import sscg-3.0.5-10.el10

58a7188d · Rocky Automation · 31ec5f48 · 58a7188d · 58a7188d · 58a7188d
Commit 58a7188d authored 1 week ago by Rocky Automation
--- a/SOURCES/0001-Extend-maximum-DNS-name-to-255.patch
+++ b/SOURCES/0001-Extend-maximum-DNS-name-to-255.patch
-From 750dee2eded3b1c16e0434fa387d35a869545d9e Mon Sep 17 00:00:00 2001
+From d3a4452d7cc78589fb6077e98b228e09e9e76e3f Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Wed, 15 Feb 2023 15:49:38 -0500
-Subject: [PATCH 1/2] Extend maximum DNS name to 255
+Subject: [PATCH 1/3] Extend maximum DNS name to 255

 The hostname part is still restricted to 63 characters

@@ -201,5 +201,5 @@ index 4f3f11cd3411f00cf6de3a72ba897adc97944e35..9f6f21b49c2dd70629fed67d32702737
               goto done;
             }
 -- 
-2.41.0
+2.49.0

--- a/SOURCES/0002-Update-README.md-with-latest-usage-information.patch
+++ b/SOURCES/0002-Update-README.md-with-latest-usage-information.patch
+From 14df7d212d020f247587e2d850ec27dbd16add38 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Fri, 1 Sep 2023 08:19:01 -0400
+Subject: [PATCH 2/3] Update README.md with latest usage information
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ README.md | 55 +++++++++++++++++++++++++------------------------------
+ 1 file changed, 25 insertions(+), 30 deletions(-)
+
+diff --git a/README.md b/README.md
+index d15c3d955d03026e8a68c04870a5f97a20eb03d9..4d57138895443f228212a6c77209350432eecbd7 100644
+--- a/README.md
+++ b/README.md
+@@ -26,8 +26,8 @@ Usage of sscg:
+ Usage: sscg [OPTION...]
+   -q, --quiet                                           Display no output unless there is an error.
+   -v, --verbose                                         Display progress messages.
+-  -d, --debug                                           Enable logging of debug messages. Implies verbose. Warning! This will print
+-                                                        private key information to the screen!
+  -d, --debug                                           Enable logging of debug messages. Implies verbose. Warning! This will print private key information to the
+                                                        screen!
+   -V, --version                                         Display the version number and exit.
+   -f, --force                                           Overwrite any pre-existing files in the requested locations
+       --lifetime=1-3650                                 Certificate lifetime (days). (default: 398)
+@@ -37,57 +37,52 @@ Usage: sscg [OPTION...]
+       --organization=My Company                         Certificate DN: Organization (O). (default: "Unspecified")
+       --organizational-unit=Engineering, etc.           Certificate DN: Organizational Unit (OU).
+       --email=myname@example.com                        Certificate DN: Email Address (Email).
+-      --hostname=server.example.com                     The valid hostname of the certificate. Must be an FQDN. (default: current system
+-                                                        FQDN)
+-      --subject-alt-name alt.example.com                Optional additional valid hostnames for the certificate. In addition to hostnames,
+-                                                        this option also accepts explicit values supported by RFC 5280 such as
+-                                                        IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy May be specified multiple times.
+      --hostname=server.example.com                     The valid hostname of the certificate. Must be an FQDN. (default: current system FQDN)
+      --subject-alt-name alt.example.com                Optional additional valid hostnames for the certificate. In addition to hostnames, this option also accepts
+                                                        explicit values supported by RFC 5280 such as IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy May be specified multiple
+                                                        times.
+       --package=STRING                                  Unused. Retained for compatibility with earlier versions of sscg.
+       --key-strength=2048 or larger                     Strength of the certificate private keys in bits. (default: 2048)
+       --hash-alg={sha256,sha384,sha512}                 Hashing algorithm to use for signing. (default: "sha256")
+       --cipher-alg={des-ede3-cbc,aes-256-cbc}           Cipher to use for encrypting key files. (default: "aes-256-cbc")
+       --ca-file=STRING                                  Path where the public CA certificate will be stored. (default: "./ca.crt")
+       --ca-mode=0644                                    File mode of the created CA certificate.
+-      --ca-key-file=STRING                              Path where the CA's private key will be stored. If unspecified, the key will be
