add script for renewal of a self-signed cert by Philip Prindeville (#871566)

- allow X509_issuer_and_serial_hash() produce correct result in
  the FIPS mode (#881336)

openssl-1.0.1c-issuer-hash.patch

@@ -0,0 +1,11 @@
+diff -up openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1c/crypto/x509/x509_cmp.c
+--- openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash	2011-06-22 04:18:06.000000000 +0200
++++ openssl-1.0.1c/crypto/x509/x509_cmp.c	2012-12-21 17:18:38.101308997 +0100
+@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
+ 	char *f;
+ 
+ 	EVP_MD_CTX_init(&ctx);
++	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ 	f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
+ 	ret=strlen(f);
+ 	if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))

openssl.spec

@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
 Name: openssl
 Version: 1.0.1c
 # Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 10%{?dist}
+Release: 11%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -31,6 +31,7 @@ Source: openssl-%{version}-usa.tar.xz
 Source1: hobble-openssl
 Source2: Makefile.certificate
 Source6: make-dummy-cert
+Source7: renew-dummy-cert
 Source8: openssl-thread-test.c
 Source9: opensslconf-new.h
 Source10: opensslconf-new-warning.h
@@ -46,6 +47,7 @@ Patch8: openssl-1.0.1c-perlfind.patch
 Patch9: openssl-1.0.1c-aliasing.patch
 # Bug fixes
 Patch23: openssl-1.0.1c-default-paths.patch
+Patch24: openssl-1.0.1c-issuer-hash.patch
 # Functionality changes
 Patch33: openssl-1.0.0-beta4-ca-dir.patch
 Patch34: openssl-0.9.6-x509.patch
@@ -151,6 +153,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch9 -p1 -b .aliasing
 
 %patch23 -p1 -b .default-paths
+%patch24 -p1 -b .issuer-hash
 
 %patch33 -p1 -b .ca-dir
 %patch34 -p1 -b .x509
@@ -300,6 +303,7 @@ done
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
 install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile
 install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert
+install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/renew-dummy-cert
 
 # Make sure we actually include the headers we built against.
 for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do
@@ -431,6 +435,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Fri Dec 21 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-11
+- add script for renewal of a self-signed cert by Philip Prindeville (#871566)
+- allow X509_issuer_and_serial_hash() produce correct result in
+  the FIPS mode (#881336)
+
 * Thu Dec  6 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-10
 - do not load default verify paths if CApath or CAfile specified (#884305)
 

renew-dummy-cert

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]; then
+	echo $"Usage: `basename $0` filename" 1>&2
+	exit 1
+fi
+
+PEM=$1
+REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
+KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
+CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
+NEW=${PEM}_
+
+trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
+
+if [ ! -f $PEM ]; then
+	echo "$PEM: file not found" 1>&2
+	exit 1
+fi
+
+let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2)
+let SERIAL++
+
+umask 077
+
+OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
+
+openssl rsa -inform pem -in $PEM -out $KEY
+openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
+openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \
+	-extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
+
+(cat $KEY ; echo "" ; cat $CRT) > $NEW
+
+chown $OWNER $NEW
+
+mv -f $NEW $PEM
+
+rm -f $REQ $KEY $CRT
+
+exit 0
+