From f673a25e514983ab0fafc5c5f1c603e33682f694 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 8 Jun 2023 14:25:55 -0400 Subject: [PATCH 01/20] [packit] 3.0.4 upstream release Upstream tag: sscg-3.0.4 Upstream commit: e87dd74e --- .packit.yaml | 51 ++++++++++++++++++++++++++++++++++++++++++ README.packit | 3 +++ get_current_version.sh | 46 +++++++++++++++++++++++++++++++++++++ 3 files changed, 100 insertions(+) create mode 100644 .packit.yaml create mode 100644 README.packit create mode 100755 get_current_version.sh diff --git a/.packit.yaml b/.packit.yaml new file mode 100644 index 0000000..ad46396 --- /dev/null +++ b/.packit.yaml @@ -0,0 +1,51 @@ +# See the documentation for more information: +# https://packit.dev/docs/configuration/ + +specfile_path: .distro/sscg.spec + +files_to_sync: + - src: .distro/sscg.spec + dest: sscg.spec + - src: .packit.yaml + dest: .packit.yaml + - src: get_current_version.sh + dest: get_current_version.sh + +sync_changelog: true + +upstream_package_name: sscg +downstream_package_name: sscg + +upstream_tag_template: sscg-{version} + +archive_root_dir_template: "{upstream_pkg_name}-{upstream_pkg_name}-{version}" + +notifications: + pull_request: + successful_build: true + +srpm_build_deps: + - meson + - jq + +actions: + get-current-version: + - ./get_current_version.sh + +jobs: +- job: copr_build + trigger: pull_request + targets: + - fedora-all + - centos-stream-8 + - centos-stream-9 +- job: tests + trigger: pull_request + targets: + - fedora-all + - centos-stream-8 + - centos-stream-9 +- job: propose_downstream + trigger: release + dist_git_branches: + - fedora-all diff --git a/README.packit b/README.packit new file mode 100644 index 0000000..01582f6 --- /dev/null +++ b/README.packit @@ -0,0 +1,3 @@ +This repository is maintained by packit. +https://packit.dev/ +The file was generated using packit 0.76.0. diff --git a/get_current_version.sh b/get_current_version.sh new file mode 100755 index 0000000..6d959fe --- /dev/null +++ b/get_current_version.sh @@ -0,0 +1,46 @@ +#!/usr/bin/bash + +# This file is part of sscg. +# +# sscg is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# sscg is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with sscg. If not, see . +# +# In addition, as a special exception, the copyright holders give +# permission to link the code of portions of this program with the +# OpenSSL library under certain conditions as described in each +# individual source file, and distribute linked combinations +# including the two. +# You must obey the GNU General Public License in all respects +# for all of the code used other than OpenSSL. If you modify +# file(s) with this exception, you may extend this exception to your +# version of the file(s), but you are not obligated to do so. If you +# do not wish to do so, delete this exception statement from your +# version. If you delete this exception statement from all source +# files in the program, then also delete it here. +# +# Copyright 2023 by Stephen Gallagher + +set -e + +tmpdir=$(mktemp -d) + +function common_finalize { + exitcode=$? + rm -Rf "$tmpdir" + return $exitcode +} + +trap common_finalize EXIT + +meson setup ${tmpdir}/getcurrentversion 2>&1 > /dev/null +meson introspect ${tmpdir}/getcurrentversion --projectinfo | jq -r .version From 230ea67ffe8fca40a53fa4a6698c87297e716ab9 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 8 Jun 2023 14:26:02 -0400 Subject: [PATCH 02/20] [packit] 3.0.4 upstream release Upstream tag: sscg-3.0.4 Upstream commit: e87dd74e --- .packit.yaml | 51 ++++++++++++++++++++++++++++++++++++++++++ README.packit | 3 +++ get_current_version.sh | 46 +++++++++++++++++++++++++++++++++++++ 3 files changed, 100 insertions(+) create mode 100644 .packit.yaml create mode 100644 README.packit create mode 100755 get_current_version.sh diff --git a/.packit.yaml b/.packit.yaml new file mode 100644 index 0000000..ad46396 --- /dev/null +++ b/.packit.yaml @@ -0,0 +1,51 @@ +# See the documentation for more information: +# https://packit.dev/docs/configuration/ + +specfile_path: .distro/sscg.spec + +files_to_sync: + - src: .distro/sscg.spec + dest: sscg.spec + - src: .packit.yaml + dest: .packit.yaml + - src: get_current_version.sh + dest: get_current_version.sh + +sync_changelog: true + +upstream_package_name: sscg +downstream_package_name: sscg + +upstream_tag_template: sscg-{version} + +archive_root_dir_template: "{upstream_pkg_name}-{upstream_pkg_name}-{version}" + +notifications: + pull_request: + successful_build: true + +srpm_build_deps: + - meson + - jq + +actions: + get-current-version: + - ./get_current_version.sh + +jobs: +- job: copr_build + trigger: pull_request + targets: + - fedora-all + - centos-stream-8 + - centos-stream-9 +- job: tests + trigger: pull_request + targets: + - fedora-all + - centos-stream-8 + - centos-stream-9 +- job: propose_downstream + trigger: release + dist_git_branches: + - fedora-all diff --git a/README.packit b/README.packit new file mode 100644 index 0000000..01582f6 --- /dev/null +++ b/README.packit @@ -0,0 +1,3 @@ +This repository is maintained by packit. +https://packit.dev/ +The file was generated using packit 0.76.0. diff --git a/get_current_version.sh b/get_current_version.sh new file mode 100755 index 0000000..6d959fe --- /dev/null +++ b/get_current_version.sh @@ -0,0 +1,46 @@ +#!/usr/bin/bash + +# This file is part of sscg. +# +# sscg is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# sscg is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with sscg. If not, see . +# +# In addition, as a special exception, the copyright holders give +# permission to link the code of portions of this program with the +# OpenSSL library under certain conditions as described in each +# individual source file, and distribute linked combinations +# including the two. +# You must obey the GNU General Public License in all respects +# for all of the code used other than OpenSSL. If you modify +# file(s) with this exception, you may extend this exception to your +# version of the file(s), but you are not obligated to do so. If you +# do not wish to do so, delete this exception statement from your +# version. If you delete this exception statement from all source +# files in the program, then also delete it here. +# +# Copyright 2023 by Stephen Gallagher + +set -e + +tmpdir=$(mktemp -d) + +function common_finalize { + exitcode=$? + rm -Rf "$tmpdir" + return $exitcode +} + +trap common_finalize EXIT + +meson setup ${tmpdir}/getcurrentversion 2>&1 > /dev/null +meson introspect ${tmpdir}/getcurrentversion --projectinfo | jq -r .version From 6eccdf5e80dc9e84e72f4beba7042f4fee7c8d2d Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 20 Jun 2023 16:32:59 -0400 Subject: [PATCH 03/20] Release 3.0.5 From-source-git-commit: 1440fb807c4cecce3a3e52dca9489cec1a53cc4d --- .gitignore | 1 + sources | 2 +- sscg.spec | 6 +++--- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index d3a8c75..f46fa23 100644 --- a/.gitignore +++ b/.gitignore @@ -26,3 +26,4 @@ /sscg-3.0.1.tar.gz /sscg-3.0.2.tar.gz /sscg-3.0.3.tar.gz +/sscg-3.0.5.tar.gz diff --git a/sources b/sources index 261d5bb..e51b29d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sscg-3.0.3.tar.gz) = 5820a44deaabf67296bf218485a22a5b58fcf48c6c33e2617946d0edaded3554f1acb2fb170eb189cdf4f8a61bb29bcb0385dc54996f7d0acdc8f45048b8e081 +SHA512 (sscg-3.0.5.tar.gz) = da4db537096608683726084ea342cf3e06ec25da16c4475a29e83a466486a4ace8b58253520034eb263d8cefde14e21f3fe69d23fa75686cab5e3a7f8e170442 diff --git a/sscg.spec b/sscg.spec index 791b0c8..ddf1a43 100644 --- a/sscg.spec +++ b/sscg.spec @@ -9,13 +9,13 @@ %{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs} Name: sscg -Version: 3.0.3 +Version: 3.0.5 Release: %autorelease Summary: Simple SSL certificate generator License: GPLv3+ with exceptions URL: https://%{provider_prefix} -Source0: https://%{provider_prefix}/archive/refs/tags/%{repo}-%{version}.tar.gz +Source0: sscg-3.0.5.tar.gz BuildRequires: gcc BuildRequires: libtalloc-devel BuildRequires: openssl @@ -36,7 +36,7 @@ up a full PKI environment and without exposing the machine to a risk of false signatures from the service certificate. %prep -%autosetup -p1 -n %{name}-%{name}-%{version} +%autosetup -p1 -n sscg-3.0.5 %build From f20c1143a3249580e9385404bf2ea7679b5e36db Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 18 Jul 2023 20:25:15 -0400 Subject: [PATCH 04/20] Extend maximum DNS name to 256 From-source-git-commit: 00fb4ba6ae29ed94b88675fa752f1c3e5c6fa85f --- 0001-Extend-maximum-DNS-name-to-255.patch | 205 ++++++++++++++++++++++ sscg.spec | 3 + 2 files changed, 208 insertions(+) create mode 100644 0001-Extend-maximum-DNS-name-to-255.patch diff --git a/0001-Extend-maximum-DNS-name-to-255.patch b/0001-Extend-maximum-DNS-name-to-255.patch new file mode 100644 index 0000000..de809fa --- /dev/null +++ b/0001-Extend-maximum-DNS-name-to-255.patch @@ -0,0 +1,205 @@ +From 00fb4ba6ae29ed94b88675fa752f1c3e5c6fa85f Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Wed, 15 Feb 2023 15:49:38 -0500 +Subject: [PATCH] Extend maximum DNS name to 255 + +The hostname part is still restricted to 63 characters + +See RFC 1035, section 2.3.4 + +Signed-off-by: Stephen Gallagher +--- + include/sscg.h | 3 +++ + src/arguments.c | 35 +++++++++++++++++++++++++++-------- + src/authority.c | 26 +++++++++++++++++++++++--- + src/cert.c | 5 +++++ + src/x509.c | 6 +++--- + 5 files changed, 61 insertions(+), 14 deletions(-) + +diff --git a/include/sscg.h b/include/sscg.h +index 0f35631..f0c6d93 100644 +--- a/include/sscg.h ++++ b/include/sscg.h +@@ -313,6 +313,9 @@ enum sscg_cert_type + #define SSCG_MIN_KEY_PASS_LEN 4 + #define SSCG_MAX_KEY_PASS_LEN 1023 + ++/* RFC 1035, section 2.3.4 (Size Limits) */ ++#define MAX_HOST_LEN 63 ++#define MAX_FQDN_LEN 255 + + int + sscg_handle_arguments (TALLOC_CTX *mem_ctx, +diff --git a/src/arguments.c b/src/arguments.c +index 0b7a060..2f412be 100644 +--- a/src/arguments.c ++++ b/src/arguments.c +@@ -786,10 +786,19 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx, + } + CHECK_MEM (options->hostname); + +- if (strnlen (options->hostname, MAXHOSTNAMELEN + 1) > MAXHOSTNAMELEN) ++ if (strnlen (options->hostname, MAX_FQDN_LEN + 1) > MAX_FQDN_LEN) + { +- fprintf ( +- stderr, "Hostnames may not exceed %d characters\n", MAXHOSTNAMELEN); ++ fprintf (stderr, "FQDNs may not exceed %d characters\n", MAX_FQDN_LEN); ++ ret = EINVAL; ++ goto done; ++ } ++ ++ if ((strchr (options->hostname, '.') - options->hostname) > MAX_HOST_LEN + 4) ++ { ++ fprintf (stderr, ++ "Hostnames may not exceed %d characters in Subject " ++ "Alternative Names\n", ++ MAX_HOST_LEN); + ret = EINVAL; + goto done; + } +@@ -798,25 +807,35 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx, + options struct. It's not the most efficient approach, but + it's only done one time, so there is no sense in optimizing + it. */ ++ size_t i = 0; + if (alternative_names) + { +- size_t i = 0; + while (alternative_names[i] != NULL) + { + options->subject_alt_names = talloc_realloc ( +- options, options->subject_alt_names, char *, i + 2); ++ options, options->subject_alt_names, char *, i + 1); + CHECK_MEM (options->subject_alt_names); + + options->subject_alt_names[i] = + talloc_strdup (options->subject_alt_names, alternative_names[i]); + CHECK_MEM (options->subject_alt_names[i]); +- +- /* Add a NULL terminator to the end */ +- options->subject_alt_names[i + 1] = NULL; + i++; + } + } + ++ /* ++ The hostname must always be listed in SubjectAlternativeNames as well. ++ Note that the realloc also adds an extra entry for the NULL terminator ++ */ ++ options->subject_alt_names = ++ talloc_realloc (options, options->subject_alt_names, char *, i + 2); ++ CHECK_MEM (options->subject_alt_names); ++ options->subject_alt_names[i] = ++ talloc_strdup (options->subject_alt_names, options->hostname); ++ CHECK_MEM (options->subject_alt_names[i]); ++ /* Add a NULL terminator to the end */ ++ options->subject_alt_names[i + 1] = NULL; ++ + if (options->key_strength < options->minimum_key_strength) + { + fprintf (stderr, +diff --git a/src/authority.c b/src/authority.c +index 4efaa9e..f509fd4 100644 +--- a/src/authority.c ++++ b/src/authority.c +@@ -56,6 +56,7 @@ create_private_CA (TALLOC_CTX *mem_ctx, + char *name_constraint; + char *san; + char *tmp; ++ char *dot; + + tmp_ctx = talloc_new (NULL); + CHECK_MEM (tmp_ctx); +@@ -89,6 +90,26 @@ create_private_CA (TALLOC_CTX *mem_ctx, + + ca_certinfo->cn = talloc_strdup (ca_certinfo, options->hostname); + CHECK_MEM (ca_certinfo->cn); ++ /* Truncate the CN at the first dot */ ++ if ((dot = strchr (ca_certinfo->cn, '.'))) ++ *dot = '\0'; ++ ++ if (options->subject_alt_names) ++ { ++ for (i = 0; options->subject_alt_names[i]; i++) ++ { ++ ca_certinfo->subject_alt_names = talloc_realloc ( ++ ca_certinfo, ca_certinfo->subject_alt_names, char *, i + 2); ++ CHECK_MEM (ca_certinfo->subject_alt_names); ++ ++ ca_certinfo->subject_alt_names[i] = talloc_strdup ( ++ ca_certinfo->subject_alt_names, options->subject_alt_names[i]); ++ CHECK_MEM (ca_certinfo->subject_alt_names[i]); ++ ++ /* Add a NULL terminator to the end */ ++ ca_certinfo->subject_alt_names[i + 1] = NULL; ++ } ++ } + + /* Make this a CA certificate */ + +@@ -106,10 +127,9 @@ create_private_CA (TALLOC_CTX *mem_ctx, + CHECK_MEM (ex); + sk_X509_EXTENSION_push (ca_certinfo->extensions, ex); + +- /* Restrict signing to the hostname and subjectAltNames of the +- service certificate */ ++ /* Restrict signing to the CN and subjectAltNames of the service certificate */ + name_constraint = +- talloc_asprintf (tmp_ctx, "permitted;DNS:%s", options->hostname); ++ talloc_asprintf (tmp_ctx, "permitted;DNS:%s", ca_certinfo->cn); + CHECK_MEM (name_constraint); + + if (options->subject_alt_names) +diff --git a/src/cert.c b/src/cert.c +index 99d9109..e36de71 100644 +--- a/src/cert.c ++++ b/src/cert.c +@@ -31,6 +31,7 @@ + */ + + ++#include + #include "include/sscg.h" + #include "include/cert.h" + #include "include/x509.h" +@@ -52,6 +53,7 @@ create_cert (TALLOC_CTX *mem_ctx, + struct sscg_x509_req *csr; + struct sscg_evp_pkey *pkey; + struct sscg_x509_cert *cert; ++ char *dot; + X509_EXTENSION *ex = NULL; + EXTENDED_KEY_USAGE *extended; + TALLOC_CTX *tmp_ctx = NULL; +@@ -87,6 +89,9 @@ create_cert (TALLOC_CTX *mem_ctx, + + certinfo->cn = talloc_strdup (certinfo, options->hostname); + CHECK_MEM (certinfo->cn); ++ /* Truncate the CN at the first dot */ ++ if ((dot = strchr (certinfo->cn, '.'))) ++ *dot = '\0'; + + if (options->subject_alt_names) + { +diff --git a/src/x509.c b/src/x509.c +index 4f3f11c..9f6f21b 100644 +--- a/src/x509.c ++++ b/src/x509.c +@@ -290,12 +290,12 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, + } + CHECK_MEM (san); + +- if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4) ++ if (strnlen (san, MAX_FQDN_LEN + 5) > MAX_FQDN_LEN + 4) + { + fprintf (stderr, +- "Hostnames may not exceed %d characters in Subject " ++ "FQDNs may not exceed %d characters in Subject " + "Alternative Names\n", +- MAXHOSTNAMELEN); ++ MAX_FQDN_LEN); + ret = EINVAL; + goto done; + } +-- +2.41.0 + diff --git a/sscg.spec b/sscg.spec index ddf1a43..ffb54d3 100644 --- a/sscg.spec +++ b/sscg.spec @@ -16,6 +16,9 @@ Summary: Simple SSL certificate generator License: GPLv3+ with exceptions URL: https://%{provider_prefix} Source0: sscg-3.0.5.tar.gz +# Extend maximum DNS name to 255 +# Author: Stephen Gallagher +Patch1: 0001-Extend-maximum-DNS-name-to-255.patch BuildRequires: gcc BuildRequires: libtalloc-devel BuildRequires: openssl From 2da8e38627fbbafca5651c0be482176133743c3c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jul 2023 02:27:02 +0000 Subject: [PATCH 05/20] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering From 0cddb04217bec12fdebaeb034e6635f09a58b71b Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Fri, 1 Sep 2023 08:21:27 -0400 Subject: [PATCH 06/20] Update README.md with latest usage Signed-off-by: Stephen Gallagher --- 0001-Extend-maximum-DNS-name-to-255.patch | 14 +-- ...DME.md-with-latest-usage-information.patch | 109 ++++++++++++++++++ 2 files changed, 116 insertions(+), 7 deletions(-) create mode 100644 0002-Update-README.md-with-latest-usage-information.patch diff --git a/0001-Extend-maximum-DNS-name-to-255.patch b/0001-Extend-maximum-DNS-name-to-255.patch index de809fa..7ce5725 100644 --- a/0001-Extend-maximum-DNS-name-to-255.patch +++ b/0001-Extend-maximum-DNS-name-to-255.patch @@ -1,7 +1,7 @@ -From 00fb4ba6ae29ed94b88675fa752f1c3e5c6fa85f Mon Sep 17 00:00:00 2001 +From 750dee2eded3b1c16e0434fa387d35a869545d9e Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Wed, 15 Feb 2023 15:49:38 -0500 -Subject: [PATCH] Extend maximum DNS name to 255 +Subject: [PATCH 1/2] Extend maximum DNS name to 255 The hostname part is still restricted to 63 characters @@ -17,7 +17,7 @@ Signed-off-by: Stephen Gallagher 5 files changed, 61 insertions(+), 14 deletions(-) diff --git a/include/sscg.h b/include/sscg.h -index 0f35631..f0c6d93 100644 +index 0f35631018dc2745e986cd1e7e094e3e37be8e54..f0c6d93b871e4bd3f2c805be8dfa7485ec34746a 100644 --- a/include/sscg.h +++ b/include/sscg.h @@ -313,6 +313,9 @@ enum sscg_cert_type @@ -31,7 +31,7 @@ index 0f35631..f0c6d93 100644 int sscg_handle_arguments (TALLOC_CTX *mem_ctx, diff --git a/src/arguments.c b/src/arguments.c -index 0b7a060..2f412be 100644 +index 0b7a060d31bed97130c7cb9b7feacf0876e25c0d..2f412bee1bee9620f28b6e84aed4aef17aee3a6a 100644 --- a/src/arguments.c +++ b/src/arguments.c @@ -786,10 +786,19 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx, @@ -99,7 +99,7 @@ index 0b7a060..2f412be 100644 { fprintf (stderr, diff --git a/src/authority.c b/src/authority.c -index 4efaa9e..f509fd4 100644 +index 4efaa9e730964b9762b59d0e6698c1623901ccfe..f509fd4316c3b7b230f99de6464491c319fc5d45 100644 --- a/src/authority.c +++ b/src/authority.c @@ -56,6 +56,7 @@ create_private_CA (TALLOC_CTX *mem_ctx, @@ -151,7 +151,7 @@ index 4efaa9e..f509fd4 100644 if (options->subject_alt_names) diff --git a/src/cert.c b/src/cert.c -index 99d9109..e36de71 100644 +index 99d9109f5981ef408aeb7d05a8327e1a38d5700a..e36de71e7ca9b34f87734542d5646b466cd61d4c 100644 --- a/src/cert.c +++ b/src/cert.c @@ -31,6 +31,7 @@ @@ -181,7 +181,7 @@ index 99d9109..e36de71 100644 if (options->subject_alt_names) { diff --git a/src/x509.c b/src/x509.c -index 4f3f11c..9f6f21b 100644 +index 4f3f11cd3411f00cf6de3a72ba897adc97944e35..9f6f21b49c2dd70629fed67d327027374eb21b15 100644 --- a/src/x509.c +++ b/src/x509.c @@ -290,12 +290,12 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, diff --git a/0002-Update-README.md-with-latest-usage-information.patch b/0002-Update-README.md-with-latest-usage-information.patch new file mode 100644 index 0000000..4294050 --- /dev/null +++ b/0002-Update-README.md-with-latest-usage-information.patch @@ -0,0 +1,109 @@ +From ff2cf0e789cb62c1efbb95ee3f6ccd1958a9d10e Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Fri, 1 Sep 2023 08:19:01 -0400 +Subject: [PATCH 2/2] Update README.md with latest usage information + +Signed-off-by: Stephen Gallagher +--- + README.md | 55 +++++++++++++++++++++++++------------------------------ + 1 file changed, 25 insertions(+), 30 deletions(-) + +diff --git a/README.md b/README.md +index d15c3d955d03026e8a68c04870a5f97a20eb03d9..4d57138895443f228212a6c77209350432eecbd7 100644 +--- a/README.md ++++ b/README.md +@@ -26,8 +26,8 @@ Usage of sscg: + Usage: sscg [OPTION...] + -q, --quiet Display no output unless there is an error. + -v, --verbose Display progress messages. +- -d, --debug Enable logging of debug messages. Implies verbose. Warning! This will print +- private key information to the screen! ++ -d, --debug Enable logging of debug messages. Implies verbose. Warning! This will print private key information to the ++ screen! + -V, --version Display the version number and exit. + -f, --force Overwrite any pre-existing files in the requested locations + --lifetime=1-3650 Certificate lifetime (days). (default: 398) +@@ -37,57 +37,52 @@ Usage: sscg [OPTION...] + --organization=My Company Certificate DN: Organization (O). (default: "Unspecified") + --organizational-unit=Engineering, etc. Certificate DN: Organizational Unit (OU). + --email=myname@example.com Certificate DN: Email Address (Email). +- --hostname=server.example.com The valid hostname of the certificate. Must be an FQDN. (default: current system +- FQDN) +- --subject-alt-name alt.example.com Optional additional valid hostnames for the certificate. In addition to hostnames, +- this option also accepts explicit values supported by RFC 5280 such as +- IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy May be specified multiple times. ++ --hostname=server.example.com The valid hostname of the certificate. Must be an FQDN. (default: current system FQDN) ++ --subject-alt-name alt.example.com Optional additional valid hostnames for the certificate. In addition to hostnames, this option also accepts ++ explicit values supported by RFC 5280 such as IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy May be specified multiple ++ times. + --package=STRING Unused. Retained for compatibility with earlier versions of sscg. + --key-strength=2048 or larger