[openssl] add script for renewal of a self-signed cert by Philip Prindeville (#871566)
Tomáš Mráz
tmraz at fedoraproject.org
Fri Dec 21 16:21:55 UTC 2012
commit c67ea975b97c39fa52b5d0e24b451ad1156816c5
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Fri Dec 21 17:21:50 2012 +0100
add script for renewal of a self-signed cert by Philip Prindeville (#871566)
- allow X509_issuer_and_serial_hash() produce correct result in
the FIPS mode (#881336)
openssl-1.0.1c-issuer-hash.patch | 11 ++++++++++
openssl.spec | 11 +++++++++-
renew-dummy-cert | 42 ++++++++++++++++++++++++++++++++++++++
3 files changed, 63 insertions(+), 1 deletions(-)
---
diff --git a/openssl-1.0.1c-issuer-hash.patch b/openssl-1.0.1c-issuer-hash.patch
new file mode 100644
index 0000000..f911501
--- /dev/null
+++ b/openssl-1.0.1c-issuer-hash.patch
@@ -0,0 +1,11 @@
+diff -up openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1c/crypto/x509/x509_cmp.c
+--- openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash 2011-06-22 04:18:06.000000000 +0200
++++ openssl-1.0.1c/crypto/x509/x509_cmp.c 2012-12-21 17:18:38.101308997 +0100
+@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
+ char *f;
+
+ EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
+ ret=strlen(f);
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
diff --git a/openssl.spec b/openssl.spec
index 984d1b0..78af27f 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
Name: openssl
Version: 1.0.1c
# Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 10%{?dist}
+Release: 11%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -31,6 +31,7 @@ Source: openssl-%{version}-usa.tar.xz
Source1: hobble-openssl
Source2: Makefile.certificate
Source6: make-dummy-cert
+Source7: renew-dummy-cert
Source8: openssl-thread-test.c
Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h
@@ -46,6 +47,7 @@ Patch8: openssl-1.0.1c-perlfind.patch
Patch9: openssl-1.0.1c-aliasing.patch
# Bug fixes
Patch23: openssl-1.0.1c-default-paths.patch
+Patch24: openssl-1.0.1c-issuer-hash.patch
# Functionality changes
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
@@ -151,6 +153,7 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch9 -p1 -b .aliasing
%patch23 -p1 -b .default-paths
+%patch24 -p1 -b .issuer-hash
%patch33 -p1 -b .ca-dir
%patch34 -p1 -b .x509
@@ -300,6 +303,7 @@ done
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert
+install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/renew-dummy-cert
# Make sure we actually include the headers we built against.
for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do
@@ -431,6 +435,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Fri Dec 21 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1c-11
+- add script for renewal of a self-signed cert by Philip Prindeville (#871566)
+- allow X509_issuer_and_serial_hash() produce correct result in
+ the FIPS mode (#881336)
+
* Thu Dec 6 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1c-10
- do not load default verify paths if CApath or CAfile specified (#884305)
diff --git a/renew-dummy-cert b/renew-dummy-cert
new file mode 100755
index 0000000..50f9931
--- /dev/null
+++ b/renew-dummy-cert
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]; then
+ echo $"Usage: `basename $0` filename" 1>&2
+ exit 1
+fi
+
+PEM=$1
+REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
+KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
+CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
+NEW=${PEM}_
+
+trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
+
+if [ ! -f $PEM ]; then
+ echo "$PEM: file not found" 1>&2
+ exit 1
+fi
+
+let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2)
+let SERIAL++
+
+umask 077
+
+OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
+
+openssl rsa -inform pem -in $PEM -out $KEY
+openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
+openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \
+ -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
+
+(cat $KEY ; echo "" ; cat $CRT) > $NEW
+
+chown $OWNER $NEW
+
+mv -f $NEW $PEM
+
+rm -f $REQ $KEY $CRT
+
+exit 0
+
More information about the scm-commits
mailing list