9 changed files with 1335 additions and 86 deletions
--- a/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch
+++ b/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch
@ -1,7 +1,7 @@
-From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
+From 67ef8f036f7324fe37bc7a7e31a38e7088d21df2 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Sat, 7 Aug 2021 11:48:04 -0400
-Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
+Subject: [PATCH 1/6] Drop usage of ERR_GET_FUNC()
 This macro was dropped in OpenSSL 3.0 and has actually not been
 providing a valid return code for some time.
@ -17,9 +17,7 @@ diff --git a/include/sscg.h b/include/sscg.h
 index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
 --- a/include/sscg.h
 +++ b/include/sscg.h
-@@ -94,11 +94,10 @@
+@@ -96,7 +96,6 @@
       if (_sslret != 1)                                                       \
         {                                                                     \
           /* Get information about error from OpenSSL */                      \
           unsigned long _ssl_error = ERR_get_error ();                        \
           if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) &&                     \
@ -27,8 +25,6 @@ index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24
               ((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) ||      \
                (ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL)))       \
             {                                                                 \
               fprintf (                                                       \
                 stderr,                                                       \
 -- 
-2.33.0
+2.49.0
--- a/SOURCES/0002-Correct-certificate-lifetime-calculation.patch
+++ b/SOURCES/0002-Correct-certificate-lifetime-calculation.patch
@ -1,7 +1,7 @@
-From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
+From 5852d74f338bb6de3f303275aa73024f082b47bf Mon Sep 17 00:00:00 2001
 From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
 Date: Tue, 26 Oct 2021 12:32:13 +0200
-Subject: [PATCH 2/2] Correct certificate lifetime calculation
+Subject: [PATCH 2/6] Correct certificate lifetime calculation
 sscg allows passing the certificate lifetime, as a number of days, as a
 commandline argument.  It converts this value to seconds using the
@ -28,9 +28,7 @@ diff --git a/src/x509.c b/src/x509.c
 index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
 --- a/src/x509.c
 +++ b/src/x509.c
-@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
+@@ -418,7 +418,7 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
       X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
     }
   /* set time */
   X509_gmtime_adj (X509_get_notBefore (cert), 0);
@ -39,8 +37,6 @@ index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e84
   /* set subject */
   subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
   sslret = X509_set_subject_name (cert, subject);
   CHECK_SSL (sslret, X509_set_subject_name);
 -- 
-2.33.0
+2.49.0
--- a/SOURCES/0003-Truncate-IP-address-in-SAN.patch
+++ b/SOURCES/0003-Truncate-IP-address-in-SAN.patch
@ -1,7 +1,7 @@
-From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
+From c633de3d77987cef5b652c861aa646774c6f1167 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Tue, 8 Mar 2022 16:33:35 -0500
-Subject: [PATCH] Truncate IP address in SAN
+Subject: [PATCH 3/6] Truncate IP address in SAN
 In OpenSSL 1.1, this was done automatically when addind a SAN extension,
 but in OpenSSL 3.0 it is rejected as an invalid input.
@ -15,9 +15,7 @@ diff --git a/src/x509.c b/src/x509.c
 index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
 --- a/src/x509.c
 +++ b/src/x509.c
-@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+@@ -133,6 +133,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
   size_t i;
   X509_NAME *subject;
   char *alt_name = NULL;
   char *tmp = NULL;
   char *san = NULL;
@ -25,11 +23,7 @@ index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e
   TALLOC_CTX *tmp_ctx;
   X509_EXTENSION *ex = NULL;
   struct sscg_x509_req *csr;
- 
+@@ -267,6 +268,12 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
   /* Make sure we have a key available */
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
                 tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
             }
           else
             {
               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
@ -42,11 +36,7 @@ index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e
             }
           CHECK_MEM (san);
-           if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
+@@ -289,7 +296,13 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
             {
@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
           alt_name = tmp;
         }
     }
   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
@ -61,8 +51,6 @@ index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e
   sk_X509_EXTENSION_push (certinfo->extensions, ex);
   /* Set the public key for the certificate */
   sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
   CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
 -- 
-2.35.1
+2.49.0
--- a/SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
+++ b/SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
@ -1,7 +1,7 @@
-From 282f819bc39c9557ee34f73c6f6623182f680792 Mon Sep 17 00:00:00 2001
+From 259c4c83307273551fd267585ec8854896a168bd Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Wed, 16 Nov 2022 15:27:58 -0500
-Subject: [PATCH] dhparams: don't fail if default file can't be created
+Subject: [PATCH 4/6] dhparams: don't fail if default file can't be created
 Resolves: rhbz#2143206
@ -135,5 +135,5 @@ index 1bf8019c2dda136abe56acd101dfe8ad0b3d725d..dcff4cd2b8dfd2e11c8612d36ecc94b1
   sscg_io_utils_finalize_output_files (options->streams);
 -- 
-2.38.1
+2.49.0
--- a/SOURCES/0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
+++ b/SOURCES/0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
@ -0,0 +1,32 @@
 From 7abb9f7f929eb85fa3ab66a150978bbc5e198e5c Mon Sep 17 00:00:00 2001
 From: Simon Chopin <simon.chopin@canonical.com>
 Date: Mon, 13 Dec 2021 15:20:55 +0100
 Subject: [PATCH 5/6] dhparams: Fix the FIPS_mode() call for OpenSSL 3.0
 This function has been removed from OpenSSL 3.0, replaced by
 EVP_default_properties_is_fips_enabled().