Strength of the certificate private keys in bits. (default: 2048) + --hash-alg={sha256,sha384,sha512} Hashing algorithm to use for signing. (default: "sha256") + --cipher-alg={des-ede3-cbc,aes-256-cbc} Cipher to use for encrypting key files. (default: "aes-256-cbc") + --ca-file=STRING Path where the public CA certificate will be stored. (default: "./ca.crt") + --ca-mode=0644 File mode of the created CA certificate. +- --ca-key-file=STRING Path where the CA's private key will be stored. If unspecified, the key will be +- destroyed rather than written to the disk. ++ --ca-key-file=STRING Path where the CA's private key will be stored. If unspecified, the key will be destroyed rather than written ++ to the disk. + --ca-key-mode=0600 File mode of the created CA key. +- --ca-key-password=STRING Provide a password for the CA key file. Note that this will be visible in the +- process table for all users, so it should be used for testing purposes only. Use +- --ca-keypassfile or --ca-key-password-prompt for secure password entry. ++ --ca-key-password=STRING Provide a password for the CA key file. Note that this will be visible in the process table for all users, so ++ it should be used for testing purposes only. Use --ca-keypassfile or --ca-key-password-prompt for secure ++ password entry. + --ca-key-passfile=STRING A file containing the password to encrypt the CA key file. + -C, --ca-key-password-prompt Prompt to enter a password for the CA key file. +- --crl-file=STRING Path where an (empty) Certificate Revocation List file will be created, for +- applications that expect such a file to exist. If unspecified, no such file will +- be created. ++ --crl-file=STRING Path where an (empty) Certificate Revocation List file will be created, for applications that expect such a ++ file to exist. If unspecified, no such file will be created. + --crl-mode=0644 File mode of the created Certificate Revocation List. + --cert-file=STRING Path where the public service certificate will be stored. (default "./service.pem") + --cert-mode=0644 File mode of the created certificate. + --cert-key-file=STRING Path where the service's private key will be stored. (default "service-key.pem") + --cert-key-mode=0600 File mode of the created certificate key. +- -p, --cert-key-password=STRING Provide a password for the service key file. Note that this will be visible in the +- process table for all users, so this flag should be used for testing purposes +- only. Use --cert-keypassfile or --cert-key-password-prompt for secure password +- entry. ++ -p, --cert-key-password=STRING Provide a password for the service key file. Note that this will be visible in the process table for all users, ++ so this flag should be used for testing purposes only. Use --cert-keypassfile or --cert-key-password-prompt for ++ secure password entry. + --cert-key-passfile=STRING A file containing the password to encrypt the service key file. + -P, --cert-key-password-prompt Prompt to enter a password for the service key file. + --client-file=STRING Path where a client authentication certificate will be stored. + --client-mode=0644 File mode of the created certificate. + --client-key-file=STRING Path where the client's private key will be stored. (default is the client-file) + --client-key-mode=0600 File mode of the created certificate key. +- --client-key-password=STRING Provide a password for the client key file. Note that this will be visible in the +- process table for all users, so this flag should be used for testing purposes +- only. Use --client-keypassfile or --client-key-password-prompt for secure password +- entry. ++ --client-key-password=STRING Provide a password for the client key file. Note that this will be visible in the process table for all users, ++ so this flag should be used for testing purposes only. Use --client-keypassfile or --client-key-password-prompt ++ for secure password entry. + --client-key-passfile=STRING A file containing the password to encrypt the client key file. + --client-key-password-prompt Prompt to enter a password for the client key file. + --dhparams-file=STRING A file to contain a set of Diffie-Hellman parameters. (Default: "./dhparams.pem") +- --dhparams-named-group=STRING Output well-known DH parameters. The available named groups are: ffdhe2048, +- ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp_2048, modp_3072, modp_4096, +- modp_6144, modp_8192, modp_1536, dh_1024_160, dh_2048_224, dh_2048_256. (Default: +- "ffdhe4096") +- --dhparams-prime-len=INT The length of the prime number to generate for dhparams, in bits. If set to +- non-zero, the parameters will be generated rather than using a well-known group. +- (default: 0) ++ --no-dhparams-file Do not create the dhparams file ++ --dhparams-named-group=STRING Output well-known DH parameters. The available named groups are: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ++ ffdhe8192, modp_2048, modp_3072, modp_4096, modp_6144, modp_8192, modp_1536, dh_1024_160, dh_2048_224, ++ dh_2048_256. (Default: "ffdhe4096") ++ --dhparams-prime-len=INT The length of the prime number to generate for dhparams, in bits. If set to non-zero, the parameters will be ++ generated rather than using a well-known group. (default: 0) + --dhparams-generator={2,3,5} The generator value for dhparams. (default: 2) + + Help options: +-- +2.41.0 + From 00ae4096624fe48a565c641bbc1e6582d46a09cd Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Thu, 16 Nov 2023 14:14:23 +0000 Subject: [PATCH 07/20] SPDX migration --- sscg.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sscg.spec b/sscg.spec index ffb54d3..eb71105 100644 --- a/sscg.spec +++ b/sscg.spec @@ -13,7 +13,7 @@ Version: 3.0.5 Release: %autorelease Summary: Simple SSL certificate generator -License: GPLv3+ with exceptions +License: GPL-3.0-or-later WITH cryptsetup-OpenSSL-exception URL: https://%{provider_prefix} Source0: sscg-3.0.5.tar.gz # Extend maximum DNS name to 255 From 31cf588afd570573a83d7f2c3104e97da68fc65b Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 27 Jan 2024 04:18:06 +0000 Subject: [PATCH 08/20] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From af6d350b20321995bea0869fb4c719242a0c2cdb Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 20 Jul 2024 06:22:37 +0000 Subject: [PATCH 09/20] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 3e4e7c4ad9ca4cd0ed1a2a15761e9e31e5eaacd8 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sun, 19 Jan 2025 11:34:16 +0000 Subject: [PATCH 10/20] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 2f6d98b494e2964ef0a2f0fbbb1803c3d49f33cf Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Mon, 31 Mar 2025 11:15:44 -0400 Subject: [PATCH 11/20] Release 3.0.6 Fixes an incompatibility with OpenSSL 3.4+ when generating Certificate Signing Requests. Signed-off-by: Stephen Gallagher --- .gitignore | 1 + 0001-Extend-maximum-DNS-name-to-255.patch | 205 ------------------ ...DME.md-with-latest-usage-information.patch | 109 ---------- sources | 2 +- sscg.spec | 11 +- 5 files changed, 6 insertions(+), 322 