From c1434becab501a822d44849ef463ddd72b52d6e1 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 16 May 2023 06:08:55 +0000
Subject: [PATCH] import sscg-3.0.0-7.el8
---
 .gitignore | 1 +
 .sscg.metadata | 1 +
 SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch | 34 +++
 ...ect-certificate-lifetime-calculation.patch | 46 +++
 SOURCES/0003-Truncate-IP-address-in-SAN.patch | 68 +++++
 ...ail-if-default-file-can-t-be-created.patch | 139 +++++++++
 SPECS/sscg.spec | 268 ++++++++++++++++++
 7 files changed, 557 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .sscg.metadata
 create mode 100644 SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch
 create mode 100644 SOURCES/0002-Correct-certificate-lifetime-calculation.patch
 create mode 100644 SOURCES/0003-Truncate-IP-address-in-SAN.patch
 create mode 100644 SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
 create mode 100644 SPECS/sscg.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4798d97
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/sscg-3.0.0.tar.xz
diff --git a/.sscg.metadata b/.sscg.metadata
new file mode 100644
index 0000000..ba54818
--- /dev/null
+++ b/.sscg.metadata
@@ -0,0 +1 @@
+81e3b33e118edff96583314ceb4bfde9a1e6b45c SOURCES/sscg-3.0.0.tar.xz
diff --git a/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch b/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch
new file mode 100644
index 0000000..5ad7b9d
--- /dev/null
+++ b/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch
@@ -0,0 +1,34 @@
+From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Sat, 7 Aug 2021 11:48:04 -0400
+Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
+
+This macro was dropped in OpenSSL 3.0 and has actually not been
+providing a valid return code for some time.
+
+Related: rhbz#1964837
+
+Signed-off-by: Stephen Gallagher
+---
+ include/sscg.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/include/sscg.h b/include/sscg.h
+index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
+--- a/include/sscg.h
++++ b/include/sscg.h
+@@ -94,11 +94,10 @@
+ if (_sslret != 1) \
+ { \
+ /* Get information about error from OpenSSL */ \
+ unsigned long _ssl_error = ERR_get_error (); \
+ if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \
+- (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) && \
+ ((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \
+ (ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \
+ { \
+ fprintf ( \
+ stderr, \
+--
+2.33.0
+
diff --git a/SOURCES/0002-Correct-certificate-lifetime-calculation.patch b/SOURCES/0002-Correct-certificate-lifetime-calculation.patch
new file mode 100644
index 0000000..5a0b87b
--- /dev/null
+++ b/SOURCES/0002-Correct-certificate-lifetime-calculation.patch
@@ -0,0 +1,46 @@
+From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
+From: Allison Karlitskaya
+Date: Tue, 26 Oct 2021 12:32:13 +0200
+Subject: [PATCH 2/2] Correct certificate lifetime calculation
+
+sscg allows passing the certificate lifetime, as a number of days, as a
+commandline argument. It converts this value to seconds using the
+formula
+
+ days * 24 * 3650
+
+which is incorrect. The correct value is 3600.
+
+This effectively adds an extra 20 minutes to the lifetime of the
+certificate for each day as given on the commandline, and was enough to
+cause some new integration tests in cockpit to fail.
+
+Interestingly, 3650 is the old default value for the number of days of
+certificate validity (~10 years) so this probably slipped in as a sort
+of muscle-memory-assisted typo.
+
+Let's just write `24 * 60 * 60` to make things clear.
+---
+ src/x509.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
+ X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
+ }
+
+ /* set time */
+ X509_gmtime_adj (X509_get_notBefore (cert), 0);
+- X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
++ X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
+
+ /* set subject */
+ subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
+ sslret = X509_set_subject_name (cert, subject);
+ CHECK_SSL (sslret, X509_set_subject_name);
+--
+2.33.0
+
diff --git a/SOURCES/0003-Truncate-IP-address-in-SAN.patch b/SOURCES/0003-Truncate-IP-address-in-SAN.patch
new file mode 100644
index 0000000..c492f38
--- /dev/null
+++ b/SOURCES/0003-Truncate-IP-address-in-SAN.patch
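Review bot: `days * 24 * 60 * 60` on the new notAfter line is evaluated in the type of `days` before it is passed to the `long` parameter of X509_gmtime_adj; the declaration of `days` is outside the hunk, so if it is an `int` a large lifetime overflows before the widening, which is undefined behaviour rather than a long-valued result. Widening first avoids that: `X509_gmtime_adj (X509_get_notAfter (cert), (long) days * 24 * 60 * 60);`. Separately, both X509_gmtime_adj calls discard their return value, which is NULL on failure, while the neighbouring X509_set_subject_name goes through CHECK_SSL; checking the notAfter result for NULL would keep the function from signing a certificate whose validity period was never set. sscg_sign_x509_csr starts and ends outside the hunk.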
@@ -0,0 +1,68 @@
+From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Tue, 8 Mar 2022 16:33:35 -0500
+Subject: [PATCH] Truncate IP address in SAN
+
+In OpenSSL 1.1, this was done automatically when addind a SAN extension,
+but in OpenSSL 3.0 it is rejected as an invalid input.
+
+Signed-off-by: Stephen Gallagher
+---
+ src/x509.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+ size_t i;
+ X509_NAME *subject;
+ char *alt_name = NULL;
+ char *tmp = NULL;
+ char *san = NULL;
++ char *slash = NULL;
+ TALLOC_CTX *tmp_ctx;
+ X509_EXTENSION *ex = NULL;
+ struct sscg_x509_req *csr;
+
+ /* Make sure we have a key available */
+@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+ tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
+ }
+ else
+ {
+ san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
++ /* SAN IP addresses cannot include the subnet mask */
++ if ((slash = strchr (san, '/')))
++ {
++ /* Truncate at the slash */
++ *slash = '\0';
++ }
+ }
+ CHECK_MEM (san);
+
+ if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
+ {
+@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+ alt_name = tmp;
+ }
+ }
+
+ ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
+- CHECK_MEM (ex);
++ if (!ex)
++ {
++ ret = EINVAL;
++ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
++ goto done;
++ }
++
+ sk_X509_EXTENSION_push (certinfo->extensions, ex);
+
+ /* Set the public key for the certificate */
+ sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
+ CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
+--
+2.35.1
+
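Review bot: The new `strchr (san, '/')` runs before the existing `CHECK_MEM (san)` that follows the else branch, so a failed talloc_strdup now reaches strchr with a NULL pointer instead of taking the established error path; guarding it as `if (san && (slash = strchr (san, '/')))`, or adding `CHECK_MEM (san);` directly after the strdup, keeps the original failure handling. The truncation also applies to every entry that takes the else branch, while the comment only speaks of IP addresses; the branch condition is outside the hunk, but if values such as `URI:` entries can reach it, everything after their first `/` would be silently dropped, so limiting the cut to entries that start with `IP:` (or reporting what was removed) seems worth considering. sscg_x509v3_csr_new starts and ends outside the hunk.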
diff --git a/SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch b/SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
new file mode 100644
index 0000000..27deba5
--- /dev/null
+++ b/SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
@@ -0,0 +1,139 @@
+From 282f819bc39c9557ee34f73c6f6623182f680792 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Wed, 16 Nov 2022 15:27:58 -0500
+Subject: [PATCH] dhparams: don't fail if default file can't be created
+
+Resolves: rhbz#2143206
+
+Signed-off-by: Stephen Gallagher
+---
+ src/arguments.c | 1 -
+ src/io_utils.c | 12 +++++++++++
+ src/sscg.c | 55 +++++++++++++++++++++++++++++++++----------------
+ 3 files changed, 49 insertions(+), 19 deletions(-)
+
+diff --git a/src/arguments.c b/src/arguments.c
+index 7b9da14a732875b0f33a12e22a97d51a78216839..770d834aacc05d6d92cc0c855852eadb88f8c9bc 100644
+--- a/src/arguments.c
++++ b/src/arguments.c
+@@ -69,7 +69,6 @@ set_default_options (struct sscg_options *opts)
+
+ opts->lifetime = 398;
+
+- opts->dhparams_file = talloc_strdup (opts, "dhparams.pem");
+ opts->dhparams_group = talloc_strdup (opts, "ffdhe4096");
+ opts->dhparams_generator = 2;
+
+diff --git a/src/io_utils.c b/src/io_utils.c
+index 1b8bc41c3849acbe4657ae14dfe55e3010957129..5d34327bdbe450add5326ac20c337c9399b471dc 100644
+--- a/src/io_utils.c
++++ b/src/io_utils.c
+@@ -544,6 +544,18 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)
+ {
+ SSCG_LOG (SSCG_DEBUG, "Opening %s\n", stream->path);
+ stream->bio = BIO_new_file (stream->path, create_mode);
++ if (!stream->bio)
++ {
++ fprintf (stderr,
++ "Could not write to %s. Check directory permissions.\n",
++ stream->path);
++
++ /* The dhparams file is special, it will be handled later */
++ if (i != SSCG_FILE_TYPE_DHPARAMS)
++ {
++ continue;
++ }
++ }
+ CHECK_BIO (stream->bio, stream->path);
+ }
+
+diff --git a/src/sscg.c b/src/sscg.c
+index 1bf8019c2dda136abe56acd101dfe8ad0b3d725d..dcff4cd2b8dfd2e11c8612d36ecc94b175e9dc26 100644
+--- a/src/sscg.c
++++ b/src/sscg.c
+@@ -93,6 +93,7 @@ main (int argc, const char **argv)
+ int ret, sret;
+ struct sscg_options *options;
+ bool build_client_cert = false;
++ char *dhparams_file = NULL;
+
+ struct sscg_x509_cert *cacert;
+ struct sscg_evp_pkey *cakey;
+@@ -182,9 +183,19 @@ main (int argc, const char **argv)
+ options->crl_mode);
+ CHECK_OK (ret);
+
++ if (options->dhparams_file)
++ {
++ dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
++ }
++ else
++ {
++ dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
++ }
++ CHECK_MEM (dhparams_file);
++
+ ret = sscg_io_utils_add_output_file (options->streams,
+ SSCG_FILE_TYPE_DHPARAMS,
+- options->dhparams_file,
++ dhparams_file,
+ options->dhparams_mode);
+ CHECK_OK (ret);
+
+@@ -281,28 +292,36 @@ main (int argc, const char **argv)
+
+
+ /* Create DH parameters file */
+- bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS);
+- if (options->dhparams_prime_len > 0)
++ if ((bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS)))
+ {
+- ret = create_dhparams (options->verbosity,
+- options->dhparams_prime_len,
+- options->dhparams_generator,
+- &dhparams);
+- CHECK_OK (ret);
++ if (options->dhparams_prime_len > 0)
++ {
++ ret = create_dhparams (options->verbosity,
++ options->dhparams_prime_len,
++ options->dhparams_generator,
++ &dhparams);
++ CHECK_OK (ret);
++ }
++ else
++ {
++ ret = get_params_by_named_group (options->dhparams_group, &dhparams);
++ CHECK_OK (ret);
++ }
++
++ /* Export the DH parameters to the file */
++ sret = PEM_write_bio_Parameters (bp, dhparams);
++ CHECK_SSL (sret, PEM_write_bio_Parameters ());
++ ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
++ EVP_PKEY_free (dhparams);
+ }
+- else
++ else if (options->dhparams_file)
+ {
+- ret = get_params_by_named_group (options->dhparams_group, &dhparams);
+- CHECK_OK (ret);
++ /* A filename was explicitly passed, but it couldn't be created */
++ ret = EPERM;
++ fprintf (stderr, "Could not write to %s: ", options->dhparams_file);
++ goto done;
+ }
+
+- /* Export the DH parameters to the file */
+- sret = PEM_write_bio_Parameters (bp, dhparams);
+- CHECK_SSL (sret, PEM_write_bio_Parameters ());
+- ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
+- EVP_PKEY_free (dhparams);
+-
+-
+ /* Set the final file permissions */
+ sscg_io_utils_finalize_output_files (options->streams);
+
+--
+2.38.1
+
diff --git a/SPECS/sscg.spec b/SPECS/sscg.spec
new file mode 100644
index 0000000..217fade
--- /dev/null
+++ b/SPECS/sscg.spec
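Review bot: In the io_utils.c hunk the `continue` is taken when `i != SSCG_FILE_TYPE_DHPARAMS`, which skips `CHECK_BIO` precisely for the certificate and key streams and lets the dhparams stream fall through to it; that is the reverse of the comment above it and of the sscg.c hunk, which expects `GET_BIO (SSCG_FILE_TYPE_DHPARAMS)` to come back NULL for the file that could not be created. Unless CHECK_BIO tolerates a NULL bio, the condition should read `if (i == SSCG_FILE_TYPE_DHPARAMS)`, assuming `i` indexes the streams by file type as the comparison suggests. In the sscg.c hunk the explicit-filename branch prints `"Could not write to %s: "` with nothing after the colon and no newline, and reports a fixed `EPERM` whatever the reason BIO_new_file failed; `"Could not write to %s\n"` (or appending strerror of the errno saved at the failed open) would make the message complete. The enclosing functions start and end outside the hunk.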
@@ -0,0 +1,268 @@
+%global provider github
+%global provider_tld com
+%global project sgallagher
+%global repo sscg
+# https://github.com/sgallagher/sscg
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path %{provider_prefix}
+
+
+Name: sscg
+Version: 3.0.0
+Release: 7%{?dist}
+Summary: Simple SSL certificate generator
+
+License: GPLv3+ with exceptions
+URL: https://%{provider_prefix}
+Source0: https://%{provider_prefix}/releases/download/%{repo}-%{version}/%{repo}-%{version}.tar.xz
+
+BuildRequires: gcc
+BuildRequires: libtalloc-devel
+BuildRequires: openssl-devel
+BuildRequires: popt-devel
+BuildRequires: libpath_utils-devel
+BuildRequires: meson
+BuildRequires: ninja-build
+BuildRequires: help2man
+
+
+Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
+Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
+Patch0003: 0003-Truncate-IP-address-in-SAN.patch
+Patch0004: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
+
+
+%description
+A utility to aid in the creation of more secure "self-signed"
+certificates. The certificates created by this tool are generated in a
+way so as to create a CA certificate that can be safely imported into a
+client machine to trust the service certificate without needing to set
+up a full PKI environment and without exposing the machine to a risk of
+false signatures from the service certificate.
+
+%prep
+%autosetup -p1
+
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+
+%check
+%meson_test -t 10
+
+%files
+%license COPYING
+%doc README.md
+%{_bindir}/%{name}
+%{_mandir}/man8/%{name}.8*
+
+%changelog
+* Thu Dec 08 2022 Stephen Gallagher - 3.0.0-7
+- Correctly apply the patch for default dhparams
+- Resolves: rhbz#2143206
+
+* Mon Nov 28 2022 Stephen Gallagher - 3.0.0-6
+- Don't fail if default dhparams file can't be created
+- Resolves: rhbz#2143206
+
+* Thu Jul 14 2022 Stephen Gallagher - 3.0.0-5
+- Rebase to sscg 3.0.0
+- Resolves: rhbz#2107369
+- Resolves: rhbz#2091525
+
+* Thu Jun 02 2022 Stephen Gallagher - 2.3.3-15
+- Fix certificate lifetime calculation
+- Resolves: rhbz#2091525
+
+* Tue Jan 21 2020 Stephen Gallagher - 2.3.3-14
+- Properly handling reading long passphrase files.
+
+* Tue Jan 21 2020 Stephen Gallagher - 2.3.3-13
+- Fix missing error check for --*-key-passfile
+
+* Thu Jan 09 2020 Stephen Gallagher - 2.3.3-12
+- Improve validation of command-line arguments
+- Resolves: rhbz#1784441
+- Resolves: rhbz#1784443
+
+* Tue Jan 07 2020 Stephen Gallagher - 2.3.3-11
+- Further improve --client-key-file help message
+- Resolves: rhbz#1720667
+
+* Fri Dec 13 2019 Stephen Gallagher - 2.3.3-10
+- Fix incorrect help message
+- Resolves: rhbz#1720667
+
+* Fri Dec 13 2019 Stephen Gallagher - 2.3.3-9
+- Fix null-dereference and memory leak issues with client certs
+- Resolves: rhbz#1720667
+
+* Wed Dec 11 2019 Stephen Gallagher - 2.3.3-8
+- Add support for generating client authentication certificates
+- Resolves: rhbz#1720667
+
+* Fri Nov 01 2019 Stephen Gallagher - 2.3.3-7
+- Add support for password-protecting the private key files
+- Resolves: rhbz#1717880
+
+* Wed Nov 28 2018 Stephen Gallagher - 2.3.3-6
+- Fixes for issues detected by automated testing.
+- Resolves: rhbz#1653323
+
+* Wed Nov 28 2018 Stephen Gallagher - 2.3.3-5
+- Autodetect the minimum key strength from the system security level.
+- Autodetect the hash algorithm to use from the system security level.
+- Disallow setting a key strength below the system minimum.
+- Resolves: rhbz#1653323
+
+* Mon Sep 17 2018 Stephen Gallagher - 2.3.3-4
+- Add a manpage for sscg.
+
+* Thu Jul 05 2018 Stephen Gallagher - 2.3.3-3
+- Strip out bundled popt since RHEL 8 has a new-enough version.
+
+* Fri Feb 09 2018 Fedora Release Engineering - 2.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Feb 02 2018 Stephen Gallagher - 2.3.3-1
+- Update to 2.3.3
+- Do not overwrite destination files without --force
+
+* Thu Jan 25 2018 Stephen Gallagher - 2.3.2-1
+- Update to 2.3.2
+- Properly support hostnames up to 64 characters
+- Resolves: rhbz#1535537
+
+* Tue Jan 02 2018 Stephen Gallagher - 2.3.1-2
+- Skip tests on 32-bit ARM for now
+
+* Tue Jan 02 2018 Stephen Gallagher - 2.3.1-1
+- Update to 2.3.1
+- Bundle popt 1.16 on older releases like EPEL.
+
+* Mon Dec 18 2017 Stephen Gallagher - 2.3.0-1
+- Update to 2.3.0
+- Switch to meson build system
+- Add support for non-DNS subjectAlternativeName values (issue #4)
+
+* Thu Sep 21 2017 Stephen Gallagher - 2.2.0-1
+- Reorder combined PEM file
+- Resolves: RHBZ#1494208
+
+* Wed Sep 20 2017 Stephen Gallagher - 2.1.0-1
+- Add --email argument for setting emailAddress in the issuer
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.0.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 2.0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Apr 03 2017 Stephen Gallagher - 2.0.4-2
+- Bump release to perform taskotron tests
+
+* Tue Mar 21 2017 Stephen Gallagher - 2.0.4-1
+- Update to 2.0.4
+- Addresses a potential race-condition when the key and certificate share the
+ same file.
+
+* Wed Mar 08 2017 Stephen Gallagher - 2.0.3-1
+- Update to 2.0.3
+- Adds support for setting the file mode on the output certificates
+ and keys.
+
+* Fri Mar 03 2017 Stephen Gallagher - 2.0.2-1
+- Update to 2.0.2
+- Always run with umask(077)
+
+* Fri Mar 03 2017 Stephen Gallagher - 2.0.1-1
+- Update to 2.0.1
+- Fix an issue with passing certificate lifetime explicitly
+
+* Thu Feb 16 2017 Stephen Gallagher - 2.0.0-1
+- Update to 2.0.0
+
+* Thu Feb 16 2017 Stephen Gallagher - 1.1.0-6
+- Exclude PPC64 from the build since it doesn't support linking to OpenSSL
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1.1.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Nov 23 2016 Stephen Gallagher - 1.1.0-4
+- Use compat-openssl10-devel on F26+
+
+* Thu Jul 21 2016 Fedora Release Engineering - 1.1.0-3
+- https://fedoraproject.org/wiki/Changes/golang1.7
+
+* Tue May 31 2016 Stephen Gallagher - 1.1.0-2
+- Debundle spacelog
+
+* Wed May 25 2016 Stephen Gallagher - 1.1.0-1
+- Update to 1.1.0
+- Add support for signing service keys with an existing CA
+
+* Wed May 25 2016 Stephen Gallagher - 1.0.4-1
+- Add support for exporting the CA private key
+- Fix incorrect output from -version
+- Add README.md
+
+* Tue May 24 2016 Stephen Gallagher - 1.0.3-1
+- Only sign certificates after all extensions have been added
+
+* Mon May 23 2016 Stephen Gallagher - 1.0.2-1
+- Generate x509v3 certificates
+
+* Mon May 23 2016 Stephen Gallagher - 1.0.1-1
+- Fix issue with temporary file creation
+
+* Mon May 23 2016 Stephen Gallagher - 1.0.0-1
+- New upstream release 1.0.0
+- Rewritten in Go
+- Runtime depends only on OpenSSL, no more Python
+- Support for writing certificate and key in a single file
+
+* Wed May 18 2016 Stephen Gallagher - 0.4.1-4
+- Add requirement on python-setuptools
+
+* Fri Feb 05 2016 Fedora Release Engineering - 0.4.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering - 0.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Fri Jun 19 2015 Fedora Release Engineering - 0.4.1-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Mar 30 2015 Stephen Gallagher 0.4.1-1
+- Change default CA location to match service certificate
+- Improve error handling
+
+* Tue Mar 24 2015 Stephen Gallagher 0.4.0-1
+- Spec file cleanups
+- PEP8 Cleanups
+- Make location arguments optional
+
+* Mon Mar 23 2015 Stephen Gallagher 0.3.0-1
+- Rename to sscg
+- Only build with default python interpreter
+
+* Tue Mar 17 2015 Stephen Gallagher 0.2.1-1
+- Include the LICENSE file in the tarball
+
+* Tue Mar 17 2015 Stephen Gallagher 0.2-2
+- Include the license in the build RPMs
+
+* Tue Mar 17 2015 Stephen Gallagher 0.2-1
+- Add support for namedConstraints
+- Add support for subjectAltNames
+- Fix packaging issues from Fedora package review
+
+* Mon Mar 16 2015 Stephen Gallagher 0.1-2
+- Update BuildRequires
+
+* Mon Mar 16 2015 Stephen Gallagher 0.1-1
+- First packaging