 Closes #50
 ---
 src/dhparams.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/src/dhparams.c b/src/dhparams.c
 index 5c50128970d48790df910b9f9531e61e1d4c5758..61fd57aeedca47fba49f75d356cd5f42b9586696 100644
 --- a/src/dhparams.c
 +++ b/src/dhparams.c
@@ -231,7 +231,11 @@ is_valid_named_group (const char *group_name)
     }
   /* Check non-FIPS groups */
 +#if OPENSSL_VERSION_NUMBER < 0x30000000L
   if (!FIPS_mode ())
 +#else
 +  if (!EVP_default_properties_is_fips_enabled(NULL))
 +#endif
     {
       i = 0;
       while (dh_nonfips_groups[i])
 -- 
 2.49.0
--- a/SOURCES/0006-x509-Use-proper-version-for-CSR.patch
+++ b/SOURCES/0006-x509-Use-proper-version-for-CSR.patch
@ -0,0 +1,31 @@
 From 6b48b480d57f75fc93ea646fbe6a457c4afd319f Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
 Date: Sat, 19 Oct 2024 15:43:20 +0200
 Subject: [PATCH 6/6] x509: Use proper version for CSR.
 RFC 2986 only defines a single version for CSRs: X509_VERSION_1 (0).
 OpenSSL starting with 3.4 rejects everything else.
 Use X509_VERSION_1 as version for X509_REQ_set_version.
 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
 ---
 src/x509.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/x509.c b/src/x509.c
 index e828ec725b23d7ea79393151e7bb436e2f61bdb8..22f8163ec5a6b20bcb16177edf8088cf148a8661 100644
 --- a/src/x509.c
 +++ b/src/x509.c
@@ -156,7 +156,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
   talloc_set_destructor ((TALLOC_CTX *)csr, _sscg_csr_destructor);
   /* We will generate only x509v3 certificates */
 -  sslret = X509_REQ_set_version (csr->x509_req, 2);
 +  sslret = X509_REQ_set_version (csr->x509_req, X509_VERSION_1);
   CHECK_SSL (sslret, X509_REQ_set_version);
   subject = X509_REQ_get_subject_name (csr->x509_req);
 -- 
 2.49.0
--- a/SOURCES/0007-Ensure-critical-basicConstraint-for-CA-cert.patch
+++ b/SOURCES/0007-Ensure-critical-basicConstraint-for-CA-cert.patch
@ -0,0 +1,29 @@
 From 499ce83c85d14dd8cbc52f6431e775f1d00578d6 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Tue, 22 Apr 2025 13:09:32 -0400
 Subject: [PATCH 7/7] Ensure 'critical' basicConstraint for CA cert
 Fixes: https://github.com/sgallagher/sscg/issues/74
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
 ---
 src/authority.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/authority.c b/src/authority.c
 index af60e1a93023c32e3fdf6da920fba4464256ed81..044c62f5192e75a9f7d3f49616f852a97da7505a 100644
 --- a/src/authority.c
 +++ b/src/authority.c
@@ -89,7 +89,8 @@ create_private_CA (TALLOC_CTX *mem_ctx,
   sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
   /* Mark it as a CA */
 -  ex = X509V3_EXT_conf_nid (NULL, NULL, NID_basic_constraints, "CA:TRUE");
 +  ex = X509V3_EXT_conf_nid (
 +    NULL, NULL, NID_basic_constraints, "critical,CA:TRUE");
   CHECK_MEM (ex);
   sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
 -- 
 2.49.0
--- a/SOURCES/0008-Fix-IP-address-handling-in-CA-certificate-SAN-constr.patch
+++ b/SOURCES/0008-Fix-IP-address-handling-in-CA-certificate-SAN-constr.patch
--- a/SPECS/sscg.spec
+++ b/SPECS/sscg.spec
@ -9,7 +9,7 @@
 Name:           sscg
 Version:        3.0.0
-Release:        7%{?dist}
+Release:        10%{?dist}
 Summary:        Simple SSL certificate generator
 License:        GPLv3+ with exceptions
@ -26,11 +26,14 @@ BuildRequires:  ninja-build
 BuildRequires:  help2man
-Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
+Patch: 0001-Drop-usage-of-ERR_GET_FUNC.patch
-Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
+Patch: 0002-Correct-certificate-lifetime-calculation.patch
-Patch0003: 0003-Truncate-IP-address-in-SAN.patch
+Patch: 0003-Truncate-IP-address-in-SAN.patch
-Patch0004: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
+Patch: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
-
+Patch: 0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
 Patch: 0006-x509-Use-proper-version-for-CSR.patch
 Patch: 0007-Ensure-critical-basicConstraint-for-CA-cert.patch
 Patch: 0008-Fix-IP-address-handling-in-CA-certificate-SAN-constr.patch
 %description
 A utility to aid in the creation of more secure "self-signed"
@ -61,69 +64,127 @@ false signatures from the service certificate.