deletions(-) delete mode 100644 0001-Extend-maximum-DNS-name-to-255.patch delete mode 100644 0002-Update-README.md-with-latest-usage-information.patch diff --git a/.gitignore b/.gitignore index f46fa23..fa4916e 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ /sscg-3.0.2.tar.gz /sscg-3.0.3.tar.gz /sscg-3.0.5.tar.gz +/sscg-3.0.6.tar.gz diff --git a/0001-Extend-maximum-DNS-name-to-255.patch b/0001-Extend-maximum-DNS-name-to-255.patch deleted file mode 100644 index 7ce5725..0000000 --- a/0001-Extend-maximum-DNS-name-to-255.patch +++ /dev/null @@ -1,205 +0,0 @@ -From 750dee2eded3b1c16e0434fa387d35a869545d9e Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Wed, 15 Feb 2023 15:49:38 -0500 -Subject: [PATCH 1/2] Extend maximum DNS name to 255 - -The hostname part is still restricted to 63 characters - -See RFC 1035, section 2.3.4 - -Signed-off-by: Stephen Gallagher ---- - include/sscg.h | 3 +++ - src/arguments.c | 35 +++++++++++++++++++++++++++-------- - src/authority.c | 26 +++++++++++++++++++++++--- - src/cert.c | 5 +++++ - src/x509.c | 6 +++--- - 5 files changed, 61 insertions(+), 14 deletions(-) - -diff --git a/include/sscg.h b/include/sscg.h -index 0f35631018dc2745e986cd1e7e094e3e37be8e54..f0c6d93b871e4bd3f2c805be8dfa7485ec34746a 100644 ---- a/include/sscg.h -+++ b/include/sscg.h -@@ -313,6 +313,9 @@ enum sscg_cert_type - #define SSCG_MIN_KEY_PASS_LEN 4 - #define SSCG_MAX_KEY_PASS_LEN 1023 - -+/* RFC 1035, section 2.3.4 (Size Limits) */ -+#define MAX_HOST_LEN 63 -+#define MAX_FQDN_LEN 255 - - int - sscg_handle_arguments (TALLOC_CTX *mem_ctx, -diff --git a/src/arguments.c b/src/arguments.c -index 0b7a060d31bed97130c7cb9b7feacf0876e25c0d..2f412bee1bee9620f28b6e84aed4aef17aee3a6a 100644 ---- a/src/arguments.c -+++ b/src/arguments.c -@@ -786,10 +786,19 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx, - } - CHECK_MEM (options->hostname); - -- if (strnlen (options->hostname, MAXHOSTNAMELEN + 1) > MAXHOSTNAMELEN) -+ if (strnlen (options->hostname, MAX_FQDN_LEN + 1) > MAX_FQDN_LEN) - { -- fprintf ( -- stderr, "Hostnames may not exceed %d characters\n", MAXHOSTNAMELEN); -+ fprintf (stderr, "FQDNs may not exceed %d characters\n", MAX_FQDN_LEN); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ if ((strchr (options->hostname, '.') - options->hostname) > MAX_HOST_LEN + 4) -+ { -+ fprintf (stderr, -+ "Hostnames may not exceed %d characters in Subject " -+ "Alternative Names\n", -+ MAX_HOST_LEN); - ret = EINVAL; - goto done; - } -@@ -798,25 +807,35 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx, - options struct. It's not the most efficient approach, but - it's only done one time, so there is no sense in optimizing - it. */ -+ size_t i = 0; - if (alternative_names) - { -- size_t i = 0; - while (alternative_names[i] != NULL) - { - options->subject_alt_names = talloc_realloc ( -- options, options->subject_alt_names, char *, i + 2); -+ options, options->subject_alt_names, char *, i + 1); - CHECK_MEM (options->subject_alt_names); - - options->subject_alt_names[i] = - talloc_strdup (options->subject_alt_names, alternative_names[i]); - CHECK_MEM (options->subject_alt_names[i]); -- -- /* Add a NULL terminator to the end */ -- options->subject_alt_names[i + 1] = NULL; - i++; - } - } - -+ /* -+ The hostname must always be listed in SubjectAlternativeNames as well. -+ Note that the realloc also adds an extra entry for the NULL terminator -+ */ -+ options->subject_alt_names = -+ talloc_realloc (options, options->subject_alt_names, char *, i + 2); -+ CHECK_MEM (options->subject_alt_names); -+ options->subject_alt_names[i] = -+ talloc_strdup (options->subject_alt_names, options->hostname); -+ CHECK_MEM (options->subject_alt_names[i]); -+ /* Add a NULL terminator to the end */ -+ options->subject_alt_names[i + 1] = NULL; -+ - if (options->key_strength < options->minimum_key_strength) - { - fprintf (stderr, -diff --git a/src/authority.c b/src/authority.c -index 4efaa9e730964b9762b59d0e6698c1623901ccfe..f509fd4316c3b7b230f99de6464491c319fc5d45 100644 ---- a/src/authority.c -+++ b/src/authority.c -@@ -56,6 +56,7 @@ create_private_CA (TALLOC_CTX *mem_ctx, - char *name_constraint; - char *san; - char *tmp; -+ char *dot; - - tmp_ctx = talloc_new (NULL); - CHECK_MEM (tmp_ctx); -@@ -89,6 +90,26 @@ create_private_CA (TALLOC_CTX *mem_ctx, - - ca_certinfo->cn = talloc_strdup (ca_certinfo, options->hostname); - CHECK_MEM (ca_certinfo->cn); -+ /* Truncate the CN at the first dot */ -+ if ((dot = strchr (ca_certinfo->cn, '.'))) -+ *dot = '\0'; -+ -+ if (options->subject_alt_names) -+ { -+ for (i = 0; options->subject_alt_names[i]; i++) -+ { -+ ca_certinfo->subject_alt_names = talloc_realloc ( -+ ca_certinfo, ca_certinfo->subject_alt_names, char *, i + 2); -+ CHECK_MEM (ca_certinfo->subject_alt_names); -+ -+ ca_certinfo->subject_alt_names[i] = talloc_strdup ( -+ ca_certinfo->subject_alt_names, options->subject_alt_names[i]); -+ CHECK_MEM (ca_certinfo->subject_alt_names[i]); -+ -+ /* Add a NULL terminator to the end */ -+ ca_certinfo->subject_alt_names[i + 1] = NULL; -+ } -+ } - - /* Make this a CA certificate */ - -@@ -106,10 +127,9 @@ create_private_CA (TALLOC_CTX *mem_ctx, - CHECK_MEM (ex); - sk_X509_EXTENSION_push (ca_certinfo->extensions, ex); - -- /* Restrict signing to the hostname and subjectAltNames of the -- service certificate */ -+ /* Restrict signing to the CN and subjectAltNames of the service certificate */ - name_constraint = -- talloc_asprintf (tmp_ctx, "permitted;DNS:%s", options->hostname); -+ talloc_asprintf (tmp_ctx, "permitted;DNS:%s", ca_certinfo->cn); - CHECK_MEM (name_constraint); - - if (options->subject_alt_names) -diff --git a/src/cert.c b/src/cert.c -index 99d9109f5981ef408aeb7d05a8327e1a38d5700a..e36de71e7ca9b34f87734542d5646b466cd61d4c 100644 ---- a/src/cert.c -+++ b/src/cert.c -@@ -31,6 +31,7 @@ - */ - - -+#include - #include "include/sscg.h" - #include "include/cert.h" - #include "include/x509.h" -@@ -52,6 +53,7 @@ create_cert (TALLOC_CTX *mem_ctx, - struct sscg_x509_req *csr; - struct sscg_evp_pkey *pkey; - struct sscg_x509_cert *cert; -+ char *dot; - X509_EXTENSION *ex = NULL; - EXTENDED_KEY_USAGE *extended; - TALLOC_CTX *tmp_ctx = NULL; -@@ -87,6 +89,9 @@ create_cert (TALLOC_CTX *mem_ctx, - - certinfo->cn = talloc_strdup (certinfo, options->hostname); - CHECK_MEM (certinfo->cn); -+ /* Truncate the CN at the first dot */ -+ if ((dot = strchr (certinfo->cn, '.'))) -+ *dot = '\0'; - - if (options->subject_alt_names) - { -diff --git a/src/x509.c b/src/x509.c -index 4f3f11cd3411f00cf6de3a72ba897adc97944e35..9f6f21b49c2dd70629fed67d327027374eb21b15 100644 ---- a/src/x509.c -+++ b/src/x509.c -@@ -290,12 +290,12 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, - } - CHECK_MEM (san); - -- if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4) -+ if (strnlen (san, MAX_FQDN_LEN + 5) > MAX_FQDN_LEN + 4) - { - fprintf (stderr, -- "Hostnames may not exceed %d characters in Subject " -+ "FQDNs may not exceed %d characters in Subject " - "Alternative Names\n", -- MAXHOSTNAMELEN); -+ MAX_FQDN_LEN); - ret = EINVAL; - goto