||||
|
Resolves: rhbz#1720667
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
src/sscg.c | 5 ++---
|
||||||
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/sscg.c b/src/sscg.c
|
||||||
|
index f34a43b83e562d0bd7da9a77e25911762db83693..87833d266b541f6d0422fdc538d208abd7d81e22 100644
|
||||||
|
--- a/src/sscg.c
|
||||||
|
+++ b/src/sscg.c
|
||||||
|
@@ -734,9 +734,8 @@ main (int argc, const char **argv)
|
||||||
|
&client_key_file,
|
||||||
|
0,
|
||||||
|
_ ("Path where the client's private key will be stored. "
|
||||||
|
- "(default is client-file with a .key suffix, if "
|
||||||
|
- "--client-file was passed, otherwise this file will not "
|
||||||
|
- "be generated.)"),
|
||||||
|
+ "(default is the client-file, if --client-file was passed, "
|
||||||
|
+ "otherwise this file will not be generated.)"),
|
||||||
|
NULL,
|
||||||
|
},
|
||||||
|
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
|
|
@ -9,7 +9,7 @@
|
|||||||
|
|
||||||
Name: sscg
|
Name: sscg
|
||||||
Version: 2.3.3
|
Version: 2.3.3
|
||||||
Release: 6%{?dist}
|
Release: 10%{?dist}
|
||||||
Summary: Simple SSL certificate generator
|
Summary: Simple SSL certificate generator
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
@ -34,6 +34,15 @@ Patch0002: 0002-Adjust-defaults-based-on-system-security-level.patch
|
|||||||
Patch0003: 0003-Adjust-hash-defaults-based-on-system-security-level.patch
|
Patch0003: 0003-Adjust-hash-defaults-based-on-system-security-level.patch
|
||||||
Patch0004: 0004-Properly-check-all-return-values.patch
|
Patch0004: 0004-Properly-check-all-return-values.patch
|
||||||
|
|
||||||
|
# RHBZ #1717880
|
||||||
|
Patch0005: 0005-Add-password-support-for-private-keys.patch
|
||||||
|
Patch0006: 0006-Allow-specifying-keyfile-password-by-file.patch
|
||||||
|
|
||||||
|
# RHBZ #1720667
|
||||||
|
Patch0007: 0007-Add-support-for-client-certificates-and-dhparams.patch
|
||||||
|
Patch0008: 0008-Fix-client-cert-issues-found-by-CI-tests.patch
|
||||||
|
Patch0009: 0009-Fix-help-message-for-client-key-file.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
A utility to aid in the creation of more secure "self-signed"
|
A utility to aid in the creation of more secure "self-signed"
|
||||||
certificates. The certificates created by this tool are generated in a
|
certificates. The certificates created by this tool are generated in a
|
||||||
@ -67,6 +76,22 @@ false signatures from the service certificate.
|
|||||||
%{_mandir}/man8/%{name}.8*
|
%{_mandir}/man8/%{name}.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-10
|
||||||
|
- Fix incorrect help message
|
||||||
|
- Resolves: rhbz#1720667
|
||||||
|
|
||||||
|
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-9
|
||||||
|
- Fix null-dereference and memory leak issues with client certs
|
||||||
|
- Resolves: rhbz#1720667
|
||||||
|
|
||||||
|
* Wed Dec 11 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-8
|
||||||
|
- Add support for generating client authentication certificates
|
||||||
|
- Resolves: rhbz#1720667
|
||||||
|
|
||||||
|
* Fri Nov 01 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-7
|
||||||
|
- Add support for password-protecting the private key files
|
||||||
|
- Resolves: rhbz#1717880
|
||||||
|
|
||||||
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
|
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
|
||||||
- Fixes for issues detected by automated testing.
|
- Fixes for issues detected by automated testing.
|
||||||
- Resolves: rhbz#1653323
|
- Resolves: rhbz#1653323
|
||||||
|
Loading…
Reference in New Issue
Block a user