From 6beaffbad608cb207b6e8901edd85c5e521f0b2a Mon Sep 17 00:00:00 2001
From: Liwei Ge
Date: Tue, 5 Sep 2023 20:06:23 +0800
Subject: [PATCH] regenerate certs

Signed-off-by: Liwei Ge
---
 1000-generate-pubkey-pinned-certs.patch | 30 +++++++++++++++++++++++++
 curl.spec | 15 ++++++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 1000-generate-pubkey-pinned-certs.patch

diff --git a/1000-generate-pubkey-pinned-certs.patch b/1000-generate-pubkey-pinned-certs.patch
new file mode 100644
index 0000000..ac76341
--- /dev/null
+++ b/1000-generate-pubkey-pinned-certs.patch
@@ -0,0 +1,30 @@
+diff --git a/tests/certs/scripts/genroot.sh b/tests/certs/scripts/genroot.sh
+index 6d0bd880a07a9..994550453e2e7 100755
+--- a/tests/certs/scripts/genroot.sh
++++ b/tests/certs/scripts/genroot.sh
+@@ -63,8 +63,8 @@ set -e
+ 
+ echo SERIAL=$SERIAL PREFIX=$PREFIX DURATION=$DURATION KEYSIZE=$KEYSIZE
+ 
+-echo "openssl genrsa -out $PREFIX-ca.key $KEYSIZE -passout XXX"
+-openssl genrsa -out $PREFIX-ca.key $KEYSIZE -passout pass:secret
++echo "openssl genrsa -out $PREFIX-ca.key -passout XXX $KEYSIZE"
++openssl genrsa -out $PREFIX-ca.key -passout pass:secret $KEYSIZE
+ 
+ echo "openssl req -config $PREFIX-ca.prm -new -key $PREFIX-ca.key -out $PREFIX-ca.csr"
+ $OPENSSL req -config $PREFIX-ca.prm -new -key $PREFIX-ca.key -out $PREFIX-ca.csr -passin pass:secret
+diff --git a/tests/certs/scripts/genserv.sh b/tests/certs/scripts/genserv.sh
+index 24fb395f6faac..969ae4c712d1a 100755
+--- a/tests/certs/scripts/genserv.sh
++++ b/tests/certs/scripts/genserv.sh
+@@ -133,6 +136,10 @@ touch $PREFIX-sv.dhp
+ cat $PREFIX-sv.prm $PREFIX-sv.key $PREFIX-sv.crt $PREFIX-sv.dhp >$PREFIX-sv.pem
+ chmod o-r $PREFIX-sv.prm
+ 
++$OPENSSL x509 -in $PREFIX-sv.pem -pubkey -noout | \
++$OPENSSL pkey -pubin -outform der | $OPENSSL dgst -sha256 -binary | \
++$OPENSSL enc -base64 >$PREFIX-sv.pubkey-pinned
++
+ echo "$PREFIX-sv.pem done"
+ 
+ 
diff --git a/curl.spec b/curl.spec
index 0dfe4ec..dd04abf 100644
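Review bot: The pin file produced by the new pipeline in genserv.sh (`$OPENSSL x509 ... | $OPENSSL pkey ... | $OPENSSL dgst ... | $OPENSSL enc -base64 >$PREFIX-sv.pubkey-pinned`) is written even when an earlier stage fails, because a shell pipeline's status is that of its last command and `openssl enc -base64` encodes empty input without complaint, so a broken extraction yields an empty pin file instead of an error. A one-line guard right after the pipeline catches that: `test -s $PREFIX-sv.pubkey-pinned`. The genroot.sh hunk only moves `$KEYSIZE` behind `-passout`, which is harmless. The genserv.sh hunk header `@@ -133,6 +136,10 @@` carries a three-line offset with no earlier hunk in that file, which looks hand-edited; patch tolerates the offset, but regenerating the hunk would be cleaner. Both hunks are fragments of scripts whose surrounding code lies outside this patch.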
--- a/curl.spec
+++ b/curl.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.2
+%define anolis_release .0.3
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
@@ -158,12 +158,15 @@ Patch104: 0104-curl-7.19.7-localhost6.patch
 # tests: do not hard-wire ports of test servers
 Patch105: 0105-curl-7.61.1-test-ports.patch
 
+Patch1000: 1000-generate-pubkey-pinned-certs.patch
+
 Provides: curl-full = %{version}-%{release}
 Provides: webclient
 Provides: /usr/bin/curl
 Requires: glibc
 URL: https://curl.haxx.se/
 BuildRequires: automake
+BuildRequires: openssl
 BuildRequires: brotli-devel
 BuildRequires: coreutils
 BuildRequires: gcc
@@ -376,6 +379,8 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
 %patch48 -p1
 %patch50 -p1
 
+%patch1000 -p1
+
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
 
@@ -449,10 +454,15 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \
 -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
 -i build-{full,minimal}/libtool
 
+make -C build-minimal/tests/certs clean-certs
+make -C build-minimal/tests/certs build-certs
 make %{?_smp_mflags} V=1 -C build-minimal
 make %{?_smp_mflags} V=1 -C build-full
 
 %check
+hash_id=$(cat tests/certs/Server-localhost-sv.pubkey-pinned)
+sed -i "s@sha256//.* @sha256//$hash_id @g" tests/data/test2041
+
 # we have to override LD_LIBRARY_PATH because we eliminated rpath
 LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
 export LD_LIBRARY_PATH
@@ -538,6 +548,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %doc docs/TheArtOfHttpScripting docs/TODO
 
 %changelog
+* Tue Sep 5 2023 Liwei Ge - 7.61.1-30.0.3.2
+- Generate pubkey pinned certs
+
 * Wed May 24 2023 Weisson - 7.61.1-30.0.1.2
 - Add doc sub package
 
-- 
Gitee
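Review bot: The `%check` rewrite of test2041's pin in the `@@ -449,10 +454,15 @@` hunk has no guard for an empty `hash_id`, and the pattern `sha256//.* ` is greedy, so an empty pin file leaves the test pinning to `sha256// ` and any further space-separated argument after the pin on that command line would be swallowed up to the last space. Tighten both: `hash_id=$(cat tests/certs/Server-localhost-sv.pubkey-pinned)`, `[ -n "$hash_id" ] || exit 1`, `sed -i "s@sha256//[^ ]* @sha256//$hash_id @g" tests/data/test2041`. The certificates are regenerated with `make -C build-minimal/tests/certs build-certs` while the pin is read from `tests/certs/` in the source tree; that only works if the certs Makefile writes its output into `$(srcdir)`, which I cannot confirm from this hunk. Since `build-certs` produces a fresh server key on every build, a silent regeneration failure would otherwise surface only as a confusing test2041 failure, so a comment above the `hash_id` line explaining that the pin is recomputed from the freshly generated key would help the next maintainer.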