done; - } --- -2.41.0 - diff --git a/0002-Update-README.md-with-latest-usage-information.patch b/0002-Update-README.md-with-latest-usage-information.patch deleted file mode 100644 index 4294050..0000000 --- a/0002-Update-README.md-with-latest-usage-information.patch +++ /dev/null @@ -1,109 +0,0 @@ -From ff2cf0e789cb62c1efbb95ee3f6ccd1958a9d10e Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 1 Sep 2023 08:19:01 -0400 -Subject: [PATCH 2/2] Update README.md with latest usage information - -Signed-off-by: Stephen Gallagher ---- - README.md | 55 +++++++++++++++++++++++++------------------------------ - 1 file changed, 25 insertions(+), 30 deletions(-) - -diff --git a/README.md b/README.md -index d15c3d955d03026e8a68c04870a5f97a20eb03d9..4d57138895443f228212a6c77209350432eecbd7 100644 ---- a/README.md -+++ b/README.md -@@ -26,8 +26,8 @@ Usage of sscg: - Usage: sscg [OPTION...] - -q, --quiet Display no output unless there is an error. - -v, --verbose Display progress messages. -- -d, --debug Enable logging of debug messages. Implies verbose. Warning! This will print -- private key information to the screen! -+ -d, --debug Enable logging of debug messages. Implies verbose. Warning! This will print private key information to the -+ screen! - -V, --version Display the version number and exit. - -f, --force Overwrite any pre-existing files in the requested locations - --lifetime=1-3650 Certificate lifetime (days). (default: 398) -@@ -37,57 +37,52 @@ Usage: sscg [OPTION...] - --organization=My Company Certificate DN: Organization (O). (default: "Unspecified") - --organizational-unit=Engineering, etc. Certificate DN: Organizational Unit (OU). - --email=myname@example.com Certificate DN: Email Address (Email). -- --hostname=server.example.com The valid hostname of the certificate. Must be an FQDN. (default: current system -- FQDN) -- --subject-alt-name alt.example.com Optional additional valid hostnames for the certificate. In addition to hostnames, -- this option also accepts explicit values supported by RFC 5280 such as -- IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy May be specified multiple times. -+ --hostname=server.example.com The valid hostname of the certificate. Must be an FQDN. (default: current system FQDN) -+ --subject-alt-name alt.example.com Optional additional valid hostnames for the certificate. In addition to hostnames, this option also accepts -+ explicit values supported by RFC 5280 such as IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy May be specified multiple -+ times. - --package=STRING Unused. Retained for compatibility with earlier versions of sscg. - --key-strength=2048 or larger Strength of the certificate private keys in bits. (default: 2048) - --hash-alg={sha256,sha384,sha512} Hashing algorithm to use for signing. (default: "sha256") - --cipher-alg={des-ede3-cbc,aes-256-cbc} Cipher to use for encrypting key files. (default: "aes-256-cbc") - --ca-file=STRING Path where the public CA certificate will be stored. (default: "./ca.crt") - --ca-mode=0644 File mode of the created CA certificate. -- --ca-key-file=STRING Path where the CA's private key will be stored. If unspecified, the key will be -- destroyed rather than written to the disk. -+ --ca-key-file=STRING Path where the CA's private key will be stored. If unspecified, the key will be destroyed rather than written -+ to the disk. - --ca-key-mode=0600 File mode of the created CA key. -- --ca-key-password=STRING Provide a password for the CA key file. Note that this will be visible in the -- process table for all users, so it should be used for testing purposes only. Use -- --ca-keypassfile or --ca-key-password-prompt for secure password entry. -+ --ca-key-password=STRING Provide a password for the CA key file. Note that this will be visible in the process table for all users, so -+ it should be used for testing purposes only. Use --ca-keypassfile or --ca-key-password-prompt for secure -+ password entry. - --ca-key-passfile=STRING A file containing the password to encrypt the CA key file. - -C, --ca-key-password-prompt Prompt to enter a password for the CA key file. -- --crl-file=STRING Path where an (empty) Certificate Revocation List file will be created, for -- applications that expect such a file to exist. If unspecified, no such file will -- be created. -+ --crl-file=STRING Path where an (empty) Certificate Revocation List file will be created, for applications that expect such a -+ file to exist. If unspecified, no such file will be created. - --crl-mode=0644 File mode of the created Certificate Revocation List. - --cert-file=STRING Path where the public service certificate will be stored. (default "./service.pem") - --cert-mode=0644 File mode of the created certificate. - --cert-key-file=STRING Path where the service's private key will be stored. (default "service-key.pem") - --cert-key-mode=0600 File mode of the created certificate key. -- -p, --cert-key-password=STRING Provide a password for the service key file. Note that this will be visible in the -- process table for all users, so this flag should be used for testing purposes -- only. Use --cert-keypassfile or --cert-key-password-prompt for secure password -- entry. -+ -p, --cert-key-password=STRING Provide a password for the service key file. Note that this will be visible in the process table for all users, -+ so this flag should be used for testing purposes only. Use --cert-keypassfile or --cert-key-password-prompt for -+ secure password entry. - --cert-key-passfile=STRING A file containing the password to encrypt the service key file. - -P, --cert-key-password-prompt Prompt to enter a password for the service key file. - --client-file=STRING Path where a client authentication certificate will be stored. - --client-mode=0644 File mode of the created certificate. - --client-key-file=STRING Path where the client's private key will be stored. (default is the client-file) - --client-key-mode=0600 File mode of the created certificate key. -- --client-key-password=STRING Provide a password for the client key file. Note that this will be visible in the -- process table for all users, so this flag should be used for testing purposes -- only. Use --client-keypassfile or --client-key-password-prompt for secure password -- entry. -+ --client-key-password=STRING Provide a password for the client key file. Note that this will be visible in the process table for all users, -+ so this flag should be used for testing purposes only. Use --client-keypassfile or --client-key-password-prompt -+ for secure password entry. - --client-key-passfile=STRING A file containing the password to encrypt the client key file. - --client-key-password-prompt Prompt to enter a password for the client key file. - --dhparams-file=STRING A file to contain a set of Diffie-Hellman parameters. (Default: "./dhparams.pem") -- --dhparams-named-group=STRING Output well-known DH parameters. The available named groups are: ffdhe2048, -- ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp_2048, modp_3072, modp_4096, -- modp_6144, modp_8192, modp_1536, dh_1024_160, dh_2048_224, dh_2048_256. (Default: -- "ffdhe4096") -- --dhparams-prime-len=INT The length of the prime number to generate for dhparams, in bits. If set to -- non-zero, the parameters will be generated rather than using a well-known group. -- (default: 0) -+ --no-dhparams-file Do not create the dhparams file -+ --dhparams-named-group=STRING Output well-known DH parameters. The available named groups are: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, -+ ffdhe8192, modp_2048, modp_3072, modp_4096, modp_6144, modp_8192, modp_1536, dh_1024_160, dh_2048_224, -+ dh_2048_256. (Default: "ffdhe4096") -+ --dhparams-prime-len=INT The length of the prime number to generate for dhparams, in bits. If set to non-zero, the parameters will be -+ generated rather than using a well-known group. (default: 0) - --dhparams-generator={2,3,5} The generator value for dhparams. (default: 2) - - Help options: --- -2.41.0 - diff --git a/sources b/sources index e51b29d..67818a9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sscg-3.0.5.tar.gz) = da4db537096608683726084ea342cf3e06ec25da16c4475a29e83a466486a4ace8b58253520034eb263d8cefde14e21f3fe69d23fa75686cab5e3a7f8e170442 +SHA512 (sscg-3.0.6.tar.gz) = cf3397488f143326c0cd04535d53fd5482066f2f6ec31e6a4d79ee0afcbbe4f68258ff7fa77c2f1b3a270b18dbd312d587d5a03e1a05ad1ffb40746d132f44c6 diff --git a/sscg.spec b/sscg.spec index eb71105..c3fc86f 100644 --- a/sscg.spec +++ b/sscg.spec @@ -9,16 +9,13 @@ %{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs} Name: sscg -Version: 3.0.5 +Version: 3.0.6 Release: %autorelease Summary: Simple SSL certificate generator -License: GPL-3.0-or-later WITH cryptsetup-OpenSSL-exception +License: GPLv3+ with exceptions URL: https://%{provider_prefix} -Source0: sscg-3.0.5.tar.gz -# Extend maximum DNS name to 255 -# Author: Stephen Gallagher -Patch1: 0001-Extend-maximum-DNS-name-to-255.patch +Source0: %{URL}/archive/refs/tags/sscg-%{version}.tar.gz BuildRequires: gcc BuildRequires: libtalloc-devel BuildRequires: openssl @@ -39,7 +36,7 @@ up a full PKI environment and without exposing the machine to a risk of false signatures from the service certificate. %prep -%autosetup -p1 -n sscg-3.0.5 +%autosetup -p1 -n sscg-sscg-%{version} %build From c5af5ba810ee194bb41f052f80c04707b3bee29d Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 3 Apr 2025 11:38:51 -0400 Subject: [PATCH 12/20] Fix accidentally-reverted License: field Signed-off-by: Stephen Gallagher --- sscg.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sscg.spec b/sscg.spec index c3fc86f..26f3fa1 100644 --- a/sscg.spec +++ b/sscg.spec @@ -13,7 +13,7 @@ Version: 3.0.6 Release: %autorelease Summary: Simple SSL certificate generator -License: GPLv3+ with exceptions +License: GPL-3.0-or-later WITH cryptsetup-OpenSSL-exception URL: https://%{provider_prefix} Source0: %{URL}/archive/refs/tags/sscg-%{version}.tar.gz BuildRequires: gcc From 670d5e43af8a5b671dd315354e05b30d54352299 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 22 Apr 2025 13:56:35 -0400 Subject: [PATCH 13/20] Update to 3.0.7 Ensure 'critical' basicConstraint for CA cert Signed-off-by: Stephen Gallagher --- .gitignore | 1 + sources | 2 +- sscg.spec | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index fa4916e..36b5c11 100644 --- a/.gitignore +++ b/.gitignore @@ -28,3 +28,4 @@ /sscg-3.0.3.tar.gz /sscg-3.0.5.tar.gz /sscg-3.0.6.tar.gz +/sscg-3.0.7.tar.gz diff --git a/sources b/sources index 67818a9..4d52610 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sscg-3.0.6.tar.gz) = cf3397488f143326c0cd04535d53fd5482066f2f6ec31e6a4d79ee0afcbbe4f68258ff7fa77c2f1b3a270b18dbd312d587d5a03e1a05ad1ffb40746d132f44c6 +SHA512 (sscg-3.0.7.tar.gz) = d9cb1700b835c5d4d358d821a1022f285bed1a199fdd140fe31339248c5e859a438a26bc8cd55f1d3a8eadaed77e1aa655a22d6a4e483d4fb26db007c4248009 diff --git a/sscg.spec b/sscg.spec index 26f3fa1..bf8137a 100644 --- a/sscg.spec +++ b/sscg.spec @@ -9,7 +9,7 @@ %{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs} Name: sscg -Version: 3.0.6 +Version: 3.0.7 Release: %autorelease Summary: Simple SSL certificate generator From 0954d1a211323c3cff529ac0506974134bbdca6e Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Wed, 23 Jul 2025 16:46:15 -0400 Subject: [PATCH 14/20] Update to SSCG 3.0.8 - Fix IP address handling in CA certificate SAN constraints * Add automatic single-IP subnet mask to IP addresses in CA name constraints * Update help text to show simplified IP format without subnet mask - Greatly expand the in-tree test suite Signed-off-by: Stephen Gallagher --- .gitignore | 1 + sources | 2 +- sscg.spec | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 36b5c11..95dcb45 100644 --- a/.gitignore +++ b/.gitignore @@ -29,3 +29,4 @@ /sscg-3.0.5.tar.gz /sscg-3.0.6.tar.gz /sscg-3.0.7.tar.gz +/sscg-3.0.8.tar.gz diff --git a/sources b/sources index 4d52610..38fe736 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sscg-3.0.7.tar.gz) = d9cb1700b835c5d4d358d821a1022f285bed1a199fdd140fe31339248c5e859a438a26bc8cd55f1d3a8eadaed77e1aa655a22d6a4e483d4fb26db007c4248009 +SHA512 (sscg-3.0.8.tar.gz) = cc72ce3c3ee762c0f82d2e7dbbd2136bd343214336e6eb08f802bbcbde995e76a017ce498e6fd11ff081dda9b3e8e462c164905c2684ba550021bf261cf1814b diff --git a/sscg.spec b/sscg.spec index bf8137a..87eb0a0 100644 --- a/sscg.spec +++ b/sscg.spec @@ -9,7 +9,7 @@ %{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs} Name: sscg -Version: 3.0.7 +Version: 3.0.8 Release: %autorelease Summary: Simple SSL certificate generator From 9111b8538658d0008b02104689a1ab55ac25871f Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Mon, 11 Aug 2025 05:11:41 -0400 Subject: [PATCH 15/20] Fix Summary Upstream renamed the project years ago from "Simple SSL Certificate Generator" to "Simple Signed Certificate Generator" and we never updated the packaging to match. Signed-off-by: Stephen Gallagher --- sscg.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sscg.spec b/sscg.spec index 87eb0a0..78f604f 100644 --- a/sscg.spec +++ b/sscg.spec @@ -11,7 +11,7 @@ Name: sscg Version: 3.0.8 Release: %autorelease -Summary: Simple SSL certificate generator +Summary: Simple Signed Certificate Generator License: GPL-3.0-or-later WITH cryptsetup-OpenSSL-exception URL: https://%{provider_prefix} From 900e10c558a5d7fe2cc00d1c9a96a60616ecc321 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 23 Oct 2025 10:52:52 -0400 Subject: [PATCH 16/20] Release SSCG 4.0.0 - Support for ML-DSA keys for post-quantum cryptography (PQC) when built against OpenSSL 3.5 or later - Support for EC-DSA keys for elliptic curves - RSA certificate authority is now created with a minimum key strength of 4096 bits - Improved --help output - Deprecated support for generating custom DH parameters - Stopped producing the DH parameter file by default (it may be requested explicitly with the --dhparams-file argument) - Minimum OpenSSL version is now 3.0 Signed-off-by: Stephen Gallagher --- .gitignore | 1 + sources | 2 +- sscg.spec | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 