From 4f3f20a780d8470c608aee4eb0741133afffc65d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mon, 23 Jan 2023 09:33:48 -0500
Subject: [PATCH] import swtpm-0.7.0-4.20211109gitb79fd91.el9_1

---
 ...st-for-available-issuercert-before-c.patch | 65 +++++++++++++++++++
 SPECS/swtpm.spec | 7 +-
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch

diff --git a/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch b/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
new file mode 100644
index 0000000..201620b
--- /dev/null
+++ b/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
@@ -0,0 +1,65 @@
+From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Tue, 1 Feb 2022 12:40:06 -0500
+Subject: [PATCH] swtpm_localca: Test for available issuercert before creating
+ CA
+
+Avoid trying to create TPM certificates while the issuer certificate has
+not been created, yet (in a 2nd step).
+
+To resolve this do not just test for availability of the signing key, which
+is created first, but also test for the issuer certifcate, which is created
+in a 2nd step when the local CA is created. If either one is missing,
+attempt to create the CA.
+
+Resolves: https://github.com/stefanberger/swtpm/issues/644
+Signed-off-by: Stefan Berger
+---
+ src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
+index 037bfd5266bb..089e4e0db4ce 100644
+--- a/src/swtpm_localca/swtpm_localca.c
++++ b/src/swtpm_localca/swtpm_localca.c
+@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
+ goto error;
+ }
+
+- if (access(signkey, R_OK) != 0) {
++ if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
+ g_autofree gchar *directory = g_path_get_dirname(signkey);
+ g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
+ g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
+@@ -808,13 +808,28 @@ int main(int argc, char *argv[])
+ if (ret != 0)
+ goto error;
+ } else {
++ int create_certs = 0;
++
++ /* create certificate if either the signing key or issuer cert are missing */
+ if (access(signkey, R_OK) != 0) {
+ if (stat(signkey, &statbuf) == 0) {
+ logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
+ signkey, curr_user ? curr_user->pw_name : "");
+ goto error;
+ }
++ create_certs = 1;
++ }
++
++ if (access(issuercert, R_OK) != 0) {
++ if (stat(issuercert, &statbuf) == 0) {
++ logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
++ issuercert, curr_user ? curr_user->pw_name : "");
++ goto error;
++ }
++ create_certs = 1;
++ }
+
++ if (create_certs) {
+ logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
+ if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
+ issuercert) != 0) {
+--
+2.37.0.rc0
+
diff --git a/SPECS/swtpm.spec b/SPECS/swtpm.spec
index d072e48..8d05aea 100644
--- a/SPECS/swtpm.spec
+++ b/SPECS/swtpm.spec
@@ -12,12 +12,13 @@
 Summary: TPM Emulator
 Name: swtpm
 Version: 0.7.0
-Release: 3.%{gitdate}git%{gitshortcommit}%{?dist}
+Release: 4.%{gitdate}git%{gitshortcommit}%{?dist}
 License: BSD
 Url: http://github.com/stefanberger/swtpm
 Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
 Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
 Patch0002: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
+Patch0003: 0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
 
 BuildRequires: make
 BuildRequires: git-core
@@ -180,6 +181,10 @@ fi
 %{_datadir}/swtpm/swtpm-create-tpmca
 
 %changelog
+* Fri Dec 16 2022 Marc-André Lureau - 0.7.0-4.20211109gitb79fd91
+- swtpm_localca: Test for available issuercert before creating CA
+  Resolves: rhbz#2152916
+
 * Fri Jun 17 2022 Marc-André Lureau - 0.7.0-3.20211109gitb79fd91
 - Disable OpenSSL FIPS mode to avoid libtpms failures
   Resolves: rhbz#2090219
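Review bot: In the new `access(issuercert, R_OK)` block in main(), a stat() failure for any reason other than a missing file is treated as "missing" and leads to an attempt to create the CA; only the stat() == 0 case reports the permissions problem. A parent directory without search permission, a dangling symlink or a symlink loop fail both access() and stat() with errno other than ENOENT, so the user gets whatever diagnostic the creation path produces instead of the intended "Need read rights" message. Checking errno after stat(), e.g. `if (stat(issuercert, &statbuf) == 0 || errno != ENOENT) {` and including strerror(errno) in the logged message, restricts the create path to the genuinely-missing case; the pre-existing signkey check just above has the same gap. It would also help to add a comment at the create_localca_cert() call stating what happens to an existing signing key when only the issuer cert is missing, since the widened condition at line 117 now enters the creation path in that case and whether the helper preserves or regenerates the key is not visible in this hunk. The body of main() continues outside the hunk.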