09c057
import sscg-3.0.0-5.el9
Authored and Committed by 
centosrcm
2 years ago
SOURCES/0003-Truncate-IP-address-in-SAN.patch
ADDED
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
|
|
2
|
+
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
3
|
+
Date: Tue, 8 Mar 2022 16:33:35 -0500
|
|
4
|
+
Subject: [PATCH] Truncate IP address in SAN
|
|
5
|
+
|
|
6
|
+
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
|
|
7
|
+
but in OpenSSL 3.0 it is rejected as an invalid input.
|
|
8
|
+
|
|
9
|
+
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
10
|
+
---
|
|
11
|
+
src/x509.c | 15 ++++++++++++++-
|
|
12
|
+
1 file changed, 14 insertions(+), 1 deletion(-)
|
|
13
|
+
|
|
14
|
+
diff --git a/src/x509.c b/src/x509.c
|
|
15
|
+
index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
|
|
16
|
+
--- a/src/x509.c
|
|
17
|
+
+++ b/src/x509.c
|
|
18
|
+
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
|
19
|
+
size_t i;
|
|
20
|
+
X509_NAME *subject;
|
|
21
|
+
char *alt_name = NULL;
|
|
22
|
+
char *tmp = NULL;
|
|
23
|
+
char *san = NULL;
|
|
24
|
+
+ char *slash = NULL;
|
|
25
|
+
TALLOC_CTX *tmp_ctx;
|
|
26
|
+
X509_EXTENSION *ex = NULL;
|
|
27
|
+
struct sscg_x509_req *csr;
|
|
28
|
+
|
|
29
|
+
/* Make sure we have a key available */
|
|
30
|
+
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
|
31
|
+
tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
|
|
32
|
+
}
|
|
33
|
+
else
|
|
34
|
+
{
|
|
35
|
+
san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
|
|
36
|
+
+ /* SAN IP addresses cannot include the subnet mask */
|
|
37
|
+
+ if ((slash = strchr (san, '/')))
|
|
38
|
+
+ {
|
|
39
|
+
+ /* Truncate at the slash */
|
|
40
|
+
+ *slash = '\0';
|
|
41
|
+
+ }
|
|
42
|
+
}
|
|
43
|
+
CHECK_MEM (san);
|
|
44
|
+
|
|
45
|
+
if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
|
|
46
|
+
{
|
|
47
|
+
@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
|
48
|
+
alt_name = tmp;
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
|
|
52
|
+
ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
|
|
53
|
+
- CHECK_MEM (ex);
|
|
54
|
+
+ if (!ex)
|
|
55
|
+
+ {
|
|
56
|
+
+ ret = EINVAL;
|
|
57
|
+
+ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
|
|
58
|
+
+ goto done;
|
|
59
|
+
+ }
|
|
60
|
+
+
|
|
61
|
+
sk_X509_EXTENSION_push (certinfo->extensions, ex);
|
|
62
|
+
|
|
63
|
+
/* Set the public key for the certificate */
|
|
64
|
+
sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
|
|
65
|
+
CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
|
|
66
|
+
--
|
|
67
|
+
2.35.1
|
|
68
|
+
|
SPECS/sscg.spec
CHANGED
|
@@ -9,7 +9,7 @@
|
|
|
9
9
|
|
|
10
10
|
Name: sscg
|
|
11
11
|
Version: 3.0.0
|
|
12
|
-
Release:
|
|
12
|
+
Release: 5%{?dist}
|
|
13
13
|
Summary: Simple SSL certificate generator
|
|
14
14
|
|
|
15
15
|
License: GPLv3+ with exceptions
|
|
@@ -28,6 +28,7 @@ BuildRequires: help2man
|
|
|
28
28
|
|
|
29
29
|
Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
|
|
30
30
|
Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
|
|
31
|
+
Patch0003: 0003-Truncate-IP-address-in-SAN.patch
|
|
31
32
|
|
|
32
33
|
|
|
33
34
|
%description
|
|
@@ -59,6 +60,10 @@ false signatures from the service certificate.
|
|
|
59
60
|
%{_mandir}/man8/%{name}.8*
|
|
60
61
|
|
|
61
62
|
%changelog
|
|
63
|
+
* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
|
|
64
|
+
- Handle IP addresses in subjectAlternativeName correctly
|
|
65
|
+
- Resolves: rhbz#2061923
|
|
66
|
+
|
|
62
67
|
* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
|
|
63
68
|
- Correct certificate lifetime calculation
|
|
64
69
|
- Resolves: rhbz#2017667
|