95dcb45..b68ee09 100644 --- a/.gitignore +++ b/.gitignore @@ -30,3 +30,4 @@ /sscg-3.0.6.tar.gz /sscg-3.0.7.tar.gz /sscg-3.0.8.tar.gz +/sscg-4.0.0.tar.gz diff --git a/sources b/sources index 38fe736..6dc9c06 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sscg-3.0.8.tar.gz) = cc72ce3c3ee762c0f82d2e7dbbd2136bd343214336e6eb08f802bbcbde995e76a017ce498e6fd11ff081dda9b3e8e462c164905c2684ba550021bf261cf1814b +SHA512 (sscg-4.0.0.tar.gz) = 163fd89520714a8e9643c0f83c84b3d602b77351e4094bb214a2545cacaef10a0b195fd7f176ac3c8bca975c3b96568eb802e562f13d5e94438f728cea6e8965 diff --git a/sscg.spec b/sscg.spec index 78f604f..6093d06 100644 --- a/sscg.spec +++ b/sscg.spec @@ -9,7 +9,7 @@ %{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs} Name: sscg -Version: 3.0.8 +Version: 4.0.0 Release: %autorelease Summary: Simple Signed Certificate Generator From 9017cd8b5add793e189d1a3752d9fbdf72fc3100 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Fri, 21 Nov 2025 15:24:57 -0500 Subject: [PATCH 17/20] Update to SSCG 4.0.1 * Drop dependency on libpath_utils * Minor fixes and code cleanups Signed-off-by: Stephen Gallagher --- .gitignore | 1 + sources | 2 +- sscg.spec | 3 +-- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index b68ee09..c0c0701 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,4 @@ /sscg-3.0.7.tar.gz /sscg-3.0.8.tar.gz /sscg-4.0.0.tar.gz +/sscg-4.0.1.tar.gz diff --git a/sources b/sources index 6dc9c06..2f64a75 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sscg-4.0.0.tar.gz) = 163fd89520714a8e9643c0f83c84b3d602b77351e4094bb214a2545cacaef10a0b195fd7f176ac3c8bca975c3b96568eb802e562f13d5e94438f728cea6e8965 +SHA512 (sscg-4.0.1.tar.gz) = 935ce6f22cb5fb8fd5cf325a6df296de5d8527c22e86f948b6b15b5e568c767fe26267aaaaf6d741dad02bfabf821eb6c8a5b729dcab3ed91af4f553478f7fd9 diff --git a/sscg.spec b/sscg.spec index 6093d06..858b703 100644 --- a/sscg.spec +++ b/sscg.spec @@ -9,7 +9,7 @@ %{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs} Name: sscg -Version: 4.0.0 +Version: 4.0.1 Release: %autorelease Summary: Simple Signed Certificate Generator @@ -21,7 +21,6 @@ BuildRequires: libtalloc-devel BuildRequires: openssl BuildRequires: openssl-devel BuildRequires: popt-devel -BuildRequires: libpath_utils-devel BuildRequires: meson BuildRequires: ninja-build BuildRequires: help2man From 91a6bb94a604774a074de35c41ac704f15e077d7 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Mon, 1 Dec 2025 12:58:55 -0500 Subject: [PATCH 18/20] Update to SSCG 4.0.2 Fixes a regression when attempting to use the same output file for both the CA and service certificates. Signed-off-by: Stephen Gallagher --- .gitignore | 1 + sources | 2 +- sscg.spec | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index c0c0701..a236d72 100644 --- a/.gitignore +++ b/.gitignore @@ -32,3 +32,4 @@ /sscg-3.0.8.tar.gz /sscg-4.0.0.tar.gz /sscg-4.0.1.tar.gz +/sscg-4.0.2.tar.gz diff --git a/sources b/sources index 2f64a75..752df69 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sscg-4.0.1.tar.gz) = 935ce6f22cb5fb8fd5cf325a6df296de5d8527c22e86f948b6b15b5e568c767fe26267aaaaf6d741dad02bfabf821eb6c8a5b729dcab3ed91af4f553478f7fd9 +SHA512 (sscg-4.0.2.tar.gz) = cefce5456d609cfe0a38ec734dd918bca65af53361ef44ad77ffdcbd10cd0848cf512707201b62fc15e1428231edd678cc9843ed59ecc79ba760307ad2b6a2b4 diff --git a/sscg.spec b/sscg.spec index 858b703..7224498 100644 --- a/sscg.spec +++ b/sscg.spec @@ -9,7 +9,7 @@ %{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs} Name: sscg -Version: 4.0.1 +Version: 4.0.2 Release: %autorelease Summary: Simple Signed Certificate Generator From 9a650699eb952217bce7e3049c17d5e7d8eaa206 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Mon, 1 Dec 2025 22:46:08 -0500 Subject: [PATCH 19/20] Update to 4.0.3 - Don't truncate destination files until just prior to writing. - Add test for file replacement - Use int type for POPT_ARG_NONE values to fix a bug on s390x Signed-off-by: Stephen Gallagher --- .gitignore | 1 + sources | 2 +- sscg.spec | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index a236d72..9d784f4 100644 --- a/.gitignore +++ b/.gitignore @@ -33,3 +33,4 @@ /sscg-4.0.0.tar.gz /sscg-4.0.1.tar.gz /sscg-4.0.2.tar.gz +/sscg-4.0.3.tar.gz diff --git a/sources b/sources index 752df69..ebbdfd3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sscg-4.0.2.tar.gz) = cefce5456d609cfe0a38ec734dd918bca65af53361ef44ad77ffdcbd10cd0848cf512707201b62fc15e1428231edd678cc9843ed59ecc79ba760307ad2b6a2b4 +SHA512 (sscg-4.0.3.tar.gz) = f629cf7e32d4d4e7c1f58c4a53be925b96980e6fb3106e3a36a72f85c723bd79fba6aecdbf092b50f915a8833297bc7c6c1ccbe04fef488db38bbdc1e3a95b96 diff --git a/sscg.spec b/sscg.spec index 7224498..56ea1ed 100644 --- a/sscg.spec +++ b/sscg.spec @@ -9,7 +9,7 @@ %{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs} Name: sscg -Version: 4.0.2 +Version: 4.0.3 Release: %autorelease Summary: Simple Signed Certificate Generator From a03c0c7017911abcde50a8b9ff17ac80788b1600 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 2 Dec 2025 14:25:20 -0500 Subject: [PATCH 20/20] Fix segmentation fault when passed bad arguments Signed-off-by: Stephen Gallagher --- ...fault-on-receiving-bad-CLI-arguments.patch | 38 +++++++++++++++++++ sscg.spec | 4 ++ 2 files changed, 42 insertions(+) create mode 100644 0001-Avoid-segfault-on-receiving-bad-CLI-arguments.patch diff --git a/0001-Avoid-segfault-on-receiving-bad-CLI-arguments.patch b/0001-Avoid-segfault-on-receiving-bad-CLI-arguments.patch new file mode 100644 index 0000000..c80dc87 --- /dev/null +++ b/0001-Avoid-segfault-on-receiving-bad-CLI-arguments.patch @@ -0,0 +1,38 @@ +From 0c37e7ace585cfb550a0ffd9d5c331d059fd687f Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Tue, 2 Dec 2025 12:12:26 -0500 +Subject: [PATCH] Avoid segfault on receiving bad CLI arguments + +Signed-off-by: Stephen Gallagher +--- + src/sscg.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/sscg.c b/src/sscg.c +index b9b191f109300f6447262858f57a3a8321a14966..00e2862c2d6be5c44a4a362fc926e1a07d31d7bf 100644 +--- a/src/sscg.c ++++ b/src/sscg.c +@@ -59,7 +59,7 @@ int + main (int argc, const char **argv) + { + int ret, sret; +- struct sscg_options *options; ++ struct sscg_options *options = NULL; + bool build_client_cert = false; + char *dhparams_file = NULL; + +@@ -342,7 +342,10 @@ main (int argc, const char **argv) + done: + if (ret != EOK) + { +- sscg_io_utils_delete_output_files (options->streams); ++ if (options) ++ { ++ sscg_io_utils_delete_output_files (options->streams); ++ } + } + talloc_zfree (main_ctx); + if (getenv ("SSCG_TALLOC_REPORT")) +-- +2.52.0 + diff --git a/sscg.spec b/sscg.spec index 56ea1ed..4a60e76 100644 --- a/sscg.spec +++ b/sscg.spec @@ -25,6 +25,10 @@ BuildRequires: meson BuildRequires: ninja-build BuildRequires: help2man +# Upstream patch to avoid segfaults when receiving bad CLI arguments +# https://github.com/sgallagher/sscg/commit/0c37e7ace585cfb550a0ffd9d5c331d059fd687f +Patch: 0001-Avoid-segfault-on-receiving-bad-CLI-arguments.patch + %description A utility to aid in the creation of more secure "self-signed"