Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
S
sscg
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Iterations
Wiki
Requirements
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Test cases
Artifacts
Deploy
Releases
Package Registry
Container Registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Issue analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
staging
rpms
sscg
Commits
60f053bc
Commit
60f053bc
authored
1 year ago
by
Rocky Automation
Browse files
Options
Downloads
Patches
Plain Diff
import sscg-3.0.5-1.el10
parents
No related branches found
Branches containing commit
Tags
imports/r10s/sscg-3.0.5-1.el10
Tags containing commit
No related merge requests found
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
.sscg.checksum
+1
-0
1 addition, 0 deletions
.sscg.checksum
.sscg.metadata
+1
-0
1 addition, 0 deletions
.sscg.metadata
SOURCES/0001-Extend-maximum-DNS-name-to-255.patch
+205
-0
205 additions, 0 deletions
SOURCES/0001-Extend-maximum-DNS-name-to-255.patch
SPECS/sscg.spec
+62
-0
62 additions, 0 deletions
SPECS/sscg.spec
with
269 additions
and
0 deletions
.sscg.checksum
0 → 100644
+
1
−
0
View file @
60f053bc
Direct Git Import
This diff is collapsed.
Click to expand it.
.sscg.metadata
0 → 100644
+
1
−
0
View file @
60f053bc
19a7a10acbc99c629206253363cea899bd975e6e28d1f26200b6596aa8f0b055 SOURCES/sscg-3.0.5.tar.gz
This diff is collapsed.
Click to expand it.
SOURCES/0001-Extend-maximum-DNS-name-to-255.patch
0 → 100644
+
205
−
0
View file @
60f053bc
From 750dee2eded3b1c16e0434fa387d35a869545d9e Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 15 Feb 2023 15:49:38 -0500
Subject: [PATCH 1/2] Extend maximum DNS name to 255
The hostname part is still restricted to 63 characters
See RFC 1035, section 2.3.4
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
include/sscg.h | 3 +++
src/arguments.c | 35 +++++++++++++++++++++++++++--------
src/authority.c | 26 +++++++++++++++++++++++---
src/cert.c | 5 +++++
src/x509.c | 6 +++---
5 files changed, 61 insertions(+), 14 deletions(-)
diff --git a/include/sscg.h b/include/sscg.h
index 0f35631018dc2745e986cd1e7e094e3e37be8e54..f0c6d93b871e4bd3f2c805be8dfa7485ec34746a 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -313,6 +313,9 @@
enum sscg_cert_type
#define SSCG_MIN_KEY_PASS_LEN 4
#define SSCG_MAX_KEY_PASS_LEN 1023
+/* RFC 1035, section 2.3.4 (Size Limits) */
+#define MAX_HOST_LEN 63
+#define MAX_FQDN_LEN 255
int
sscg_handle_arguments (TALLOC_CTX *mem_ctx,
diff --git a/src/arguments.c b/src/arguments.c
index 0b7a060d31bed97130c7cb9b7feacf0876e25c0d..2f412bee1bee9620f28b6e84aed4aef17aee3a6a 100644
--- a/src/arguments.c
+++ b/src/arguments.c
@@ -786,10 +786,19 @@
sscg_handle_arguments (TALLOC_CTX *mem_ctx,
}
CHECK_MEM (options->hostname);
- if (strnlen (options->hostname, MAXHOSTNAMELEN + 1) > MAXHOSTNAMELEN)
+ if (strnlen (options->hostname, MAX_FQDN_LEN + 1) > MAX_FQDN_LEN)
{
- fprintf (
- stderr, "Hostnames may not exceed %d characters\n", MAXHOSTNAMELEN);
+ fprintf (stderr, "FQDNs may not exceed %d characters\n", MAX_FQDN_LEN);
+ ret = EINVAL;
+ goto done;
+ }
+
+ if ((strchr (options->hostname, '.') - options->hostname) > MAX_HOST_LEN + 4)
+ {
+ fprintf (stderr,
+ "Hostnames may not exceed %d characters in Subject "
+ "Alternative Names\n",
+ MAX_HOST_LEN);
ret = EINVAL;
goto done;
}
@@ -798,25 +807,35 @@
sscg_handle_arguments (TALLOC_CTX *mem_ctx,
options struct. It's not the most efficient approach, but
it's only done one time, so there is no sense in optimizing
it. */
+ size_t i = 0;
if (alternative_names)
{
- size_t i = 0;
while (alternative_names[i] != NULL)
{
options->subject_alt_names = talloc_realloc (
- options, options->subject_alt_names, char *, i + 2);
+ options, options->subject_alt_names, char *, i + 1);
CHECK_MEM (options->subject_alt_names);
options->subject_alt_names[i] =
talloc_strdup (options->subject_alt_names, alternative_names[i]);
CHECK_MEM (options->subject_alt_names[i]);
-
- /* Add a NULL terminator to the end */
- options->subject_alt_names[i + 1] = NULL;
i++;
}
}
+ /*
+ The hostname must always be listed in SubjectAlternativeNames as well.
