Import rpm: fa86fe1793a70fb2ba2e7b33f169ba75193b6c85
This commit is contained in:
James Antill
parent
c289acd76b
commit
77601364e6
@ -0,0 +1,65 @@
|
|||||||
|
From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Berger <stefanb@linux.ibm.com>
|
||||||
|
Date: Tue, 1 Feb 2022 12:40:06 -0500
|
||||||
|
Subject: [PATCH] swtpm_localca: Test for available issuercert before creating
|
||||||
|
CA
|
||||||
|
|
||||||
|
Avoid trying to create TPM certificates while the issuer certificate has
|
||||||
|
not been created, yet (in a 2nd step).
|
||||||
|
|
||||||
|
To resolve this do not just test for availability of the signing key, which
|
||||||
|
is created first, but also test for the issuer certifcate, which is created
|
||||||
|
in a 2nd step when the local CA is created. If either one is missing,
|
||||||
|
attempt to create the CA.
|
||||||
|
|
||||||
|
Resolves: https://github.com/stefanberger/swtpm/issues/644
|
||||||
|
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++-
|
||||||
|
1 file changed, 16 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
|
||||||
|
index 037bfd5266bb..089e4e0db4ce 100644
|
||||||
|
--- a/src/swtpm_localca/swtpm_localca.c
|
||||||
|
+++ b/src/swtpm_localca/swtpm_localca.c
|
||||||
|
@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (access(signkey, R_OK) != 0) {
|
||||||
|
+ if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
|
||||||
|
g_autofree gchar *directory = g_path_get_dirname(signkey);
|
||||||
|
g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
|
||||||
|
g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
|
||||||
|
@@ -808,13 +808,28 @@ int main(int argc, char *argv[])
|
||||||
|
if (ret != 0)
|
||||||
|
goto error;
|
||||||
|
} else {
|
||||||
|
+ int create_certs = 0;
|
||||||
|
+
|
||||||
|
+ /* create certificate if either the signing key or issuer cert are missing */
|
||||||
|
if (access(signkey, R_OK) != 0) {
|
||||||
|
if (stat(signkey, &statbuf) == 0) {
|
||||||
|
logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
|
||||||
|
signkey, curr_user ? curr_user->pw_name : "<unknown>");
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
+ create_certs = 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (access(issuercert, R_OK) != 0) {
|
||||||
|
+ if (stat(issuercert, &statbuf) == 0) {
|
||||||
|
+ logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
|
||||||
|
+ issuercert, curr_user ? curr_user->pw_name : "<unknown>");
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
+ create_certs = 1;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
+ if (create_certs) {
|
||||||
|
logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
|
||||||
|
if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
|
||||||
|
issuercert) != 0) {
|
||||||
|
--
|
||||||
|
2.37.0.rc0
|
||||||
|
|
||||||
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (swtpm-b79fd91.tar.gz) = bb17a2dc7542261618ea7572301d447820ad762478cb5b38b11cf49e46a6c81620861ba5d1f150c966fe19aed828da40431ce9544775bfd048152c2957bc178e
|
SHA1 (swtpm-b79fd91.tar.gz) = b79a2d005663868139f0678cddeecf70278ec219
|
||||||
|
|||||||
17
swtpm.spec
17
swtpm.spec
@ -12,11 +12,14 @@
|
|||||||
Summary: TPM Emulator
|
Summary: TPM Emulator
|
||||||
Name: swtpm
|
Name: swtpm
|
||||||
Version: 0.7.0
|
Version: 0.7.0
|
||||||
Release: 1.%{gitdate}git%{gitshortcommit}%{?dist}
|
Release: 4.%{gitdate}git%{gitshortcommit}%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Url: http://github.com/stefanberger/swtpm
|
Url: http://github.com/stefanberger/swtpm
|
||||||
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
|
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
|
||||||
ExcludeArch: i686
|
ExcludeArch: i686
|
||||||
|
Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
|
||||||
|
Patch0002: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
|
||||||
|
Patch0003: 0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: git-core
|
BuildRequires: git-core
|
||||||
@ -179,6 +182,18 @@ fi
|
|||||||
%{_datadir}/swtpm/swtpm-create-tpmca
|
%{_datadir}/swtpm/swtpm-create-tpmca
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jul 18 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-4.20211109gitb79fd91
|
||||||
|
- swtpm_localca: Test for available issuercert before creating CA
|
||||||
|
Resolves: rhbz#2100508
|
||||||
|
|
||||||
|
* Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
|
||||||
|
- Disable OpenSSL FIPS mode to avoid libtpms failures
|
||||||
|
Resolves: rhbz#2097947
|
||||||
|
|
||||||
|
* Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
|
||||||
|
- Add fix for CVE-2022-23645.
|
||||||
|
Resolves: rhbz#2056517
|
||||||
|
|
||||||
* Tue Jan 04 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
|
* Tue Jan 04 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
|
||||||
- Rebase to 0.7.0, disable TPM 1.2.
|
- Rebase to 0.7.0, disable TPM 1.2.
|
||||||
Resovles: rhbz#2029612
|
Resovles: rhbz#2029612
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user