From 77601364e6110d6e86c524486e5a497a2857e71c Mon Sep 17 00:00:00 2001
From: James Antill <jantill@redhat.com>
Date: Thu, 23 Feb 2023 13:22:48 -0500
Subject: [PATCH] Import rpm: fa86fe1793a70fb2ba2e7b33f169ba75193b6c85

---
 ...st-for-available-issuercert-before-c.patch | 65 +++++++++++++++++++
 sources                                       |  2 +-
 swtpm.spec                                    | 17 ++++-
 3 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 0001-swtpm_localca-Test-for-available-issuercert-before-c.patch

diff --git a/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch b/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
new file mode 100644
index 0000000..201620b
--- /dev/null
+++ b/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
@@ -0,0 +1,65 @@
+From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 1 Feb 2022 12:40:06 -0500
+Subject: [PATCH] swtpm_localca: Test for available issuercert before creating
+ CA
+
+Avoid trying to create TPM certificates while the issuer certificate has
+not been created, yet (in a 2nd step).
+
+To resolve this do not just test for availability of the signing key, which
+is created first, but also test for the issuer certifcate, which is created
+in a 2nd step when the local CA is created. If either one is missing,
+attempt to create the CA.
+
+Resolves: https://github.com/stefanberger/swtpm/issues/644
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
+index 037bfd5266bb..089e4e0db4ce 100644
+--- a/src/swtpm_localca/swtpm_localca.c
++++ b/src/swtpm_localca/swtpm_localca.c
+@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
+             goto error;
+     }
+ 
+-    if (access(signkey, R_OK) != 0) {
++    if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
+         g_autofree gchar *directory = g_path_get_dirname(signkey);
+         g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
+         g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
+@@ -808,13 +808,28 @@ int main(int argc, char *argv[])
+         if (ret != 0)
+             goto error;
+     } else {
++        int create_certs = 0;
++
++        /* create certificate if either the signing key or issuer cert are missing */
+         if (access(signkey, R_OK) != 0) {
+             if (stat(signkey, &statbuf) == 0) {
+                 logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
+                        signkey, curr_user ? curr_user->pw_name : "<unknown>");
+                 goto error;
+             }
++            create_certs = 1;
++        }
++
++        if (access(issuercert, R_OK) != 0) {
++            if (stat(issuercert, &statbuf) == 0) {
++                logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
++                       issuercert, curr_user ? curr_user->pw_name : "<unknown>");
++                goto error;
++            }
++            create_certs = 1;
++        }
+ 
++        if (create_certs) {
+             logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
+             if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
+                                     issuercert) != 0) {
+-- 
+2.37.0.rc0
+
diff --git a/sources b/sources
index f7c95de..5c54e4d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (swtpm-b79fd91.tar.gz) = bb17a2dc7542261618ea7572301d447820ad762478cb5b38b11cf49e46a6c81620861ba5d1f150c966fe19aed828da40431ce9544775bfd048152c2957bc178e
+SHA1 (swtpm-b79fd91.tar.gz) = b79a2d005663868139f0678cddeecf70278ec219
diff --git a/swtpm.spec b/swtpm.spec
index e3d10c6..181a689 100644
--- a/swtpm.spec
+++ b/swtpm.spec
@@ -12,11 +12,14 @@
 Summary: TPM Emulator
 Name:           swtpm
 Version:        0.7.0
-Release:        1.%{gitdate}git%{gitshortcommit}%{?dist}
+Release:        4.%{gitdate}git%{gitshortcommit}%{?dist}
 License:        BSD
 Url:            http://github.com/stefanberger/swtpm
 Source0:        %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
 ExcludeArch:    i686
+Patch0001:      0001-swtpm-Check-header-size-indicator-against-expected-s.patch
+Patch0002:      0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
+Patch0003:      0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
 
 BuildRequires: make
 BuildRequires:  git-core
@@ -179,6 +182,18 @@ fi
 %{_datadir}/swtpm/swtpm-create-tpmca
 
 %changelog
+* Mon Jul 18 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-4.20211109gitb79fd91
+- swtpm_localca: Test for available issuercert before creating CA
+  Resolves: rhbz#2100508
+
+* Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
+- Disable OpenSSL FIPS mode to avoid libtpms failures
+  Resolves: rhbz#2097947
+
+* Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
+- Add fix for CVE-2022-23645.
+  Resolves: rhbz#2056517
+
 * Tue Jan 04 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
 - Rebase to 0.7.0, disable TPM 1.2.
   Resovles: rhbz#2029612