diff --git a/SOURCES/0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch b/SOURCES/0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch
new file mode 100644
index 0000000..1c5f0cb
--- /dev/null
+++ b/SOURCES/0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch
@@ -0,0 +1,29 @@
+From c4b456b2c7515fd896d2806d70f3ebc86c7a85ac Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 5 Mar 2018 10:18:38 -0500
+Subject: [PATCH] Set all bits to 1 in local CA Basic Constraint to set TRUE
+
+This was previously using the value of 1 which OpenSSL didn't
+have an issue with but NSS is stricter when it comes to DER
+encoding. Section 11.1 in X.690 requires that DER boolean set
+all bits to 1 to indicate TRUE.
+---
+ src/local.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/local.c b/src/local.c
+index 8450c9b5..48a9e360 100644
+--- a/src/local.c
++++ b/src/local.c
+@@ -85,7 +85,7 @@ set_ca_extensions(void *parent, X509_REQ *req, EVP_PKEY *key)
+ exts = sk_X509_EXTENSION_new(NULL);
+ 
+ memset(&basic, 0, sizeof(basic));
+- basic.ca = 1;
++ basic.ca = 255; // set all bits for TRUE
+ X509V3_add1_i2d(&exts, NID_basic_constraints, &basic, TRUE, 0);
+ 
+ len = i2d_PUBKEY(key, NULL);
+--
+2.13.6
+
diff --git a/SOURCES/0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch b/SOURCES/0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch
new file mode 100644
index 0000000..38e9115
--- /dev/null
+++ b/SOURCES/0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch
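Review bot: `basic.ca = 255; // set all bits for TRUE` in the inner src/local.c hunk fixes the encoding (X.690 §11.1 mandates 0xFF for a DER TRUE, and as far as I recall OpenSSL's i2d path copies the low byte of the ASN1_BOOLEAN into the content octet unchanged, which is why `1` produced a non-DER 0x01 that NSS rejects), but it does so with a bare decimal magic number. I would write it as `basic.ca = 0xff; /* DER TRUE: X.690 11.1 requires all bits set; NSS rejects 0x01 */` so the next reader sees the byte value and the reason rather than a number that looks arbitrary. The unchecked return of `X509V3_add1_i2d(...)` on the following context line is pre-existing and not touched by this change, but a regression test that DER-decodes the generated CA certificate and asserts the basicConstraints cA content octet is 0xFF would keep strict parsers from tripping on this again. set_ca_extensions continues outside the hunk.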
@@ -0,0 +1,38 @@
+From 42586b51e34519f18fadef2ad3c9c9d77fde0409 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 5 Mar 2018 15:54:10 -0400
+Subject: [PATCH] Fix conversions of bit lengths to byte lengths
+
+Fix a number of places where we weren't correctly converting from length
+in bits to length in bytes, and one in the self-tests where the newest
+version of NSS complains if the size of a signature was too large
+because it was not converted at all.
+
+Based on upstream change dd537bcc644dea163b4c8f3de08d73a60876449d
+---
+ tests/tools/checksig.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/tools/checksig.c b/tests/tools/checksig.c
+index e690911..ab8bb11 100644
+--- a/tests/tools/checksig.c
++++ b/tests/tools/checksig.c
+@@ -18,6 +18,7 @@
+ #include "../../src/config.h"
+ 
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -101,6 +102,7 @@ main(int argc, char **argv)
+ printf("error finding public key\n");
+ return 1;
+ }
++ signed_data.signature.len = howmany(signed_data.signature.len, 8);
+ if (VFY_VerifyDataWithAlgorithmID(signed_data.data.data,
+ signed_data.data.len,
+ pubkey,
+--
+1.8.3.1
+
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index 55b2f29..bb359aa 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -26,7 +26,7 @@ Name: certmonger
 Version: 0.78.4
-Release: 3%{?dist}
+Release: 3%{?dist}.1
 Summary: Certificate status monitor and PKI enrollment client
 Group: System Environment/Daemons
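Review bot: The added `signed_data.signature.len = howmany(signed_data.signature.len, 8);` rewrites the decoded SECItem in place, so any later code in main that still reads `signed_data.signature.len` (the rest of main, including the end of the VFY_VerifyDataWithAlgorithmID call, is outside the hunk) will see a byte count where the decoder left bits, and a second pass through this conversion would shrink it again. I would convert into a local instead, `SECItem sig = signed_data.signature; sig.len = howmany(sig.len, 8);`, and pass `&sig` where the signature is presumably handed to the verify call. The bits-to-bytes assumption is only valid if the decode template declares the field as a BIT STRING (NSS then reports len in bits); that template is not in the hunk, so a comment such as `/* BIT STRING: NSS reports len in bits, VFY wants bytes */` should state it. `howmany()` is a BSD macro (the header name of the added include was lost in rendering, presumably sys/param.h); `(len + 7) / 8` expresses the same rounding without the non-standard dependency.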
@@ -45,6 +45,8 @@ Patch0006: 0006-ipa-submit-Retry-without-ca-on-OptionError.patch
 Patch0007: 0007-getcert-fix-a-potential-out-of-bounds.patch
 Patch0008: 0008-Document-the-X-option-in-the-ipa-submit-man-page.patch
 Patch0009: 0009-Fix-a-flakiness-in-the-028-dbus-test.patch
+Patch0010: 0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch
+Patch0011: 0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch
 Patch1001: 1001-Remove-rekey-feature.patch
 Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch
@@ -256,6 +258,11 @@ exit 0
 %endif
 %changelog
+* Tue Mar 27 2018 Rob Crittenden - 0.78.4-3.1
+- Use required DER encoding when setting CA basic constraint (#1560961)
+- NSS 3.34 more strictly enforces length checking when verifying signatures
+ (#1560960)
+
 * Tue Sep 6 2016 Jan Cholasta - 0.78.4-3
 - Resolves: #1367683 getcert request command fails to use Sub CA using -X argument
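Review bot: The new `Patch0010:` and `Patch0011:` tags only take effect if %prep applies them; unless this spec uses `%autosetup`/`%autopatch`, matching `%patch0010 -p1` and `%patch0011 -p1` lines are needed, and %prep is outside this hunk, so please confirm a build actually carries the fix (an unapplied patch would leave the 0x01 cA boolean in shipped local-CA certificates). Separately, the 0011 patch's message speaks of fixing "a number of places" while the backported diff touches only tests/tools/checksig.c, so the changelog line about NSS 3.34 length checking may overstate what ships; a short comment next to `Patch0011:` naming which part of upstream dd537bcc is carried would make that honest for the next maintainer.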