 %{_mandir}/man8/%{name}.8*
 %changelog
-* Thu Dec 08 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-7
+* Mon Aug 11 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-10
- Correctly apply the patch for default dhparams
+- Fix IP address handling in CA certificate SAN constraints
- Resolves: rhbz#2143206
+- Resolves: RHEL-107289
 * Tue Apr 22 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-9
 - Ensure 'critical' basicConstraint for CA cert
 - Resolves: RHEL-88119
 * Wed Apr 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-8
 - x509: Use proper version for CSR
 - Resolves: RHEL-85851
 * Fri Dec 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-7
 - Use EVP_default_properties_is_fips_enabled() on OpenSSL 3.0
 - Related: rhbz#2083879
 * Mon Nov 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
 - Don't fail if default dhparams file can't be created
- Resolves: rhbz#2143206
+- Resolves: rhbz#2149064
-* Thu Jul 14 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
+* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
- Rebase to sscg 3.0.0
+- Handle IP addresses in subjectAlternativeName correctly
- Resolves: rhbz#2107369
+- Resolves: rhbz#2061923
 - Resolves: rhbz#2091525
-* Thu Jun 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-15
+* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
- Fix certificate lifetime calculation
+- Correct certificate lifetime calculation
- Resolves: rhbz#2091525
+- Resolves: rhbz#2017667
-* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-14
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.0-3
- Properly handling reading long passphrase files.
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
-* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-13
+* Sat Aug 07 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-2
- Fix missing error check for --*-key-passfile
+- Drop usage of removed macro ERR_GET_FUNC()
 - Related: rhbz#1964837
-* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-12
+* Wed Jul 21 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-1
- Improve validation of command-line arguments
+- Release 3.0.0
- Resolves: rhbz#1784441
+- Support for OpenSSL 3.0
- Resolves: rhbz#1784443
+- Support for outputting named Diffie-Hellman parameter groups
 - Support for CentOS Stream 9
 - Resolves: rhbz#1984468
-* Tue Jan 07 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-11
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-8
- Further improve --client-key-file help message
+- Rebuilt for RHEL 9 BETA for openssl 3.0
- Resolves: rhbz#1720667
+  Related: rhbz#1971065
-* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-10
+* Wed May 26 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-7
- Fix incorrect help message
+- OpenSSL 3.0 compatibility: fix RSA key-generation test
- Resolves: rhbz#1720667
+- Resolves: rhbz#1964837
-* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-9
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-6
- Fix null-dereference and memory leak issues with client certs
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 - Resolves: rhbz#1720667
-* Wed Dec 11 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-8
+* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-5
- Add support for generating client authentication certificates
+- Fixing incorrect license declaration
 - Resolves: rhbz#1720667
-* Fri Nov 01 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-7
+* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-4
- Add support for password-protecting the private key files
+- Updating to rebuild against the latest glibc
 - Resolves: rhbz#1717880
-* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-3
- Fixes for issues detected by automated testing.
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 - Resolves: rhbz#1653323
-* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-5
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue Jun 23 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-1
 - Update to 2.6.2
 - Handle very short and very long passphrases properly (fixes rhbz#1850183)
 - Drop upstreamed patch
 * Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-4
 - Rebuild with corrected ELN macro definitions
 * Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-3
 - Don't bother running clang-format in the RPM build
 - Lengthen the test timeout so ARM tests pass
 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-1
 - Bugfixes from upstream
 * Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-2
 - Fix incorrect help description for --client-key-file
 * Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-1
 - Update to 2.6.0
 - Can now generate an empty CRL file.
 - Can now create and store a Diffie-Hellman parameters (dhparams) file.
 - Support for setting a password on private keys.
 - Support for generating a client authentication certificate and key.
 - Better support for OpenSSL 1.0
 * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.1-1
 - Update to 2.5.1
 - Fixes discovered by automated testing.
 * Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.0-1
 - Update to 2.5.0
 - Auto-detect the hash algorithm to use by default.
 * Tue Nov 27 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.4.0-1
 - Update to 2.4.0
 - Autodetect the minimum key strength from the system security level.
 - Autodetect the hash algorithm to use from the system security level.
 - Disallow setting a key strength below the system minimum.
- Resolves: rhbz#1653323
+
 - Drop upstreamed patches
 * Mon Sep 17 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-4
- Add a manpage for sscg.
+- Add a manpage.
-* Thu Jul 05 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-3
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-3
- Strip out bundled popt since RHEL 8 has a new-enough version.
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
@ -266,3 +327,4 @@ false signatures from the service certificate.
 * Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-1
 - First packaging