.gitignore

@@ -1 +1,25 @@
-SOURCES/sscg-3.0.0.tar.xz
+/sscg-0.4.1.tar.gz
+/sscg-1.0.0-a3fe426.tar.gz
+/sscg-1.0.1-6858b79.tar.gz
+/sscg-1.0.2-897a89a.tar.gz
+/sscg-1.0.3-ecdee74.tar.gz
+/sscg-1.0.4-024d20e.tar.gz
+/sscg-1.1.0-4f90b27.tar.gz
+/sscg-2.0.0.tar.gz
+/sscg-2.0.1.tar.gz
+/sscg-2.0.2.tar.gz
+/sscg-2.0.3.tar.gz
+/sscg-2.0.4.tar.gz
+/sscg-2.1.0.tar.gz
+/sscg-2.2.0.tar.gz
+/sscg-2.3.0.tar.xz
+/sscg-2.3.1.tar.xz
+/sscg-2.3.2.tar.xz
+/sscg-2.3.3.tar.xz
+/sscg-2.4.0.tar.xz
+/sscg-2.5.0.tar.xz
+/sscg-2.5.1.tar.xz
+/sscg-2.6.0.tar.xz
+/sscg-2.6.1.tar.xz
+/sscg-2.6.2.tar.xz
+/sscg-3.0.0.tar.xz

.sscg.metadata

@@ -1 +1 @@
-81e3b33e118edff96583314ceb4bfde9a1e6b45c SOURCES/sscg-3.0.0.tar.xz
+81e3b33e118edff96583314ceb4bfde9a1e6b45c sscg-3.0.0.tar.xz

0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch

@@ -0,0 +1,32 @@
+From e65a507c487a37dd5a8c90b7dbd1ff3274146239 Mon Sep 17 00:00:00 2001
+From: Simon Chopin <simon.chopin@canonical.com>
+Date: Mon, 13 Dec 2021 15:20:55 +0100
+Subject: [PATCH 5/5] dhparams: Fix the FIPS_mode() call for OpenSSL 3.0
+
+This function has been removed from OpenSSL 3.0, replaced by
+EVP_default_properties_is_fips_enabled().
+
+Closes #50
+---
+ src/dhparams.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/dhparams.c b/src/dhparams.c
+index 5c50128970d48790df910b9f9531e61e1d4c5758..61fd57aeedca47fba49f75d356cd5f42b9586696 100644
+--- a/src/dhparams.c
++++ b/src/dhparams.c
+@@ -231,7 +231,11 @@ is_valid_named_group (const char *group_name)
+     }
+ 
+   /* Check non-FIPS groups */
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+   if (!FIPS_mode ())
++#else
++  if (!EVP_default_properties_is_fips_enabled(NULL))
++#endif
+     {
+       i = 0;
+       while (dh_nonfips_groups[i])
+-- 
+2.31.1
+

gating.yaml

@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier2.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier3.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}

sources

@@ -0,0 +1 @@
+SHA512 (sscg-3.0.0.tar.xz) = d5bbd14c102bb11b387b6018dced09b23b053498c60befd916aa142ece8240f443e364d9a578b6b5aa15c68cb943725ed96ef44cce77eb01013e464a6d4dc0f1

sscg.spec

@@ -26,11 +26,11 @@ BuildRequires:  ninja-build
 BuildRequires:  help2man
 
 
-Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
-Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
-Patch0003: 0003-Truncate-IP-address-in-SAN.patch
-Patch0004: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
-
+Patch: 0001-Drop-usage-of-ERR_GET_FUNC.patch
+Patch: 0002-Correct-certificate-lifetime-calculation.patch
+Patch: 0003-Truncate-IP-address-in-SAN.patch
+Patch: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
+Patch: 0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
 
 %description
 A utility to aid in the creation of more secure "self-signed"
@@ -61,69 +61,115 @@ false signatures from the service certificate.
 %{_mandir}/man8/%{name}.8*
 
 %changelog
-* Thu Dec 08 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-7
-- Correctly apply the patch for default dhparams
-- Resolves: rhbz#2143206
+* Fri Dec 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
+- Use EVP_default_properties_is_fips_enabled() on OpenSSL 3.0
+- Related: rhbz#2083879
 
 * Mon Nov 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
 - Don't fail if default dhparams file can't be created
-- Resolves: rhbz#2143206
+- Resolves: rhbz#2149064
 
-* Thu Jul 14 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
-- Rebase to sscg 3.0.0
-- Resolves: rhbz#2107369
-- Resolves: rhbz#2091525
+* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
+- Handle IP addresses in subjectAlternativeName correctly
+- Resolves: rhbz#2061923
 
-* Thu Jun 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-15
-- Fix certificate lifetime calculation
-- Resolves: rhbz#2091525
+* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
+- Correct certificate lifetime calculation
+- Resolves: rhbz#2017667
 
-* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-14
-- Properly handling reading long passphrase files.
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-13
-- Fix missing error check for --*-key-passfile
+* Sat Aug 07 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-2
+- Drop usage of removed macro ERR_GET_FUNC()
+- Related: rhbz#1964837
 
-* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-12
-- Improve validation of command-line arguments
-- Resolves: rhbz#1784441
-- Resolves: rhbz#1784443
+* Wed Jul 21 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-1
+- Release 3.0.0
+- Support for OpenSSL 3.0
+- Support for outputting named Diffie-Hellman parameter groups
+- Support for CentOS Stream 9
+- Resolves: rhbz#1984468
 
-* Tue Jan 07 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-11
-- Further improve --client-key-file help message
-- Resolves: rhbz#1720667
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-8
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
 
-* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-10
-- Fix incorrect help message
-- Resolves: rhbz#1720667
+* Wed May 26 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-7
+- OpenSSL 3.0 compatibility: fix RSA key-generation test
+- Resolves: rhbz#1964837
 
-* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-9
-- Fix null-dereference and memory leak issues with client certs
-- Resolves: rhbz#1720667
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-6
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Wed Dec 11 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-8
-- Add support for generating client authentication certificates
-- Resolves: rhbz#1720667
+* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-5
+- Fixing incorrect license declaration
 
-* Fri Nov 01 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-7
-- Add support for password-protecting the private key files
-- Resolves: rhbz#1717880
+* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-4
+- Updating to rebuild against the latest glibc
 
-* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
-- Fixes for issues detected by automated testing.
-- Resolves: rhbz#1653323
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-5
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 23 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-1
+- Update to 2.6.2
+- Handle very short and very long passphrases properly (fixes rhbz#1850183)
+- Drop upstreamed patch
+
+* Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-4
+- Rebuild with corrected ELN macro definitions
+
+* Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-3
+- Don't bother running clang-format in the RPM build
+- Lengthen the test timeout so ARM tests pass
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-1
+- Bugfixes from upstream
+
+* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-2
+- Fix incorrect help description for --client-key-file
+
+* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-1
+- Update to 2.6.0
+- Can now generate an empty CRL file.
+- Can now create and store a Diffie-Hellman parameters (dhparams) file.
+- Support for setting a password on private keys.
+- Support for generating a client authentication certificate and key.
+- Better support for OpenSSL 1.0
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.1-1
+- Update to 2.5.1
+- Fixes discovered by automated testing.
+
+* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.0-1
+- Update to 2.5.0
+- Auto-detect the hash algorithm to use by default.
+
+* Tue Nov 27 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.4.0-1
+- Update to 2.4.0
 - Autodetect the minimum key strength from the system security level.
-- Autodetect the hash algorithm to use from the system security level.
 - Disallow setting a key strength below the system minimum.
-- Resolves: rhbz#1653323
+
+- Drop upstreamed patches
 
 * Mon Sep 17 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-4
-- Add a manpage for sscg.
+- Add a manpage.
 
-* Thu Jul 05 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-3
-- Strip out bundled popt since RHEL 8 has a new-enough version.
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
@@ -266,3 +312,4 @@ false signatures from the service certificate.
 
 * Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-1
 - First packaging
+

test/help-usage/Makefile

@@ -0,0 +1,14 @@
+.PHONY: all install download clean
+
+BUILT_FILES=
+
+FILES=runtest.sh Makefile
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x ./runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)

test/help-usage/README.rst

@@ -0,0 +1,13 @@
+help-usage
+==========
+
+This is an example task for `Taskotron <https://fedoraproject.org/wiki/Taskotron>`_
+that tests the basic functionality of 'sscg --help' to confirm it generates a usage message.
+
+Standalone you can run it like this::
+
+  $ make run
+
+Through taskotron runner you can run it like this::
+
+  $ runtask -i sscg-2.0.4-1.fc27 -t koji_build -a x86_64 runtask.yml

test/help-usage/runtask.yml

@@ -0,0 +1,29 @@
+---
+name: help-usage
+desc: "Tests the basic functionality of 'sscg --help' to confirm it generates a usage message."
+maintainer: sgallagh
+
+input:
+    args:
+        - koji_build
+        - arch
+
+environment:
+    rpm:
+        - make
+
+actions:
+    - name: download the build
+      koji:
+          action: download
+          koji_build: ${koji_build}
+          arch: $arch
+          target_dir: ${workdir}/rpms
+
+    - name: install the build
+      shell:
+          - dnf install -y ${workdir}/rpms/*.rpm
+
+    - name: run test
+      shell:
+          - make run

test/help-usage/runtest.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+PACKAGE=sscg
+
+# Assume the test will pass.
+result=PASS
+
+sscg --help | grep -q -i '^usage:'
+if [ $? -ne 0 ]; then
+        result=FAIL
+fi
+
+echo $result