Compare commits
10 Commits
3b379cad55
...
2f92285054
Author | SHA1 | Date |
---|---|---|
Stephen Gallagher | 2f92285054 | |
Stephen Gallagher | 34be907513 | |
Stephen Gallagher | 7f6afd68f8 | |
Stephen Gallagher | 29dbec123b | |
Mohan Boddu | b40aa7ee5c | |
Stephen Gallagher | a3ce8bd969 | |
Stephen Gallagher | 0d91054d47 | |
Mohan Boddu | 2bd8fafbbc | |
Stephen Gallagher | 2db8955928 | |
Branislav Náter | 516bc844e5 |
|
@ -22,3 +22,4 @@
|
|||
/sscg-2.6.0.tar.xz
|
||||
/sscg-2.6.1.tar.xz
|
||||
/sscg-2.6.2.tar.xz
|
||||
/sscg-3.0.0.tar.xz
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
81e3b33e118edff96583314ceb4bfde9a1e6b45c sscg-3.0.0.tar.xz
|
|
@ -0,0 +1,34 @@
|
|||
From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Sat, 7 Aug 2021 11:48:04 -0400
|
||||
Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
|
||||
|
||||
This macro was dropped in OpenSSL 3.0 and has actually not been
|
||||
providing a valid return code for some time.
|
||||
|
||||
Related: rhbz#1964837
|
||||
|
||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
include/sscg.h | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/include/sscg.h b/include/sscg.h
|
||||
index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
|
||||
--- a/include/sscg.h
|
||||
+++ b/include/sscg.h
|
||||
@@ -94,11 +94,10 @@
|
||||
if (_sslret != 1) \
|
||||
{ \
|
||||
/* Get information about error from OpenSSL */ \
|
||||
unsigned long _ssl_error = ERR_get_error (); \
|
||||
if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \
|
||||
- (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) && \
|
||||
((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \
|
||||
(ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \
|
||||
{ \
|
||||
fprintf ( \
|
||||
stderr, \
|
||||
--
|
||||
2.33.0
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
|
||||
From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
|
||||
Date: Tue, 26 Oct 2021 12:32:13 +0200
|
||||
Subject: [PATCH 2/2] Correct certificate lifetime calculation
|
||||
|
||||
sscg allows passing the certificate lifetime, as a number of days, as a
|
||||
commandline argument. It converts this value to seconds using the
|
||||
formula
|
||||
|
||||
days * 24 * 3650
|
||||
|
||||
which is incorrect. The correct value is 3600.
|
||||
|
||||
This effectively adds an extra 20 minutes to the lifetime of the
|
||||
certificate for each day as given on the commandline, and was enough to
|
||||
cause some new integration tests in cockpit to fail.
|
||||
|
||||
Interestingly, 3650 is the old default value for the number of days of
|
||||
certificate validity (~10 years) so this probably slipped in as a sort
|
||||
of muscle-memory-assisted typo.
|
||||
|
||||
Let's just write `24 * 60 * 60` to make things clear.
|
||||
---
|
||||
src/x509.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/x509.c b/src/x509.c
|
||||
index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
|
||||
--- a/src/x509.c
|
||||
+++ b/src/x509.c
|
||||
@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
|
||||
X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
|
||||
}
|
||||
|
||||
/* set time */
|
||||
X509_gmtime_adj (X509_get_notBefore (cert), 0);
|
||||
- X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
|
||||
+ X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
|
||||
|
||||
/* set subject */
|
||||
subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
|
||||
sslret = X509_set_subject_name (cert, subject);
|
||||
CHECK_SSL (sslret, X509_set_subject_name);
|
||||
--
|
||||
2.33.0
|
||||
|
|
@ -0,0 +1,68 @@
|
|||
From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Tue, 8 Mar 2022 16:33:35 -0500
|
||||
Subject: [PATCH] Truncate IP address in SAN
|
||||
|
||||
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
|
||||
but in OpenSSL 3.0 it is rejected as an invalid input.