+-                                                        destroyed rather than written to the disk.
+      --ca-key-file=STRING                              Path where the CA's private key will be stored. If unspecified, the key will be destroyed rather than written
+                                                        to the disk.
+       --ca-key-mode=0600                                File mode of the created CA key.
+-      --ca-key-password=STRING                          Provide a password for the CA key file. Note that this will be visible in the
+-                                                        process table for all users, so it should be used for testing purposes only. Use
+-                                                        --ca-keypassfile or --ca-key-password-prompt for secure password entry.
+      --ca-key-password=STRING                          Provide a password for the CA key file. Note that this will be visible in the process table for all users, so
+                                                        it should be used for testing purposes only. Use --ca-keypassfile or --ca-key-password-prompt for secure
+                                                        password entry.
+       --ca-key-passfile=STRING                          A file containing the password to encrypt the CA key file.
+   -C, --ca-key-password-prompt                          Prompt to enter a password for the CA key file.
+-      --crl-file=STRING                                 Path where an (empty) Certificate Revocation List file will be created, for
+-                                                        applications that expect such a file to exist. If unspecified, no such file will
+-                                                        be created.
+      --crl-file=STRING                                 Path where an (empty) Certificate Revocation List file will be created, for applications that expect such a
+                                                        file to exist. If unspecified, no such file will be created.
+       --crl-mode=0644                                   File mode of the created Certificate Revocation List.
+       --cert-file=STRING                                Path where the public service certificate will be stored. (default "./service.pem")
+       --cert-mode=0644                                  File mode of the created certificate.
+       --cert-key-file=STRING                            Path where the service's private key will be stored. (default "service-key.pem")
+       --cert-key-mode=0600                              File mode of the created certificate key.
+-  -p, --cert-key-password=STRING                        Provide a password for the service key file. Note that this will be visible in the
+-                                                        process table for all users, so this flag should be used for testing purposes
+-                                                        only. Use --cert-keypassfile or --cert-key-password-prompt for secure password
+-                                                        entry.
+  -p, --cert-key-password=STRING                        Provide a password for the service key file. Note that this will be visible in the process table for all users,
+                                                        so this flag should be used for testing purposes only. Use --cert-keypassfile or --cert-key-password-prompt for
+                                                        secure password entry.
+       --cert-key-passfile=STRING                        A file containing the password to encrypt the service key file.
+   -P, --cert-key-password-prompt                        Prompt to enter a password for the service key file.
+       --client-file=STRING                              Path where a client authentication certificate will be stored.
+       --client-mode=0644                                File mode of the created certificate.
+       --client-key-file=STRING                          Path where the client's private key will be stored. (default is the client-file)
+       --client-key-mode=0600                            File mode of the created certificate key.
+-      --client-key-password=STRING                      Provide a password for the client key file. Note that this will be visible in the
+-                                                        process table for all users, so this flag should be used for testing purposes
+-                                                        only. Use --client-keypassfile or --client-key-password-prompt for secure password
+-                                                        entry.
+      --client-key-password=STRING                      Provide a password for the client key file. Note that this will be visible in the process table for all users,
