diff --git a/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch b/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
new file mode 100644
index 0000000..201620b
--- /dev/null
+++ b/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
@@ -0,0 +1,65 @@
+From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Tue, 1 Feb 2022 12:40:06 -0500
+Subject: [PATCH] swtpm_localca: Test for available issuercert before creating
+ CA
+
+Avoid trying to create TPM certificates while the issuer certificate has
+not been created, yet (in a 2nd step).
+
+To resolve this do not just test for availability of the signing key, which
+is created first, but also test for the issuer certifcate, which is created
+in a 2nd step when the local CA is created. If either one is missing,
+attempt to create the CA.
+
+Resolves: https://github.com/stefanberger/swtpm/issues/644
+Signed-off-by: Stefan Berger
+---
+ src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
+index 037bfd5266bb..089e4e0db4ce 100644
+--- a/src/swtpm_localca/swtpm_localca.c
++++ b/src/swtpm_localca/swtpm_localca.c
+@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
+ goto error;
+ }
+
+- if (access(signkey, R_OK) != 0) {
++ if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
+ g_autofree gchar *directory = g_path_get_dirname(signkey);
+ g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
+ g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
+@@ -808,13 +808,28 @@ int main(int argc, char *argv[])
+ if (ret != 0)
+ goto error;
+ } else {
++ int create_certs = 0;
++
++ /* create certificate if either the signing key or issuer cert are missing */
+ if (access(signkey, R_OK) != 0) {
+ if (stat(signkey, &statbuf) == 0) {
+ logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
+ signkey, curr_user ? curr_user->pw_name : "");
+ goto error;
+ }
++ create_certs = 1;
++ }
++
++ if (access(issuercert, R_OK) != 0) {
++ if (stat(issuercert, &statbuf) == 0) {
++ logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
++ issuercert, curr_user ? curr_user->pw_name : "");
++ goto error;
++ }
++ create_certs = 1;
++ }
+
++ if (create_certs) {
+ logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
+ if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
+ issuercert) != 0) {
+--
+2.37.0.rc0
+
diff --git a/sources b/sources
index f7c95de..5c54e4d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (swtpm-b79fd91.tar.gz) = bb17a2dc7542261618ea7572301d447820ad762478cb5b38b11cf49e46a6c81620861ba5d1f150c966fe19aed828da40431ce9544775bfd048152c2957bc178e
+SHA1 (swtpm-b79fd91.tar.gz) = b79a2d005663868139f0678cddeecf70278ec219
diff --git a/swtpm.spec b/swtpm.spec
index e3d10c6..181a689 100644
--- a/swtpm.spec
+++ b/swtpm.spec
@@ -12,11 +12,14 @@ Summary: TPM Emulator
 Name: swtpm
 Version: 0.7.0
-Release: 1.%{gitdate}git%{gitshortcommit}%{?dist}
+Release: 4.%{gitdate}git%{gitshortcommit}%{?dist}
 License: BSD
 Url: http://github.com/stefanberger/swtpm
 Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
 ExcludeArch: i686
+Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
+Patch0002: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
+Patch0003: 0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
 BuildRequires: make
 BuildRequires: git-core
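Review bot: The new `stat()` checks in `main()` of the embedded patch treat every `stat()` failure as "file missing", because only `== 0` is tested; a failure such as `EACCES` on the containing directory or `ELOOP` on `signkey`/`issuercert` then falls through to `create_localca_cert()` and most likely surfaces later as a less specific creation error. Checking `errno` after `stat()` (with `<errno.h>` in scope) makes the intent explicit: `if (stat(issuercert, &statbuf) == 0 || errno != ENOENT) { logerr(...); goto error; }`, with the message widened to cover the non-`ENOENT` case, and the same for `signkey`. The two new blocks differ only in path and message, so a small `static` helper taking the path and a description would remove the duplication, and the inline comment reads better as `/* create certificates if either the signing key or the issuer cert is missing */`. Both `create_localca_cert()` and `main()` begin and end outside the embedded hunks.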
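Review bot: The `sources` entry for `swtpm-b79fd91.tar.gz` changes its checksum algorithm from SHA512 to SHA1 (the new value is 40 hex digits), which weakens integrity verification of the fetched tarball, since SHA-1 is no longer collision resistant. Unless the target dist-git tooling only accepts SHA-1 entries, keep a `SHA512 (swtpm-b79fd91.tar.gz) = ...` line; the file name is unchanged here, so if the tarball itself is unchanged the existing SHA512 digest should still be the correct one.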
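Review bot: `Patch0001` and `Patch0002` reference `0001-swtpm-Check-header-size-indicator-against-expected-s.patch` and `0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch`, but this diff only adds the `Patch0003` file; unless both already exist in the tree (or this diff is filtered), `%prep` will fail to find them. The `BuildRequires: git-core` suggests `%autosetup -S git`, which would apply the new tags automatically, but `%prep` is outside the hunk so that cannot be confirmed here. A one-line comment above each `PatchNNNN` tag naming the upstream commit or issue it backports (the embedded patch cites its upstream issue in its `Resolves:` trailer) would make future rebases easier.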
@@ -179,6 +182,18 @@ fi
 %{_datadir}/swtpm/swtpm-create-tpmca
 %changelog
+* Mon Jul 18 2022 Marc-André Lureau - 0.7.0-4.20211109gitb79fd91
+- swtpm_localca: Test for available issuercert before creating CA
+ Resolves: rhbz#2100508
+
+* Mon Jun 20 2022 Marc-André Lureau - 0.7.0-3.20211109gitb79fd91
+- Disable OpenSSL FIPS mode to avoid libtpms failures
+ Resolves: rhbz#2097947
+
+* Mon Feb 21 2022 Marc-André Lureau - 0.7.0-2.20211109gitb79fd91
+- Add fix for CVE-2022-23645.
+ Resolves: rhbz#2056517
+
 * Tue Jan 04 2022 Marc-André Lureau - 0.7.0-1.20211109gitb79fd91
 - Rebase to 0.7.0, disable TPM 1.2.
 Resovles: rhbz#2029612