|
||||
|
||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/x509.c | 15 ++++++++++++++-
|
||||
1 file changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/x509.c b/src/x509.c
|
||||
index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
|
||||
--- a/src/x509.c
|
||||
+++ b/src/x509.c
|
||||
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||
size_t i;
|
||||
X509_NAME *subject;
|
||||
char *alt_name = NULL;
|
||||
char *tmp = NULL;
|
||||
char *san = NULL;
|
||||
+ char *slash = NULL;
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
X509_EXTENSION *ex = NULL;
|
||||
struct sscg_x509_req *csr;
|
||||
|
||||
/* Make sure we have a key available */
|
||||
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||
tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
|
||||
}
|
||||
else
|
||||
{
|
||||
san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
|
||||
+ /* SAN IP addresses cannot include the subnet mask */
|
||||
+ if ((slash = strchr (san, '/')))
|
||||
+ {
|
||||
+ /* Truncate at the slash */
|
||||
+ *slash = '\0';
|
||||
+ }
|
||||
}
|
||||
CHECK_MEM (san);
|
||||
|
||||
if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
|
||||
{
|
||||
@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||
alt_name = tmp;
|
||||
}
|
||||
}
|
||||
|
||||
ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
|
||||
- CHECK_MEM (ex);
|
||||
+ if (!ex)
|
||||
+ {
|
||||
+ ret = EINVAL;
|
||||
+ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
sk_X509_EXTENSION_push (certinfo->extensions, ex);
|
||||
|
||||
/* Set the public key for the certificate */
|
||||
sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
|
||||
CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
|
||||
--
|
||||
2.35.1
|
||||
|
|
@ -0,0 +1,139 @@
|
|||
From 282f819bc39c9557ee34f73c6f6623182f680792 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Wed, 16 Nov 2022 15:27:58 -0500
|
||||
Subject: [PATCH] dhparams: don't fail if default file can't be created
|
||||
|
||||
Resolves: rhbz#2143206
|
||||
|
||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/arguments.c | 1 -
|
||||
src/io_utils.c | 12 +++++++++++
|
||||
src/sscg.c | 55 +++++++++++++++++++++++++++++++++----------------
|
||||
3 files changed, 49 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/arguments.c b/src/arguments.c
|
||||
index 7b9da14a732875b0f33a12e22a97d51a78216839..770d834aacc05d6d92cc0c855852eadb88f8c9bc 100644
|
||||
--- a/src/arguments.c
|
||||
+++ b/src/arguments.c
|
||||
@@ -69,7 +69,6 @@ set_default_options (struct sscg_options *opts)
|
||||
|
||||
opts->lifetime = 398;
|
||||
|
||||
- opts->dhparams_file = talloc_strdup (opts, "dhparams.pem");
|
||||
opts->dhparams_group = talloc_strdup (opts, "ffdhe4096");
|
||||
opts->dhparams_generator = 2;
|
||||
|
||||
diff --git a/src/io_utils.c b/src/io_utils.c
|
||||
index 1b8bc41c3849acbe4657ae14dfe55e3010957129..5d34327bdbe450add5326ac20c337c9399b471dc 100644
|
||||
--- a/src/io_utils.c
|
||||
+++ b/src/io_utils.c
|
||||
@@ -544,6 +544,18 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)
|
||||
{
|
||||
SSCG_LOG (SSCG_DEBUG, "Opening %s\n", stream->path);
|
||||
stream->bio = BIO_new_file (stream->path, create_mode);
|
||||
+ if (!stream->bio)
|
||||
+ {
|
||||
+ fprintf (stderr,
|
||||
+ "Could not write to %s. Check directory permissions.\n",
|
||||
+ stream->path);
|
||||
+
|
||||
+ /* The dhparams file is special, it will be handled later */
|
||||
