Package: src:sssd
Version: 2.9.4-1
Severity: important
Tags: sid patch
control: affects -1 src:openssl
control: forwarded -1 https://github.com/SSSD/sssd/pull/7151
User: pkg-openssl-de...@lists.alioth.debian.org
Usertags: openssl-3.2

tests: Drop -extensions from openssl command if there is no -x509

The 'openssl req' ignores the '-extensions' option without '-x509'.
OpenSSL versions prior to 3.2 simply ignored it. Starting with version 3.2
an error is generated.

There are two patches attached: One against sssd and one against
debian/tests for debci.

Sebastian
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Wed, 24 Jan 2024 23:03:04 +0100
Subject: [PATCH] tests: Drop -extensions from openssl command if there is no
 -x509
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 'openssl req' ignores the '-extensions' option without '-x509'.
OpenSSL versions prior to 3.2 simply ignored it. Starting with version 3.2
an error is generated:

| /usr/bin/openssl req -batch -config
| ../../../../../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA.config
| -new -nodes -key
| …/build/../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA_key.pem
| -sha256 -extensions v3_ca -out SSSD_test_intermediate_CA_req.pem
| Error adding request extensions from section v3_ca
| 003163BAB27F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509/v3_akid.c:156:
| 003163BAB27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=keyid:always,issuer:always
|

Remove the '-extensions' option.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 src/tests/test_CA/intermediate_CA/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tests/test_CA/intermediate_CA/Makefile.am b/src/tests/test_CA/intermediate_CA/Makefile.am
index b439f82cb03e5..50fcddb8d2221 100644
--- a/src/tests/test_CA/intermediate_CA/Makefile.am
+++ b/src/tests/test_CA/intermediate_CA/Makefile.am
@@ -33,7 +33,7 @@ ca_all: clean SSSD_test_intermediate_CA.pem SSSD_test_intermediate_CA_full_db.pe
 	ln -s $(builddir)/../$@
 
 SSSD_test_intermediate_CA_req.pem: $(openssl_intermediate_ca_key) $(openssl_intermediate_ca_config) SSSD_test_CA.pem
-	$(OPENSSL) req -batch -config ${openssl_intermediate_ca_config} -new -nodes -key $< -sha256 -extensions v3_ca -out $@
+	$(OPENSSL) req -batch -config ${openssl_intermediate_ca_config} -new -nodes -key $< -sha256 -out $@
 
 SSSD_test_intermediate_CA.pem: SSSD_test_intermediate_CA_req.pem $(openssl_root_ca_config) $(openssl_root_ca_key)
 	cd .. && $(OPENSSL) ca -config ${openssl_root_ca_config} -batch -notext -keyfile $(openssl_root_ca_key) -in $(abs_builddir)/$< -days 200 -extensions v3_intermediate_ca -out $(abs_builddir)/$@
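
Review bot: The `SSSD_test_intermediate_CA_req.pem` recipe should carry a short comment explaining why the `req` call has no `-extensions`, because the reason is not visible from the Makefile alone. The error output quoted in the commit message shows OpenSSL 3.2 failing on `authorityKeyIdentifier` from section `v3_ca` with "no issuer certificate", and the following rule already selects the certificate extensions at signing time with `openssl ca ... -extensions v3_intermediate_ca`. A comment saying so would keep the option from being re-added to the request step later.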
-- 
2.43.0

From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Mon, 29 Jan 2024 23:18:39 +0100
Subject: [PATCH] debian: tests: Drop -extensions from openssl command if there
 is no -x509.

The 'openssl req' ignores the '-extensions' option without '-x509'.
OpenSSL versions prior to 3.2 simply ignored it. Starting with version 3.2
an error is generated.

Remove the '-extensions' option.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 debian/tests/sssd-softhism2-certificates-tests.sh | 2 --
 1 file changed, 2 deletions(-)

diff --git a/debian/tests/sssd-softhism2-certificates-tests.sh b/debian/tests/sssd-softhism2-certificates-tests.sh
index a0676740e11d..2c3d167414a6 100644
--- a/debian/tests/sssd-softhism2-certificates-tests.sh
+++ b/debian/tests/sssd-softhism2-certificates-tests.sh
@@ -222,7 +222,6 @@ openssl req \
   -key "$tmpdir/test-intermediate-CA-key.pem" \
   -passout "$root_ca_key_pass" \
   -sha256 \
-  -extensions v3_ca \
   -out "$tmpdir/test-intermediate-CA-certificate-request.pem"
 
 openssl req -text -noout -in "$tmpdir/test-intermediate-CA-certificate-request.pem"
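
Review bot: The commit message does not say where the intermediate CA's extensions come from once `-extensions v3_ca` is dropped from this `openssl req` call, and the hunk only shows the request being printed with `openssl req -text -noout` afterwards. Please name the later signing step that sets the CA extensions, in the message or in a comment above the call, the way the upstream Makefile.am patch can point at `-extensions v3_intermediate_ca` on `openssl ca`, so a reader can confirm the resulting test certificates are unchanged.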
@@ -311,7 +310,6 @@ openssl req \
   -key "$tmpdir/test-sub-intermediate-CA-key.pem" \
   -passout "$intermediate_ca_key_pass" \
   -sha256 \
-  -extensions v3_ca \
   -out "$tmpdir/test-sub-intermediate-CA-certificate-request.pem"
 
 openssl req -text -noout -in "$tmpdir/test-sub-intermediate-CA-certificate-request.pem"
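
Review bot: Style point on the sub-intermediate `openssl req` call: it receives the same one-line deletion as the intermediate one above, and the visible arguments of the two calls differ only in the key file, the `-passout` variable and the output file. Consider moving the request generation into a small shell function that takes those three values, so the next option change is made once instead of in both places.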
-- 
2.43.0
