Add patch to for passing certificate chain validation

This patch fixes test errors on Fedora Rawhide due to the change in the min-verification-profile setting in gnutls.config. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-01 09:22:20 -04:00 · 2020-08-01 09:22:20 -04:00 · ac941adb9f
commit ac941adb9f
parent 8ab2c96965
2 changed files with 58 additions and 1 deletions
--- a/0001-tests-Modify-sample-key-to-be-2048-bit-rather-than-o.patch
+++ b/0001-tests-Modify-sample-key-to-be-2048-bit-rather-than-o.patch
@ -0,0 +1,56 @@
+From f5bd8ba14f5165bc5b7cd3b20a7ba07f6acbfffe Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Fri, 31 Jul 2020 10:47:27 -0400
+Subject: [PATCH] tests: Modify sample key to be 2048 bit rather than only 2033
+ bit
+
+The generated sample keys started with 00010203, thus leaving the upper
+15 bits of the key as '0', which in turn causes gnutls to think that the
+key is only 2033 bit long, thus rejecting certificate verification once
+the min-verification-profile is set to 'medium' in gnutls's config file
+in /etc/crypto-policies/back-ends/gnutls.config.
+
+We now create sample keys starting with 800102, which sets the highest bit.
+
+This fixes test errors on Fedora Rawhide due to the change in the
+min-verification-profile setting in gnutls.config.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ tests/test_tpm2_samples_swtpm_localca        | 4 ++--
+ tests/test_tpm2_samples_swtpm_localca_pkcs11 | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tests/test_tpm2_samples_swtpm_localca b/tests/test_tpm2_samples_swtpm_localca
+index 3611b9d2..11ad10ba 100755
+--- a/tests/test_tpm2_samples_swtpm_localca
+++ b/tests/test_tpm2_samples_swtpm_localca
+@@ -11,8 +11,8 @@ SWTPM_LOCALCA=${TOPSRC}/samples/swtpm-localca
+ 
+ workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX")
+ 
+-ek=""
+-for ((i = 0; i < 256; i++)); do
+ek="80" # 2048 bit key must have highest bit set
+for ((i = 1; i < 256; i++)); do
+   ek="${ek}$(printf "%02x" $i)"
+ done
+ 
+diff --git a/tests/test_tpm2_samples_swtpm_localca_pkcs11 b/tests/test_tpm2_samples_swtpm_localca_pkcs11
+index 5d0d1d45..372a6391 100755
+--- a/tests/test_tpm2_samples_swtpm_localca_pkcs11
+++ b/tests/test_tpm2_samples_swtpm_localca_pkcs11
+@@ -11,8 +11,8 @@ SWTPM_LOCALCA=${TOPSRC}/samples/swtpm-localca
+ 
+ workdir=$(mktemp -d)
+ 
+-ek=""
+-for ((i = 0; i < 256; i++)); do
+ek="80" # 2048 bit key must have highest bit set
+for ((i = 1; i < 256; i++)); do
+   ek="${ek}$(printf "%02x" $i)"
+ done
+ 
+-- 
+2.25.4
+
--- a/swtpm.spec
+++ b/swtpm.spec
@ -12,12 +12,13 @@
 Summary: TPM Emulator
 Name:           swtpm
 Version:        0.3.0
-Release:        3.%{gitdate}git%{gitshortcommit}%{?dist}
+Release:        4.%{gitdate}git%{gitshortcommit}%{?dist}
 License:        BSD
 Url:            http://github.com/stefanberger/swtpm
 Source0:        %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz

 Patch0001:      0001-tests-Skip-test-4-of-derived-keys-in-case-an-allowed.patch
+Patch0002:      0001-tests-Modify-sample-key-to-be-2048-bit-rather-than-o.patch

 BuildRequires:  git-core
 BuildRequires:  automake