From e859029ea0657a8fe25bd6d1a898a78302a8af4f Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 3 Jun 2022 15:31:56 +0200 Subject: [PATCH] Replace expired certificates Resolves: rhbz#2092456 --- 0066-replace-expired-certs.patch | 212 +++++++++++++++++++++++++++++++ openssl.spec | 9 +- 2 files changed, 220 insertions(+), 1 deletion(-) create mode 100644 0066-replace-expired-certs.patch diff --git a/0066-replace-expired-certs.patch b/0066-replace-expired-certs.patch new file mode 100644 index 0000000..adc9460 --- /dev/null +++ b/0066-replace-expired-certs.patch @@ -0,0 +1,212 @@ +diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem +index 1fa449d5a098..6aa9455f09ed 100644 +--- a/test/certs/embeddedSCTs1_issuer.pem ++++ b/test/certs/embeddedSCTs1_issuer.pem +@@ -1,18 +1,18 @@ + -----BEGIN CERTIFICATE----- +-MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk ++MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk + MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX +-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw +-MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu +-c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf +-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7 +-jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP +-KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL +-svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk +-tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG +-A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO +-MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB +-/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt +-OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy +-f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP +-OwqULg== ++YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw ++ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy ++YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w ++gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG ++0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4 ++SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG ++acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw ++wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw ++CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB ++MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD ++AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq +++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo ++2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c ++Doud4XrO + -----END CERTIFICATE----- +diff --git a/test/certs/sm2-ca-cert.pem b/test/certs/sm2-ca-cert.pem +index 5677ac6c9f6a..70ce71e43091 100644 +--- a/test/certs/sm2-ca-cert.pem ++++ b/test/certs/sm2-ca-cert.pem +@@ -1,14 +1,14 @@ + -----BEGIN CERTIFICATE----- +-MIICJDCCAcqgAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT ++MIICJzCCAcygAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT + AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl +-c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe +-Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMGgxCzAJBgNVBAYTAkNOMQsw +-CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn +-MRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTBZMBMGByqG +-SM49AgEGCCqBHM9VAYItA0IABHRYnqErofBdXPptvvO7+BSVJxcpHuTGnZ+UPrbU +-5kVEUMaUnNOeMJZl/vRGimZCm/AkReJmRfnb15ESHR+ssp6jXTBbMB0GA1UdDgQW +-BBTFjcWu/zJgSZ5SKUlU5Vx4/0W5dDAfBgNVHSMEGDAWgBTFjcWu/zJgSZ5SKUlU +-5Vx4/0W5dDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzPVQGDdQNI +-ADBFAiEAs6byi1nSQtFELOw/2tQIv5AEsZFR5MJ/oB2ztXzs2LYCIEfIw4xlUH6X +-YFhs4RnIa0K9Ng1ebsGPrifYkudwBIk3 ++c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAg ++Fw0yMjA2MDIxNTQ5MzlaGA8yMTIyMDUwOTE1NDkzOVowaDELMAkGA1UEBhMCQ04x ++CzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzERMA8GA1UECgwIVGVzdCBP ++cmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rlc3QgU00yIENBMFkwEwYH ++KoZIzj0CAQYIKoEcz1UBgi0DQgAEdFieoSuh8F1c+m2+87v4FJUnFyke5Madn5Q+ ++ttTmRURQxpSc054wlmX+9EaKZkKb8CRF4mZF+dvXkRIdH6yynqNdMFswHQYDVR0O ++BBYEFMWNxa7/MmBJnlIpSVTlXHj/Rbl0MB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIp ++SVTlXHj/Rbl0MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqBHM9VAYN1 ++A0kAMEYCIQC3c2TkO6Lyxt5GNZqoZNuMEphjL9K7W1TsX6mHzlhHDwIhAICXy2XC ++WsTzdrMZUXLtrDDFOq+3FaD4pe1HP2LZFNpu + -----END CERTIFICATE----- +diff --git a/test/certs/sm2-root.crt b/test/certs/sm2-root.crt +index 5677ac6c9f6a..70ce71e43091 100644 +--- a/test/certs/sm2-root.crt ++++ b/test/certs/sm2-root.crt +@@ -1,14 +1,14 @@ + -----BEGIN CERTIFICATE----- +-MIICJDCCAcqgAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT ++MIICJzCCAcygAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT + AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl +-c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe +-Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMGgxCzAJBgNVBAYTAkNOMQsw +-CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn +-MRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTBZMBMGByqG +-SM49AgEGCCqBHM9VAYItA0IABHRYnqErofBdXPptvvO7+BSVJxcpHuTGnZ+UPrbU +-5kVEUMaUnNOeMJZl/vRGimZCm/AkReJmRfnb15ESHR+ssp6jXTBbMB0GA1UdDgQW +-BBTFjcWu/zJgSZ5SKUlU5Vx4/0W5dDAfBgNVHSMEGDAWgBTFjcWu/zJgSZ5SKUlU +-5Vx4/0W5dDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzPVQGDdQNI +-ADBFAiEAs6byi1nSQtFELOw/2tQIv5AEsZFR5MJ/oB2ztXzs2LYCIEfIw4xlUH6X +-YFhs4RnIa0K9Ng1ebsGPrifYkudwBIk3 ++c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAg ++Fw0yMjA2MDIxNTQ5MzlaGA8yMTIyMDUwOTE1NDkzOVowaDELMAkGA1UEBhMCQ04x ++CzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzERMA8GA1UECgwIVGVzdCBP ++cmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rlc3QgU00yIENBMFkwEwYH ++KoZIzj0CAQYIKoEcz1UBgi0DQgAEdFieoSuh8F1c+m2+87v4FJUnFyke5Madn5Q+ ++ttTmRURQxpSc054wlmX+9EaKZkKb8CRF4mZF+dvXkRIdH6yynqNdMFswHQYDVR0O ++BBYEFMWNxa7/MmBJnlIpSVTlXHj/Rbl0MB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIp ++SVTlXHj/Rbl0MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqBHM9VAYN1 ++A0kAMEYCIQC3c2TkO6Lyxt5GNZqoZNuMEphjL9K7W1TsX6mHzlhHDwIhAICXy2XC ++WsTzdrMZUXLtrDDFOq+3FaD4pe1HP2LZFNpu + -----END CERTIFICATE----- +diff --git a/test/certs/sm2.pem b/test/certs/sm2.pem +index 189abb137625..daf12926aff9 100644 +--- a/test/certs/sm2.pem ++++ b/test/certs/sm2.pem +@@ -1,13 +1,14 @@ + -----BEGIN CERTIFICATE----- +-MIIB6DCCAY6gAwIBAgIJAKH2BR6ITHZeMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT +-AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl +-c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe +-Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMG8xCzAJBgNVBAYTAkNOMQsw +-CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn +-MRAwDgYDVQQLDAdUZXN0IE9VMRswGQYDVQQDDBJUZXN0IFNNMiBTaWduIENlcnQw +-WTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAQwqeNkWp7fiu1KZnuDkAucpM8piEzE +-TL1ymrcrOBvv8mhNNkeb20asbWgFQI2zOrSM99/sXGn9rM2/usM/MlcaoxowGDAJ +-BgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNIADBFAiEA9edBnAqT +-TNuGIUIvXsj6/nP+AzXA9HGtAIY4nrqW8LkCIHyZzhRTlxYtgfqkDl0OK5QQRCZH +-OZOfmtx613VyzXwc ++MIICNDCCAdugAwIBAgIUOMbsiFLCy2BCPtfHQSdG4R1+3BowCgYIKoEcz1UBg3Uw ++aDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzER ++MA8GA1UECgwIVGVzdCBPcmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rl ++c3QgU00yIENBMCAXDTIyMDYwMjE1NTU0OFoYDzIxMjIwNTA5MTU1NTQ4WjBvMQsw ++CQYDVQQGEwJDTjELMAkGA1UECAwCTE4xETAPBgNVBAcMCFNoZW55YW5nMREwDwYD ++VQQKDAhUZXN0IE9yZzEQMA4GA1UECwwHVGVzdCBPVTEbMBkGA1UEAwwSVGVzdCBT ++TTIgU2lnbiBDZXJ0MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEMKnjZFqe34rt ++SmZ7g5ALnKTPKYhMxEy9cpq3Kzgb7/JoTTZHm9tGrG1oBUCNszq0jPff7Fxp/azN ++v7rDPzJXGqNaMFgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBsAwHQYDVR0OBBYEFNPl ++u8JjXkhQPiJ5bYrrq+voqBUlMB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIpSVTlXHj/ ++Rbl0MAoGCCqBHM9VAYN1A0cAMEQCIG3gG1D7T7ltn6Gz1UksBZahgBE6jmkQ9Sp9 ++/3aY5trlAiB5adxiK0avV0LEKfbzTdff9skoZpd7vje1QTW0l0HaGg== + -----END CERTIFICATE----- +diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh +index 12e8a7305402..109b9c4abc28 100644 +--- a/test/smime-certs/mksmime-certs.sh ++++ b/test/smime-certs/mksmime-certs.sh +@@ -15,23 +15,23 @@ export OPENSSL_CONF + + # Root CA: create certificate directly + CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -noenc \ +- -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650 ++ -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501 + + # EE RSA certificates: create request first + CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -noenc \ + -keyout smrsa1.pem -out req.pem -newkey rsa:2048 + # Sign request: end entity extensions +-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ ++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem + + CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -noenc \ + -keyout smrsa2.pem -out req.pem -newkey rsa:2048 +-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ ++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem + + CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -noenc \ + -keyout smrsa3.pem -out req.pem -newkey rsa:2048 +-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ ++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem + + # Create DSA parameters +@@ -40,15 +40,15 @@ $OPENSSL dsaparam -out dsap.pem 2048 + + CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -noenc \ + -keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem +-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ ++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem + CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -noenc \ + -keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem +-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ ++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem + CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -noenc \ + -keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem +-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ ++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem + + # Create EC parameters +@@ -58,16 +58,17 @@ $OPENSSL ecparam -out ecp2.pem -name K-283 + + CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -noenc \ + -keyout smec1.pem -out req.pem -newkey ec:ecp.pem +-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ ++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem + CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -noenc \ + -keyout smec2.pem -out req.pem -newkey ec:ecp2.pem +-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ ++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem +-CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \ +- -keyout smec3.pem -out req.pem -newkey ec:ecp.pem +-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem ++# Do not renew this cert as it is used for legacy data decrypt test ++#CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \ ++# -keyout smec3.pem -out req.pem -newkey ec:ecp.pem ++#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ ++# -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem + # Create X9.42 DH parameters. + $OPENSSL genpkey -genparam -algorithm DHX -out dhp.pem + # Generate X9.42 DH key. +@@ -77,7 +78,7 @@ $OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem + CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \ + -keyout smtmp.pem -out req.pem -newkey rsa:2048 + # Sign request but force public key to DH +-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ ++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ + -force_pubkey dhpub.pem \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem + # Remove temp files. diff --git a/openssl.spec b/openssl.spec index 76c96bb..4792222 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.1 -Release: 33%{?dist} +Release: 34%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -126,6 +126,9 @@ Patch63: 0063-CVE-2022-1473.patch Patch64: 0064-CVE-2022-1343.diff # upstream commit 1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2 Patch65: 0065-CVE-2022-1292.patch +# https://github.com/openssl/openssl/pull/18444 +# https://github.com/openssl/openssl/pull/18467 +Patch66: 0066-replace-expired-certs.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -456,6 +459,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Fri Jun 03 2022 Dmitry Belyavskiy - 1:3.0.1-34 +- Some OpenSSL test certificates are expired, updating +- Resolves: rhbz#2092456 + * Thu May 26 2022 Dmitry Belyavskiy - 1:3.0.1-33 - CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory - Resolves: rhbz#2089444