+ Note that the realloc also adds an extra entry for the NULL terminator
+ */
+ options->subject_alt_names =
+ talloc_realloc (options, options->subject_alt_names, char *, i + 2);
+ CHECK_MEM (options->subject_alt_names);
+ options->subject_alt_names[i] =
+ talloc_strdup (options->subject_alt_names, options->hostname);
+ CHECK_MEM (options->subject_alt_names[i]);
+ /* Add a NULL terminator to the end */
+ options->subject_alt_names[i + 1] = NULL;
+
if (options->key_strength < options->minimum_key_strength)
{
fprintf (stderr,
diff --git a/src/authority.c b/src/authority.c
index 4efaa9e730964b9762b59d0e6698c1623901ccfe..f509fd4316c3b7b230f99de6464491c319fc5d45 100644
--- a/src/authority.c
+++ b/src/authority.c
@@ -56,6 +56,7 @@
create_private_CA (TALLOC_CTX *mem_ctx,
char *name_constraint;
char *san;
char *tmp;
+ char *dot;
tmp_ctx = talloc_new (NULL);
CHECK_MEM (tmp_ctx);
@@ -89,6 +90,26 @@
create_private_CA (TALLOC_CTX *mem_ctx,
ca_certinfo->cn = talloc_strdup (ca_certinfo, options->hostname);
CHECK_MEM (ca_certinfo->cn);
+ /* Truncate the CN at the first dot */
+ if ((dot = strchr (ca_certinfo->cn, '.')))
+ *dot = '\0';
+
+ if (options->subject_alt_names)
+ {
+ for (i = 0; options->subject_alt_names[i]; i++)
+ {
+ ca_certinfo->subject_alt_names = talloc_realloc (
+ ca_certinfo, ca_certinfo->subject_alt_names, char *, i + 2);
+ CHECK_MEM (ca_certinfo->subject_alt_names);
+
+ ca_certinfo->subject_alt_names[i] = talloc_strdup (
+ ca_certinfo->subject_alt_names, options->subject_alt_names[i]);
+ CHECK_MEM (ca_certinfo->subject_alt_names[i]);
+
+ /* Add a NULL terminator to the end */
+ ca_certinfo->subject_alt_names[i + 1] = NULL;
+ }
+ }
/* Make this a CA certificate */
@@ -106,10 +127,9 @@
create_private_CA (TALLOC_CTX *mem_ctx,
CHECK_MEM (ex);
sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
- /* Restrict signing to the hostname and subjectAltNames of the
- service certificate */
+ /* Restrict signing to the CN and subjectAltNames of the service certificate */
name_constraint =
- talloc_asprintf (tmp_ctx, "permitted;DNS:%s", options->hostname);
+ talloc_asprintf (tmp_ctx, "permitted;DNS:%s", ca_certinfo->cn);
CHECK_MEM (name_constraint);
if (options->subject_alt_names)
diff --git a/src/cert.c b/src/cert.c
index 99d9109f5981ef408aeb7d05a8327e1a38d5700a..e36de71e7ca9b34f87734542d5646b466cd61d4c 100644
--- a/src/cert.c
+++ b/src/cert.c
@@ -31,6 +31,7 @@
*/
+#include <string.h>
#include "include/sscg.h"
#include "include/cert.h"
#include "include/x509.h"
@@ -52,6 +53,7 @@
create_cert (TALLOC_CTX *mem_ctx,
struct sscg_x509_req *csr;
struct sscg_evp_pkey *pkey;
struct sscg_x509_cert *cert;
+ char *dot;
X509_EXTENSION *ex = NULL;
EXTENDED_KEY_USAGE *extended;
TALLOC_CTX *tmp_ctx = NULL;
@@ -87,6 +89,9 @@
create_cert (TALLOC_CTX *mem_ctx,
certinfo->cn = talloc_strdup (certinfo, options->hostname);
CHECK_MEM (certinfo->cn);
+ /* Truncate the CN at the first dot */
+ if ((dot = strchr (certinfo->cn, '.')))
+ *dot = '\0';
if (options->subject_alt_names)
{
diff --git a/src/x509.c b/src/x509.c
index 4f3f11cd3411f00cf6de3a72ba897adc97944e35..9f6f21b49c2dd70629fed67d327027374eb21b15 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -290,12 +290,12 @@
sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
}
CHECK_MEM (san);
- if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
+ if (strnlen (san, MAX_FQDN_LEN + 5) > MAX_FQDN_LEN + 4)
{
fprintf (stderr,
- "Hostnames may not exceed %d characters in Subject "
+ "FQDNs may not exceed %d characters in Subject "
"Alternative Names\n",
- MAXHOSTNAMELEN);
+ MAX_FQDN_LEN);
ret = EINVAL;
goto done;
}
--
2.41.0
This diff is collapsed.
Click to expand it.
SPECS/sscg.spec
0 → 100644
+
62
−
0
View file @
60f053bc
%global provider github
%global provider_tld com
%global project sgallagher
%global repo sscg
# https://github.com/sgallagher/sscg
%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
%global import_path %{provider_prefix}
%{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs}
Name: sscg
Version: 3.0.5
Release: %autorelease
Summary: Simple SSL certificate generator
License: GPL-3.0-or-later WITH cryptsetup-OpenSSL-exception
URL: https://%{provider_prefix}
Source0: sscg-3.0.5.tar.gz
# Extend maximum DNS name to 255
# Author: Stephen Gallagher <sgallagh@redhat.com>
Patch1: 0001-Extend-maximum-DNS-name-to-255.patch
BuildRequires: gcc
BuildRequires: libtalloc-devel
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: popt-devel
BuildRequires: libpath_utils-devel
BuildRequires: meson
BuildRequires: ninja-build
BuildRequires: help2man
%description
A utility to aid in the creation of more secure "self-signed"
certificates. The certificates created by this tool are generated in a
way so as to create a CA certificate that can be safely imported into a
client machine to trust the service certificate without needing to set
up a full PKI environment and without exposing the machine to a risk of
false signatures from the service certificate.
%prep
%autosetup -p1 -n sscg-3.0.5
%build
%meson
%meson_build
%install
%meson_install
%check
%meson_test -t 10
%files
%license COPYING
%doc README.md
%{_bindir}/%{name}
%{_mandir}/man8/%{name}.8*
%changelog
%autochangelog
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