+                                                        so this flag should be used for testing purposes only. Use --client-keypassfile or --client-key-password-prompt
+                                                        for secure password entry.
+       --client-key-passfile=STRING                      A file containing the password to encrypt the client key file.
+       --client-key-password-prompt                      Prompt to enter a password for the client key file.
+       --dhparams-file=STRING                            A file to contain a set of Diffie-Hellman parameters. (Default: "./dhparams.pem")
+-      --dhparams-named-group=STRING                     Output well-known DH parameters. The available named groups are: ffdhe2048,
+-                                                        ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp_2048, modp_3072, modp_4096,
+-                                                        modp_6144, modp_8192, modp_1536, dh_1024_160, dh_2048_224, dh_2048_256. (Default:
+-                                                        "ffdhe4096")
+-      --dhparams-prime-len=INT                          The length of the prime number to generate for dhparams, in bits. If set to
+-                                                        non-zero, the parameters will be generated rather than using a well-known group.
+-                                                        (default: 0)
+      --no-dhparams-file                                Do not create the dhparams file
+      --dhparams-named-group=STRING                     Output well-known DH parameters. The available named groups are: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144,
+                                                        ffdhe8192, modp_2048, modp_3072, modp_4096, modp_6144, modp_8192, modp_1536, dh_1024_160, dh_2048_224,
+                                                        dh_2048_256. (Default: "ffdhe4096")
+      --dhparams-prime-len=INT                          The length of the prime number to generate for dhparams, in bits. If set to non-zero, the parameters will be
+                                                        generated rather than using a well-known group. (default: 0)
+       --dhparams-generator={2,3,5}                      The generator value for dhparams. (default: 2)
+ 
+ Help options:
+-- 
+2.49.0
+
--- a/SOURCES/0003-x509-Use-proper-version-for-CSR.patch
+++ b/SOURCES/0003-x509-Use-proper-version-for-CSR.patch
+From 70b0a4742a67616a5223a0cdc2067effccf081e9 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Sat, 19 Oct 2024 15:43:20 +0200
+Subject: [PATCH 3/3] x509: Use proper version for CSR.
+
+RFC 2986 only defines a single version for CSRs: X509_VERSION_1 (0).
+OpenSSL starting with 3.4 rejects everything else.
+
+Use X509_VERSION_1 as version for X509_REQ_set_version.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ src/x509.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index 9f6f21b49c2dd70629fed67d327027374eb21b15..503b7b1b51ed45909104d1b5e593129ee9e8dee2 100644
+--- a/src/x509.c
+++ b/src/x509.c
+@@ -169,7 +169,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+   talloc_set_destructor ((TALLOC_CTX *)csr, _sscg_csr_destructor);
+ 
+   /* We will generate only x509v3 certificates */
+-  sslret = X509_REQ_set_version (csr->x509_req, 2);
+  sslret = X509_REQ_set_version (csr->x509_req, X509_VERSION_1);
+   CHECK_SSL (sslret, X509_REQ_set_version);
+ 
+   subject = X509_REQ_get_subject_name (csr->x509_req);
+-- 
+2.49.0
+
--- a/SPECS/sscg.spec
+++ b/SPECS/sscg.spec
 ## START: Set by rpmautospec
-## (rpmautospec version 0.7.2)
+## (rpmautospec version 0.7.3)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 9;
+    release_number = 10;
    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
    print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -28,7 +28,12 @@ URL:            https://%{provider_prefix}
 Source0:        sscg-3.0.5.tar.gz
 # Extend maximum DNS name to 255
 # Author: Stephen Gallagher <sgallagh@redhat.com>
-Patch1:         0001-Extend-maximum-DNS-name-to-255.patch
+Patch:          0001-Extend-maximum-DNS-name-to-255.patch
+# Update the README documentation
+Patch:          0002-Update-README.md-with-latest-usage-information.patch
+# Set Certificate Signing Request version to 1 instead of 3(which doesn't exist)
+Patch:          0003-x509-Use-proper-version-for-CSR.patch
+
 BuildRequires:  gcc
 BuildRequires:  libtalloc-devel
 BuildRequires:  openssl
@@ -70,6 +75,9 @@ false signatures from the service certificate.

 %changelog
 ## START: Generated by rpmautospec
+* Thu Apr 03 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.5-10
+- x509: Use proper version for CSR
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.0.5-9
 - Bump release for October 2024 mass rebuild: