From 9754e4fb59ffe054309b7ca7ed1a62ae40732d07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 10 Sep 2024 16:30:06 +0200
Subject: [PATCH] Mark explicitly server cert with CA flag

Since OpenSSL 3.2 it did not connect from control to server cert. Create
server with indication is it CA.

Also use clientAuth trust for CA cert. That allows control cert to be
used for client authentication.

Resolves: rhbz#2310947
---
 dnssec-trigger-0.17-openssl-3.2.patch | 34 +++++++++++++++++++++++++++
 dnssec-trigger.spec                   |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 dnssec-trigger-0.17-openssl-3.2.patch

diff --git a/dnssec-trigger-0.17-openssl-3.2.patch b/dnssec-trigger-0.17-openssl-3.2.patch
new file mode 100644
index 0000000..d1b9474
--- /dev/null
+++ b/dnssec-trigger-0.17-openssl-3.2.patch
@@ -0,0 +1,34 @@
+From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 10 Sep 2024 16:22:07 +0200
+Subject: [PATCH] Mark explicitly server cert with CA flag
+
+Since OpenSSL 3.2 it did not connect from control to server cert. Create
+server with indication is it CA.
+
+Also use clientAuth trust for CA cert. That allows control cert to be
+used for client authentication.
+---
+ dnssec-trigger-control-setup.sh.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
+index 7cc305a..eede665 100644
+--- a/dnssec-trigger-control-setup.sh.in
++++ b/dnssec-trigger-control-setup.sh.in
+@@ -200,9 +200,9 @@ EOF
+ test -f request.cfg || error "could not create request.cfg"
+ 
+ echo "create $SVR_BASE.pem (self signed certificate)"
+-openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+-# create trusted usage pem
+-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
++openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
++# create trusted usage pem for CA, what are signed certs allowed to do?
++openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
+ 
+ # create client request and sign it, piped
+ cat >request.cfg <<EOF
+-- 
+2.46.0
+
diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec
index 422708c..c96f581 100644
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@@ -33,6 +33,7 @@ Patch4: 0004-Add-options-edns0-and-trust-ad.patch
 Patch5: dnssec-trigger-configure-c99.patch
 # https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
 Patch6: dnssec-trigger-0.17-allowed-characters.patch
+Patch7: dnssec-trigger-0.17-openssl-3.2.patch
 
 # to obsolete the version in which the panel was in main package
 Obsoletes: %{name} < 0.12-22