+ if (i != SSCG_FILE_TYPE_DHPARAMS)
|
||||
+ {
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
CHECK_BIO (stream->bio, stream->path);
|
||||
}
|
||||
|
||||
diff --git a/src/sscg.c b/src/sscg.c
|
||||
index 1bf8019c2dda136abe56acd101dfe8ad0b3d725d..dcff4cd2b8dfd2e11c8612d36ecc94b175e9dc26 100644
|
||||
--- a/src/sscg.c
|
||||
+++ b/src/sscg.c
|
||||
@@ -93,6 +93,7 @@ main (int argc, const char **argv)
|
||||
int ret, sret;
|
||||
struct sscg_options *options;
|
||||
bool build_client_cert = false;
|
||||
+ char *dhparams_file = NULL;
|
||||
|
||||
struct sscg_x509_cert *cacert;
|
||||
struct sscg_evp_pkey *cakey;
|
||||
@@ -182,9 +183,19 @@ main (int argc, const char **argv)
|
||||
options->crl_mode);
|
||||
CHECK_OK (ret);
|
||||
|
||||
+ if (options->dhparams_file)
|
||||
+ {
|
||||
+ dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
|
||||
+ }
|
||||
+ CHECK_MEM (dhparams_file);
|
||||
+
|
||||
ret = sscg_io_utils_add_output_file (options->streams,
|
||||
SSCG_FILE_TYPE_DHPARAMS,
|
||||
- options->dhparams_file,
|
||||
+ dhparams_file,
|
||||
options->dhparams_mode);
|
||||
CHECK_OK (ret);
|
||||
|
||||
@@ -281,28 +292,36 @@ main (int argc, const char **argv)
|
||||
|
||||
|
||||
/* Create DH parameters file */
|
||||
- bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS);
|
||||
- if (options->dhparams_prime_len > 0)
|
||||
+ if ((bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS)))
|
||||
{
|
||||
- ret = create_dhparams (options->verbosity,
|
||||
- options->dhparams_prime_len,
|
||||
- options->dhparams_generator,
|
||||
- &dhparams);
|
||||
- CHECK_OK (ret);
|
||||
+ if (options->dhparams_prime_len > 0)
|
||||
+ {
|
||||
+ ret = create_dhparams (options->verbosity,
|
||||
+ options->dhparams_prime_len,
|
||||
+ options->dhparams_generator,
|
||||
+ &dhparams);
|
||||
+ CHECK_OK (ret);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ ret = get_params_by_named_group (options->dhparams_group, &dhparams);
|
||||
+ CHECK_OK (ret);
|
||||
+ }
|
||||
+
|
||||
+ /* Export the DH parameters to the file */
|
||||
+ sret = PEM_write_bio_Parameters (bp, dhparams);
|
||||
+ CHECK_SSL (sret, PEM_write_bio_Parameters ());
|
||||
+ ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
|
||||
+ EVP_PKEY_free (dhparams);
|
||||
}
|
||||
- else
|
||||
+ else if (options->dhparams_file)
|
||||
{
|
||||
- ret = get_params_by_named_group (options->dhparams_group, &dhparams);
|
||||
- CHECK_OK (ret);
|
||||
+ /* A filename was explicitly passed, but it couldn't be created */
|
||||
+ ret = EPERM;
|
||||
+ fprintf (stderr, "Could not write to %s: ", options->dhparams_file);
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
- /* Export the DH parameters to the file */
|
||||
- sret = PEM_write_bio_Parameters (bp, dhparams);
|
||||
- CHECK_SSL (sret, PEM_write_bio_Parameters ());
|
||||
- ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
|
||||
- EVP_PKEY_free (dhparams);
|
||||
-
|
||||
-
|
||||
/* Set the final file permissions */
|
||||
sscg_io_utils_finalize_output_files (options->streams);
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From e65a507c487a37dd5a8c90b7dbd1ff3274146239 Mon Sep 17 00:00:00 2001
|
||||
From: Simon Chopin <simon.chopin@canonical.com>
|
||||
Date: Mon, 13 Dec 2021 15:20:55 +0100
|
||||
Subject: [PATCH 5/5] dhparams: Fix the FIPS_mode() call for OpenSSL 3.0
|
||||
|
||||
This function has been removed from OpenSSL 3.0, replaced by
|
||||
EVP_default_properties_is_fips_enabled().
