add script for renewal of a self-signed cert by Philip Prindeville (#871566)

- allow X509_issuer_and_serial_hash() produce correct result in
  the FIPS mode (#881336)
This commit is contained in:
Tomas Mraz 2012-12-21 17:21:50 +01:00
parent 07ac3d216e
commit c67ea975b9
3 changed files with 63 additions and 1 deletions

View File

@ -0,0 +1,11 @@
diff -up openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1c/crypto/x509/x509_cmp.c
--- openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash 2011-06-22 04:18:06.000000000 +0200
+++ openssl-1.0.1c/crypto/x509/x509_cmp.c 2012-12-21 17:18:38.101308997 +0100
@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
char *f;
EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
ret=strlen(f);
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))

View File

@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
Name: openssl Name: openssl
Version: 1.0.1c Version: 1.0.1c
# Do not forget to bump SHLIB_VERSION on version upgrades # Do not forget to bump SHLIB_VERSION on version upgrades
Release: 10%{?dist} Release: 11%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -31,6 +31,7 @@ Source: openssl-%{version}-usa.tar.xz
Source1: hobble-openssl Source1: hobble-openssl
Source2: Makefile.certificate Source2: Makefile.certificate
Source6: make-dummy-cert Source6: make-dummy-cert
Source7: renew-dummy-cert
Source8: openssl-thread-test.c Source8: openssl-thread-test.c
Source9: opensslconf-new.h Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h Source10: opensslconf-new-warning.h
@ -46,6 +47,7 @@ Patch8: openssl-1.0.1c-perlfind.patch
Patch9: openssl-1.0.1c-aliasing.patch Patch9: openssl-1.0.1c-aliasing.patch
# Bug fixes # Bug fixes
Patch23: openssl-1.0.1c-default-paths.patch Patch23: openssl-1.0.1c-default-paths.patch
Patch24: openssl-1.0.1c-issuer-hash.patch
# Functionality changes # Functionality changes
Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch Patch34: openssl-0.9.6-x509.patch
@ -151,6 +153,7 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch9 -p1 -b .aliasing %patch9 -p1 -b .aliasing
%patch23 -p1 -b .default-paths %patch23 -p1 -b .default-paths
%patch24 -p1 -b .issuer-hash
%patch33 -p1 -b .ca-dir %patch33 -p1 -b .ca-dir
%patch34 -p1 -b .x509 %patch34 -p1 -b .x509
@ -300,6 +303,7 @@ done
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/renew-dummy-cert
# Make sure we actually include the headers we built against. # Make sure we actually include the headers we built against.
for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do
@ -431,6 +435,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Fri Dec 21 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-11
- add script for renewal of a self-signed cert by Philip Prindeville (#871566)
- allow X509_issuer_and_serial_hash() produce correct result in
the FIPS mode (#881336)
* Thu Dec 6 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-10 * Thu Dec 6 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-10
- do not load default verify paths if CApath or CAfile specified (#884305) - do not load default verify paths if CApath or CAfile specified (#884305)

42
renew-dummy-cert Executable file
View File

@ -0,0 +1,42 @@
#!/bin/bash
if [ $# -eq 0 ]; then
echo $"Usage: `basename $0` filename" 1>&2
exit 1
fi
PEM=$1
REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
NEW=${PEM}_
trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
if [ ! -f $PEM ]; then
echo "$PEM: file not found" 1>&2
exit 1
fi
let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2)
let SERIAL++
umask 077
OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
openssl rsa -inform pem -in $PEM -out $KEY
openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \
-extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
(cat $KEY ; echo "" ; cat $CRT) > $NEW
chown $OWNER $NEW
mv -f $NEW $PEM
rm -f $REQ $KEY $CRT
exit 0