[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][master] 2 commits: Fix build with OpenSSL 3.0. (Closes: #1001311)
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Fri Dec 10 14:51:34 GMT 2021
Timo Aaltonen pushed to branch master at FreeIPA packaging / certmonger
Commits:
fc447835 by Timo Aaltonen at 2021-12-10T15:13:38+02:00
Fix build with OpenSSL 3.0. (Closes: #1001311)
- - - - -
c151f442 by Timo Aaltonen at 2021-12-10T16:26:18+02:00
releasing package certmonger version 0.79.14+git20211010-3
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/0001-candidate-openssl-3.0-compat-fixes.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+certmonger (0.79.14+git20211010-3) experimental; urgency=medium
+
+ * Fix build with OpenSSL 3.0. (Closes: #1001311)
+
+ -- Timo Aaltonen <tjaalton at debian.org> Fri, 10 Dec 2021 15:13:59 +0200
+
certmonger (0.79.14+git20211010-2) unstable; urgency=medium
* control, rules: Build-depend on systemd instead of libsystemd-dev, and
=====================================
debian/patches/0001-candidate-openssl-3.0-compat-fixes.patch
=====================================
@@ -0,0 +1,573 @@
+From 3fb9420e843694567a4976c6d5fbe4551d6e0c99 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten at redhat.com>
+Date: Tue, 18 May 2021 15:40:53 -0400
+Subject: [PATCH 1/3] candidate openssl 3.0 compat fixes
+
+---
+ src/keyiread-o.c | 16 +++++--
+ src/util-o.c | 2 +
+ tests/001-keyiread-ec/run.sh | 2 +-
+ tests/001-keyiread-rsa/run.sh | 2 +-
+ tests/001-keyiread/run.sh | 2 +-
+ tests/002-keygen-sql/prequal.sh | 5 +++
+ tests/002-keygen/run.sh | 2 +-
+ tests/003-csrgen-ec/run.sh | 2 +-
+ tests/003-csrgen-rsa/run.sh | 2 +-
+ tests/003-csrgen/run.sh | 2 +-
+ tests/004-selfsign-ec/run.sh | 2 +-
+ tests/004-selfsign-rsa/run.sh | 2 +-
+ tests/004-selfsign/run.sh | 2 +-
+ tests/025-casave/run.sh | 2 +-
+ tests/026-local/expected.openssl1 | 73 ++++++++++++++++++++++++++++++
+ tests/026-local/expected.openssl3 | 68 ++++++++++++++++++++++++++++
+ tests/026-local/expected.out | 74 +------------------------------
+ tests/026-local/run.sh | 11 ++++-
+ tests/030-rekey/expected.out | 4 --
+ tests/030-rekey/run.sh | 10 +----
+ tests/036-getcert/run.sh | 2 +-
+ 21 files changed, 184 insertions(+), 103 deletions(-)
+ create mode 100755 tests/002-keygen-sql/prequal.sh
+ create mode 100644 tests/026-local/expected.openssl1
+ create mode 100644 tests/026-local/expected.openssl3
+
+diff --git a/src/keyiread-o.c b/src/keyiread-o.c
+index 9fceacf6..51f7f829 100644
+--- a/src/keyiread-o.c
++++ b/src/keyiread-o.c
+@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ pubikey = cm_store_hex_from_bin(NULL, tmp, length);
+ }
+ tmp = NULL;
+- length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
++ length = i2d_PublicKey(pkey, NULL);
+ if (length > 0) {
+- pubkey = cm_store_hex_from_bin(NULL, tmp, length);
++ tmp = malloc(length);
++ if (tmp != NULL) {
++ length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
++ pubkey = cm_store_hex_from_bin(NULL, tmp, length);
++ }
+ }
+ }
+ fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
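Review bot: The second call, `i2d_PublicKey(pkey, (unsigned char **) &tmp)`, is handed a non-NULL buffer, and in that mode the i2d functions advance the pointer past the bytes they wrote, so the following `cm_store_hex_from_bin(NULL, tmp, length)` reads `length` bytes beyond the end of the `malloc(length)` allocation. As far as the hunk shows, the start of the buffer is also lost, so it can no longer be freed. Encode through a scratch cursor and hex-encode from the buffer start, `unsigned char *p = (unsigned char *) tmp;` then `length = i2d_PublicKey(pkey, &p);`, and re-check `length > 0` before the conversion. The next hunk repeats the same pattern for `nextpkey`. `cm_keyiread_o_main` starts and ends outside both hunks, so later handling of `tmp` is not visible here.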
+@@ -219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ pubikey = cm_store_hex_from_bin(NULL, tmp, length);
+ }
+ tmp = NULL;
+- length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
++ length = i2d_PublicKey(nextpkey, NULL);
+ if (length > 0) {
+- pubkey = cm_store_hex_from_bin(NULL, tmp, length);
++ tmp = malloc(length);
++ if (tmp != NULL) {
++ length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
++ pubkey = cm_store_hex_from_bin(NULL, tmp, length);
++ }
+ }
+ fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
+ } else {
+diff --git a/src/util-o.c b/src/util-o.c
+index 0415014a..2208ab64 100644
+--- a/src/util-o.c
++++ b/src/util-o.c
+@@ -46,6 +46,7 @@
+ void
+ util_o_init(void)
+ {
++#if OPENSSL_VERSION_MAJOR < 3
+ #if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
+ OpenSSL_add_all_algorithms();
+ #elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS
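Review bot: The new guard `#if OPENSSL_VERSION_MAJOR < 3` in `util_o_init` is correct on OpenSSL 1.x only because that macro is undefined there and an undefined identifier evaluates to 0 inside `#if`. Spelling this out as `#if !defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_MAJOR < 3` makes the intent explicit and stays quiet under `-Wundef`. A one-line comment saying why the registration calls are skipped for 3.0, plus a `/* OPENSSL_VERSION_MAJOR < 3 */` tag on the closing `#endif` added in the next hunk, would make the nested `#if`/`#elif`/`#else` pairing easier to follow. Whether `<openssl/opensslv.h>` is included before this point lies outside the hunk.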
+@@ -53,6 +54,7 @@ util_o_init(void)
+ #else
+ SSL_library_init();
+ #endif
++#endif
+ }
+
+ char *
+diff --git a/tests/001-keyiread-ec/run.sh b/tests/001-keyiread-ec/run.sh
+index 3045f6d0..8a810d15 100755
+--- a/tests/001-keyiread-ec/run.sh
++++ b/tests/001-keyiread-ec/run.sh
+@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do
+ EOF
+ $toolsdir/keyiread entry.nss.$size
+ # Export the key.
+- if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
++ if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
+ echo Error exporting key for $size, continuing.
+ continue
+ fi
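Review bot: The `-C AES-128-CBC -c AES-128-CBC` options added to the `pk12util` export are not explained, either here or in the patch description. The same edit is repeated in the 001-keyiread*, 003-csrgen*, 004-selfsign*, 030-rekey and 036-getcert scripts. Presumably the explicit cipher is needed because OpenSSL 3.0 does not decrypt the older PKCS#12 ciphers that NSS picked by default unless its legacy provider is loaded; that should be confirmed and recorded above the call, for example `# Export with AES so openssl pkcs12 on 3.0 can read the file without the legacy provider.`. If these scripts share a sourced helper file, defining the flag pair once there would keep the cipher choice in a single place.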
+diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
+index c6b4d38b..997ce000 100755
+--- a/tests/001-keyiread-rsa/run.sh
++++ b/tests/001-keyiread-rsa/run.sh
+@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
+ -s "cn=T$size" -c "cn=T$size" \
+ -x -t u -k rsa
+ # Export the key.
+- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
+ cat > entry.openssl.$size <<- EOF
+ key_storage_type=FILE
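Review bot: The `pk12util` export in this loop sends all output to `/dev/null` and ignores the exit status. An NSS build that rejects the new `-C`/`-c` cipher names therefore fails silently, and the problem only surfaces later as a mismatch in the `openssl pkcs12` step or in the expected output. 001-keyiread-ec already wraps the same call in `if ! pk12util … ; then`; doing the same here, or appending `|| { echo "Error exporting key for $size" >&2; exit 1; }`, would make a rejected option visible. The redirected calls in 001-keyiread, 003-csrgen-ec, 004-selfsign, 004-selfsign-ec, 004-selfsign-rsa and 030-rekey have the same gap. Whether these scripts run under `set -e` is not visible in the hunks.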
+diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
+index 25acdbd8..3a2502a6 100755
+--- a/tests/001-keyiread/run.sh
++++ b/tests/001-keyiread/run.sh
+@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
+ -s "cn=T$size" -c "cn=T$size" \
+ -x -t u
+ # Export the key.
+- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
+ cat > entry.openssl.$size <<- EOF
+ key_storage_type=FILE
+diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
+new file mode 100755
+index 00000000..d146a650
+--- /dev/null
++++ b/tests/002-keygen-sql/prequal.sh
+@@ -0,0 +1,5 @@
++#!/bin/sh
++if test `id -u` -eq 0 ; then
++ echo "This test won't work right if run as root."
++ exit 1
++fi
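Review bot: The root check in the new prequal.sh uses a backtick command substitution left unquoted inside `test`; `if [ "$(id -u)" -eq 0 ]; then` is the conventional POSIX form and behaves the same under `/bin/sh`. The message says the test "won't work right" as root but not why. A one-line comment naming the step that depends on running unprivileged would help whoever hits this check in a root-only build environment.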
+diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
+index 8bb609c5..e7e6525f 100755
+--- a/tests/002-keygen/run.sh
++++ b/tests/002-keygen/run.sh
+@@ -2,7 +2,7 @@
+
+ cd "$tmpdir"
+
+-scheme="${scheme:-dbm:}"
++scheme="${scheme:-sql:}"
+
+ source "$srcdir"/functions
+ initnssdb "$scheme$tmpdir"
+diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
+index 91117ec8..408ea526 100755
+--- a/tests/003-csrgen-ec/run.sh
++++ b/tests/003-csrgen-ec/run.sh
+@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+ -x -t u -k ec -q $size
+ # Export the key.
+-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
++pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )
+ # Read the public key and cache it.
+ cat > entry.openssl.$size <<- EOF
+diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
+index bb8ebecb..9c11c708 100755
+--- a/tests/003-csrgen-rsa/run.sh
++++ b/tests/003-csrgen-rsa/run.sh
+@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
+ -s "cn=T$size" -c "cn=T$size" \
+ -x -t u -k rsa
+ # Export the key.
+- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+ openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )
+ # Read the public key and cache it.
+ cat > entry.openssl.$size <<- EOF
+diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
+index d3dfbaf0..2a674679 100755
+--- a/tests/003-csrgen/run.sh
++++ b/tests/003-csrgen/run.sh
+@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
+ -s "cn=T$size" -c "cn=T$size" \
+ -x -t u
+ # Export the key.
+- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+ openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : )
+ # Read the public key and cache it.
+ cat > entry.openssl.$size <<- EOF
+diff --git a/tests/004-selfsign-ec/run.sh b/tests/004-selfsign-ec/run.sh
+index 9d5bd11f..d1161fe5 100755
+--- a/tests/004-selfsign-ec/run.sh
++++ b/tests/004-selfsign-ec/run.sh
+@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
+ -s "cn=T$size" -c "cn=T$size" \
+ -x -t u -k ec -q $size
+ # Export the certificate and key.
+-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
++pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
+ # Read that OpenSSL key.
+ cat > entry.$size <<- EOF
+diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
+index c1dd4c80..b0cc71d2 100755
+--- a/tests/004-selfsign-rsa/run.sh
++++ b/tests/004-selfsign-rsa/run.sh
+@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do
+ -s "cn=T$size" -c "cn=T$size" \
+ -x -t u -k rsa
+ # Export the certificate and key.
+- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
+ # Read that OpenSSL key.
+ cat > entry.$size <<- EOF
+diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
+index eb1df4ee..ea00f4d7 100755
+--- a/tests/004-selfsign/run.sh
++++ b/tests/004-selfsign/run.sh
+@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do
+ -s "cn=T$size" -c "cn=T$size" \
+ -x -t u
+ # Export the certificate and key.
+- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
+ # Read that OpenSSL key.
+ cat > entry.$size <<- EOF
+diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh
+index d81df82f..089d8223 100755
+--- a/tests/025-casave/run.sh
++++ b/tests/025-casave/run.sh
+@@ -2,7 +2,7 @@
+
+ cd $tmpdir
+
+-scheme="${scheme:-dbm}"
++scheme="${scheme:-sql}"
+ cat > $tmpdir/entrycb1 <<- EOF
+ id=EntryCB1
+ ca_name=CAB1
+diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1
+new file mode 100644
+index 00000000..1f81c7ce
+--- /dev/null
++++ b/tests/026-local/expected.openssl1
+@@ -0,0 +1,73 @@
++[key]
++OK.
++[csr]
++Certificate Request:
++ Data:
++ Version: 1 (0x0)
++ Subject: CN=Babs Jensen's Signer
++ Attributes:
++ friendlyName :unable to print attribute
++ Requested Extensions:
++ X509v3 Key Usage:
++ Digital Signature, Certificate Sign, CRL Sign
++ X509v3 Subject Alternative Name:
++ email:root at localhost, email:root at localhost.localdomain
++ X509v3 Basic Constraints: critical
++ CA:TRUE
++ X509v3 Authority Key Identifier:
++ keyid:(160 bits)
++
++ X509v3 Subject Key Identifier:
++ (160 bits)
++ Authority Information Access:
++ OCSP - URI:http://ocsp-1.example.com:12345
++ OCSP - URI:http://ocsp-2.example.com:12345
++
++ OCSP No Check:
++
++[issue]
++[issuer]
++Certificate:
++ Data:
++ Version: 3 (0x2)
++ Signature Algorithm: sha256WithRSAEncryption
++ Issuer: CN=Local Signing Authority, CN=$UUID
++ Subject: CN=Local Signing Authority, CN=$UUID
++ X509v3 extensions:
++ X509v3 Basic Constraints: critical
++ CA:TRUE
++ X509v3 Subject Key Identifier:
++ (160 bits)
++ X509v3 Authority Key Identifier:
++ keyid:(160 bits)
++
++ X509v3 Key Usage: critical
++ Digital Signature, Certificate Sign, CRL Sign
++[subject]
++Certificate:
++ Data:
++ Version: 3 (0x2)
++ Signature Algorithm: sha256WithRSAEncryption
++ Issuer: CN=Local Signing Authority, CN=$UUID
++ Subject: CN=Babs Jensen's Signer
++ X509v3 extensions:
++ X509v3 Key Usage:
++ Digital Signature, Certificate Sign, CRL Sign
++ X509v3 Subject Alternative Name:
++ email:root at localhost, email:root at localhost.localdomain
++ X509v3 Basic Constraints: critical
++ CA:TRUE
++ X509v3 Authority Key Identifier:
++ keyid:(160 bits)
++
++ X509v3 Subject Key Identifier:
++ (160 bits)
++ Authority Information Access:
++ OCSP - URI:http://ocsp-1.example.com:12345
++ OCSP - URI:http://ocsp-2.example.com:12345
++
++ OCSP No Check:
++
++[verify]
++cert: OK
++OK.
+diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3
+new file mode 100644
+index 00000000..05666ccc
+--- /dev/null
++++ b/tests/026-local/expected.openssl3
+@@ -0,0 +1,68 @@
++[key]
++OK.
++[csr]
++Certificate Request:
++ Data:
++ Version: 1 (0x0)
++ Subject: CN=Babs Jensen's Signer
++ Attributes:
++ friendlyName :unable to print attribute
++ Requested Extensions:
++ X509v3 Key Usage:
++ Digital Signature, Certificate Sign, CRL Sign
++ X509v3 Subject Alternative Name:
++ email:root at localhost, email:root at localhost.localdomain
++ X509v3 Basic Constraints: critical
++ CA:TRUE
++ X509v3 Authority Key Identifier:
++ (160 bits)
++ X509v3 Subject Key Identifier:
++ (160 bits)
++ Authority Information Access:
++ OCSP - URI:http://ocsp-1.example.com:12345
++ OCSP - URI:http://ocsp-2.example.com:12345
++ OCSP No Check:
++
++[issue]
++[issuer]
++Certificate:
++ Data:
++ Version: 3 (0x2)
++ Signature Algorithm: sha256WithRSAEncryption
++ Issuer: CN=Local Signing Authority, CN=$UUID
++ Subject: CN=Local Signing Authority, CN=$UUID
++ X509v3 extensions:
++ X509v3 Basic Constraints: critical
++ CA:TRUE
++ X509v3 Subject Key Identifier:
++ (160 bits)
++ X509v3 Authority Key Identifier:
++ (160 bits)
++ X509v3 Key Usage: critical
++ Digital Signature, Certificate Sign, CRL Sign
++[subject]
++Certificate:
++ Data:
++ Version: 3 (0x2)
++ Signature Algorithm: sha256WithRSAEncryption
++ Issuer: CN=Local Signing Authority, CN=$UUID
++ Subject: CN=Babs Jensen's Signer
++ X509v3 extensions:
++ X509v3 Key Usage:
++ Digital Signature, Certificate Sign, CRL Sign
++ X509v3 Subject Alternative Name:
++ email:root at localhost, email:root at localhost.localdomain
++ X509v3 Basic Constraints: critical
++ CA:TRUE
++ X509v3 Authority Key Identifier:
++ (160 bits)
++ X509v3 Subject Key Identifier:
++ (160 bits)
++ Authority Information Access:
++ OCSP - URI:http://ocsp-1.example.com:12345
++ OCSP - URI:http://ocsp-2.example.com:12345
++ OCSP No Check:
++
++[verify]
++cert: OK
++OK.
+diff --git a/tests/026-local/expected.out b/tests/026-local/expected.out
+index 1f81c7ce..64afb8f5 100644
+--- a/tests/026-local/expected.out
++++ b/tests/026-local/expected.out
+@@ -1,73 +1 @@
+-[key]
+-OK.
+-[csr]
+-Certificate Request:
+- Data:
+- Version: 1 (0x0)
+- Subject: CN=Babs Jensen's Signer
+- Attributes:
+- friendlyName :unable to print attribute
+- Requested Extensions:
+- X509v3 Key Usage:
+- Digital Signature, Certificate Sign, CRL Sign
+- X509v3 Subject Alternative Name:
+- email:root at localhost, email:root at localhost.localdomain
+- X509v3 Basic Constraints: critical
+- CA:TRUE
+- X509v3 Authority Key Identifier:
+- keyid:(160 bits)
+-
+- X509v3 Subject Key Identifier:
+- (160 bits)
+- Authority Information Access:
+- OCSP - URI:http://ocsp-1.example.com:12345
+- OCSP - URI:http://ocsp-2.example.com:12345
+-
+- OCSP No Check:
+-
+-[issue]
+-[issuer]
+-Certificate:
+- Data:
+- Version: 3 (0x2)
+- Signature Algorithm: sha256WithRSAEncryption
+- Issuer: CN=Local Signing Authority, CN=$UUID
+- Subject: CN=Local Signing Authority, CN=$UUID
+- X509v3 extensions:
+- X509v3 Basic Constraints: critical
+- CA:TRUE
+- X509v3 Subject Key Identifier:
+- (160 bits)
+- X509v3 Authority Key Identifier:
+- keyid:(160 bits)
+-
+- X509v3 Key Usage: critical
+- Digital Signature, Certificate Sign, CRL Sign
+-[subject]
+-Certificate:
+- Data:
+- Version: 3 (0x2)
+- Signature Algorithm: sha256WithRSAEncryption
+- Issuer: CN=Local Signing Authority, CN=$UUID
+- Subject: CN=Babs Jensen's Signer
+- X509v3 extensions:
+- X509v3 Key Usage:
+- Digital Signature, Certificate Sign, CRL Sign
+- X509v3 Subject Alternative Name:
+- email:root at localhost, email:root at localhost.localdomain
+- X509v3 Basic Constraints: critical
+- CA:TRUE
+- X509v3 Authority Key Identifier:
+- keyid:(160 bits)
+-
+- X509v3 Subject Key Identifier:
+- (160 bits)
+- Authority Information Access:
+- OCSP - URI:http://ocsp-1.example.com:12345
+- OCSP - URI:http://ocsp-2.example.com:12345
+-
+- OCSP No Check:
+-
+-[verify]
+-cert: OK
+-OK.
++# purposely empty
+diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh
+index 6f0e74c9..3e7ade56 100755
+--- a/tests/026-local/run.sh
++++ b/tests/026-local/run.sh
+@@ -1,4 +1,13 @@
+-#!/bin/bash -e
++#!/bin/bash
++
++openssl cmp -h > /dev/null 2>&1
++if [ $? == 1 ]; then
++ cp expected.openssl1 expected.out
++else
++ cp expected.openssl3 expected.out
++fi
++
++set -e
+
+ cd $tmpdir
+
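Review bot: The version probe at the top of 026-local/run.sh treats every exit status of `openssl cmp -h` other than 1 as OpenSSL 3, so a missing or broken `openssl` (status 127, for instance) selects `expected.openssl3`, and with `set -e` moved below the `cp` a failed copy goes unnoticed. The `cp` also runs before `cd $tmpdir` and writes `expected.out` by relative path, so it relies on the harness starting the script in the test's own, writable directory, which is not visible here. Selecting on the major version that `openssl version` reports, with `set -e` ahead of the copy, is sturdier; a sketch follows. Independently of that, `[ $? == 1 ]` should use `-eq` for a numeric comparison.

```shell
#!/bin/bash
set -e

# Choose the expected output from the major version openssl reports.
ver=$(openssl version)   # a plain assignment, so set -e aborts if openssl cannot be run
case "$ver" in
"OpenSSL 0."* | "OpenSSL 1."*) expected=expected.openssl1 ;;
*) expected=expected.openssl3 ;;
esac
cp "$expected" expected.out

# … unchanged: cd $tmpdir and the rest of the test …
```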
+diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out
+index e9a04221..8a9ac3fa 100644
+--- a/tests/030-rekey/expected.out
++++ b/tests/030-rekey/expected.out
+@@ -11,7 +11,6 @@ key_requested_count=0
+ (submit OpenSSL)
+ key_issued_count=0
+ key_requested_count=1
+-First round certificates OK.
+ NSS keys before re-keygen (preserve=1,pin=""):
+ <-> rsa originalhex NSS Certificate DB:i2048
+ key_issued_count=0
+@@ -98,7 +97,6 @@ key_requested_count=0
+ (submit OpenSSL)
+ key_issued_count=0
+ key_requested_count=1
+-First round certificates OK.
+ NSS keys before re-keygen (preserve=1,pin="password"):
+ <-> rsa originalhex NSS Certificate DB:i2048
+ key_issued_count=0
+@@ -185,7 +183,6 @@ key_requested_count=0
+ (submit OpenSSL)
+ key_issued_count=0
+ key_requested_count=1
+-First round certificates OK.
+ NSS keys before re-keygen (preserve=0,pin=""):
+ <-> rsa originalhex NSS Certificate DB:i2048
+ key_issued_count=0
+@@ -270,7 +267,6 @@ key_requested_count=0
+ (submit OpenSSL)
+ key_issued_count=0
+ key_requested_count=1
+-First round certificates OK.
+ NSS keys before re-keygen (preserve=0,pin="password"):
+ <-> rsa originalhex NSS Certificate DB:i2048
+ key_issued_count=0
+diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh
+index 07fea683..7b9125ec 100755
+--- a/tests/030-rekey/run.sh
++++ b/tests/030-rekey/run.sh
+@@ -31,7 +31,7 @@ for preserve in 1 0 ; do
+ -s "cn=T$size" -c "cn=T$size" \
+ -x -t u -m 4660 -f pinfile
+ # Export the certificate and key.
+- pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
+ openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size
+ openssl pkcs12 -in $size.p12 -passin pass: -nokeys -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size
+ # Grab a copy of the public key.
+@@ -101,14 +101,6 @@ for preserve in 1 0 ; do
+ echo '(submit OpenSSL)'
+ $toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size
+ grep ^key.\*count= entry.openssl.$size | LANG=C sort
+- # Now compare the self-signed certificates built from the keys.
+- if ! cmp cert.nss.$size cert.openssl.$size ; then
+- echo First round certificates differ:
+- cat cert.nss.$size cert.openssl.$size
+- exit 1
+- else
+- echo First round certificates OK.
+- fi
+
+ # Now generate new keys, CSRs, and certificates (NSS).
+ echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"
+diff --git a/tests/036-getcert/run.sh b/tests/036-getcert/run.sh
+index 1c99803d..bcb821d7 100755
+--- a/tests/036-getcert/run.sh
++++ b/tests/036-getcert/run.sh
+@@ -51,7 +51,7 @@ listdb() {
+ }
+
+ extract() {
+- pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
++ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
+ openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert
+ openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key
+ echo -n cert:
+--
+2.26.3
+
=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
fix-keythi-h-path.diff
fix-service-environment.diff
use-dbus-run-session.diff
+0001-candidate-openssl-3.0-compat-fixes.patch
View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/2bdb2f480178efd76e1e215df01983a9a8426546...c151f44278e5e750c1d311bc01cc80e162cf2533