|
||||
|
||||
Closes #50
|
||||
---
|
||||
src/dhparams.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/dhparams.c b/src/dhparams.c
|
||||
index 5c50128970d48790df910b9f9531e61e1d4c5758..61fd57aeedca47fba49f75d356cd5f42b9586696 100644
|
||||
--- a/src/dhparams.c
|
||||
+++ b/src/dhparams.c
|
||||
@@ -231,7 +231,11 @@ is_valid_named_group (const char *group_name)
|
||||
}
|
||||
|
||||
/* Check non-FIPS groups */
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (!FIPS_mode ())
|
||||
+#else
|
||||
+ if (!EVP_default_properties_is_fips_enabled(NULL))
|
||||
+#endif
|
||||
{
|
||||
i = 0;
|
||||
while (dh_nonfips_groups[i])
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier2.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier3.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (sscg-2.6.2.tar.xz) = 5e900b4bc52d867325db2bd3ad83c072b0dac14ffcb2bf5539ea7b3d1701384ab0428a342d99928ea29d1a6ddec81664eac4a1255cd2aee2ba37e3a8105f1467
|
||||
SHA512 (sscg-3.0.0.tar.xz) = d5bbd14c102bb11b387b6018dced09b23b053498c60befd916aa142ece8240f443e364d9a578b6b5aa15c68cb943725ed96ef44cce77eb01013e464a6d4dc0f1
|
||||
|
|
50
sscg.spec
50
sscg.spec
|
@ -8,8 +8,8 @@
|
|||
|
||||
|
||||
Name: sscg
|
||||
Version: 2.6.2
|
||||
Release: 6%{?dist}
|
||||
Version: 3.0.0
|
||||
Release: 7%{?dist}
|
||||
Summary: Simple SSL certificate generator
|
||||
|
||||
License: GPLv3+ with exceptions
|
||||
|
@ -26,6 +26,12 @@ BuildRequires: ninja-build
|
|||
BuildRequires: help2man
|
||||
|
||||
|
||||
Patch: 0001-Drop-usage-of-ERR_GET_FUNC.patch
|
||||
Patch: 0002-Correct-certificate-lifetime-calculation.patch
|
||||
Patch: 0003-Truncate-IP-address-in-SAN.patch
|
||||
Patch: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
|
||||
Patch: 0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
|
||||
|
||||
%description
|
||||
A utility to aid in the creation of more secure "self-signed"
|
||||
certificates. The certificates created by this tool are generated in a
|
||||
|
@ -55,6 +61,45 @@ false signatures from the service certificate.
|
|||
%{_mandir}/man8/%{name}.8*
|
||||
|
||||
%changelog
|
||||
* Fri Dec 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
|
||||
- Use EVP_default_properties_is_fips_enabled() on OpenSSL 3.0
|
||||
- Related: rhbz#2083879
|
||||
|
||||
* Mon Nov 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
|
||||
- Don't fail if default dhparams file can't be created
|
||||
- Resolves: rhbz#2149064
|
||||
|
||||
* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
|
||||
- Handle IP addresses in subjectAlternativeName correctly
|
||||
- Resolves: rhbz#2061923
|
||||
|
||||
* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
|
||||
- Correct certificate lifetime calculation
|
||||
- Resolves: rhbz#2017667
|
||||
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.0-3
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Sat Aug 07 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-2
|
||||
- Drop usage of removed macro ERR_GET_FUNC()
|
||||
- Related: rhbz#1964837
|
||||
|
||||
* Wed Jul 21 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-1
|
||||
- Release 3.0.0
|
||||
- Support for OpenSSL 3.0
|
||||
- Support for outputting named Diffie-Hellman parameter groups
|
||||
- Support for CentOS Stream 9
|
||||
- Resolves: rhbz#1984468
|
||||
|
||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-8
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Wed May 26 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-7
|
||||
- OpenSSL 3.0 compatibility: fix RSA key-generation test
|
||||
- Resolves: rhbz#1964837
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-6
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
|
@ -267,3 +312,4 @@ false signatures from the service certificate.
|
|||
|
||||
* Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-1
|
||||
- First packaging
|
||||
|
||||
|
|
Loading…
Reference in New Issue