From 712320d348952898525cb6148ba7f6fd1383a61d Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 14 May 2015 11:40:57 +0200
Subject: [PATCH] allow changing the digest used when exporting CRL and use SHA1 by default
---
pyOpenSSL-0.14-crl-digest.patch | 47 +++++++++++++++++++++++++++++++++
pyOpenSSL.spec | 9 ++++++-
2 files changed, 55 insertions(+), 1 deletion(-)
create mode 100644 pyOpenSSL-0.14-crl-digest.patch
diff --git a/pyOpenSSL-0.14-crl-digest.patch b/pyOpenSSL-0.14-crl-digest.patch
new file mode 100644
index 0000000..7b3f59b
--- /dev/null
+++ b/pyOpenSSL-0.14-crl-digest.patch
@@ -0,0 +1,47 @@
+commit 2923dc0f475e0d1a7893c7ca264c95c75f8ba9dd
+Author: Bulat Gaifullin
+Date: Sun Sep 21 22:36:48 2014 +0400
+
+ added parameter digest to select digest algorithm for CRL
+
+diff --git a/OpenSSL/crypto.py b/OpenSSL/crypto.py
+index 313a30a..efa1d91 100644
+--- a/OpenSSL/crypto.py
++++ b/OpenSSL/crypto.py
+@@ -1707,7 +1707,7 @@ class CRL(object):
+ _raise_current_error()
+
+
+- def export(self, cert, key, type=FILETYPE_PEM, days=100):
++ def export(self, cert, key, type=FILETYPE_PEM, days=100, digest="sha1"):
+ """
+ export a CRL as a string
+
+@@ -1721,6 +1721,7 @@ class CRL(object):
+
+ :param days: The number of days until the next update of this CRL.
+ :type days: :py:data:`int`
++ :param digest: The message digest to use
+
+ :return: :py:data:`str`
+ """
+@@ -1731,6 +1732,10 @@ class CRL(object):
+ if not isinstance(type, int):
+ raise TypeError("type must be an integer")
+
++ digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
++ if digest_obj == _ffi.NULL:
++ raise ValueError("No such digest method")
++
+ bio = _lib.BIO_new(_lib.BIO_s_mem())
+ if bio == _ffi.NULL:
+ # TODO: This is untested.
+@@ -1750,7 +1755,7 @@ class CRL(object):
+
+ _lib.X509_CRL_set_issuer_name(self._crl, _lib.X509_get_subject_name(cert._x509))
+
+- sign_result = _lib.X509_CRL_sign(self._crl, key._pkey, _lib.EVP_md5())
++ sign_result = _lib.X509_CRL_sign(self._crl, key._pkey, digest_obj)
+ if not sign_result:
+ _raise_current_error()
+
diff --git a/pyOpenSSL.spec b/pyOpenSSL.spec
index e0297bc..4c1eeb2 100644
--- a/pyOpenSSL.spec
+++ b/pyOpenSSL.spec
@@ -5,8 +5,10 @@ Summary: Python wrapper module around the OpenSSL library Name: pyOpenSSL Version: 0.14 -Release: 3%{?dist} +Release: 4%{?dist} Source0: http://pypi.python.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz +# The patch is included upstream except we use sha1 by default instead of md5 +Patch1: pyOpenSSL-0.14-crl-digest.patch BuildArch: noarch License: ASL 2.0
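Review bot: In the embedded OpenSSL/crypto.py patch, `export()` now defaults to `digest="sha1"`, so any caller that does not pass a digest still gets a CRL signed with a hash whose collision resistance is no longer considered adequate for signatures; this is better than the hard-coded MD5 it replaces, but the default is where most callers will stay. Unless a consumer of these CRLs is known to need SHA-1, I would default to a SHA-2 digest, `def export(self, cert, key, type=FILETYPE_PEM, days=100, digest="sha256"):`, and adjust the comment above `Patch1:` in the spec to match. The new docstring entry should also say that the value is an OpenSSL digest name given as a string and what the default is, followed by a matching `:type digest:` line like the other parameters have. The body of `export()` is only partly visible in these hunks, so whether other call sites rely on the old MD5 behaviour cannot be judged from here.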
@@ -54,6 +56,8 @@ Documentation for pyOpenSSL %prep %setup -q -n pyOpenSSL-%{version} +%patch1 -p1 -b .digest + %build %if 0%{?with_python3} rm -rf %{py3dir} @@ -96,6 +100,9 @@ popd %doc examples doc/_build/html %changelog +* Thu May 14 2015 Tomáš Mráz - 0.14-4 +- allow changing the digest used when exporting CRL and use SHA1 by default + * Fri Jan 30 2015 Miro Hrončok - 0.14-3 - Fix bogus requires (python3-cryptography should belong to python3-pyOpenSSL)