| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhSZ7bfyKvUxmN+0P-XSN-FC6CH44PTKB5nj5mS32vRNHg@mail.gmail.com>
Date: Wed, 9 Jul 2025 11:29:27 -0400
From: Paul Moore <paul@...l-moore.com>
To: Mickaël Salaün <mic@...ikod.net>
Cc: David Howells <dhowells@...hat.com>, David Woodhouse <dwmw2@...radead.org>, keyrings@...r.kernel.org,
Eric Snowberg <eric.snowberg@...cle.com>, Jarkko Sakkinen <jarkko@...nel.org>,
Daniel Urbonas <t-durbonas@...rosoft.com>, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tools/certs: Make print-cert-tbs-hash.sh compatible with
recent OpenSSL
On Wed, Jul 9, 2025 at 9:20 AM Mickaël Salaün <mic@...ikod.net> wrote:
>
> I can take it but I'd like an Acked-by please.
% openssl -v
OpenSSL 3.5.1 1 Jul 2025 (Library: OpenSSL 3.5.1 1 Jul 2025)
With Linus' current tree:
% ./print-cert-tbs-hash.sh ./LVFS-CA.pem
Could not open file or uri for loading certificate from -: No such file or direc
tory
tbs:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
With the patch below:
% ./print-cert-tbs-hash.sh ./LVFS-CA.pem
tbs:b11d0663606508a8510b760d68acb599f1911726f7c06c01df4d122fce8b957b
Tested-by: Paul Moore <paul@...l-moore.com>
> On Mon, Oct 07, 2024 at 08:42:16PM +0200, Mickaël Salaün wrote:
> > Could someone please take this patch?
> >
> > On Mon, Jul 29, 2024 at 08:02:32PM +0200, Mickaël Salaün wrote:
> > > Recent OpenSSL versions (2 or 3) broke the "x509" argument parsing by
> > > not handling "-in -" (unlike OpenSSL 1.1):
> > > Could not open file or uri for loading certificate from -: No such
> > > file or directory
> > >
> > > Avoid this issue and still make this script work with older versions of
> > > OpenSSL by using implicit arguments instead.
> > >
> > > To hopefully make it more future-proof, apply the same simplifications
> > > for other OpenSSL commands.
> > >
> > > Cc: David Howells <dhowells@...hat.com>
> > > Cc: David Woodhouse <dwmw2@...radead.org>
> > > Cc: Eric Snowberg <eric.snowberg@...cle.com>
> > > Cc: Jarkko Sakkinen <jarkko@...nel.org>
> > > Reported-by: Daniel Urbonas <t-durbonas@...rosoft.com>
> > > Fixes: 58d416351e6d ("tools/certs: Add print-cert-tbs-hash.sh")
> > > Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> > > ---
> > > tools/certs/print-cert-tbs-hash.sh | 6 +++---
> > > 1 file changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/tools/certs/print-cert-tbs-hash.sh b/tools/certs/print-cert-tbs-hash.sh
> > > index c93df5387ec9..22bdeec4d286 100755
> > > --- a/tools/certs/print-cert-tbs-hash.sh
> > > +++ b/tools/certs/print-cert-tbs-hash.sh
> > > @@ -54,7 +54,7 @@ RANGE_AND_DIGEST_RE='
> > > '
> > >
> > > RANGE_AND_DIGEST=($(echo "${PEM}" | \
> > > - openssl asn1parse -in - | \
> > > + openssl asn1parse | \
> > > sed -n -e "${RANGE_AND_DIGEST_RE}"))
> > >
> > > if [ "${#RANGE_AND_DIGEST[@]}" != 3 ]; then
> > > @@ -85,7 +85,7 @@ if [ -z "${DIGEST_MATCH}" ]; then
> > > fi
> > >
> > > echo "${PEM}" | \
> > > - openssl x509 -in - -outform DER | \
> > > + openssl x509 -outform DER | \
> > > dd "bs=1" "skip=${OFFSET}" "count=${END}" "status=none" | \
> > > - openssl dgst "-${DIGEST_MATCH}" - | \
> > > + openssl dgst "-${DIGEST_MATCH}" | \
> > > awk '{printf "tbs:" $2}'
> > > --
> > > 2.45.2
--
paul-moore.com
Powered by blists - more mailing lists