Hello community, here is the log from the commit of package uacme for openSUSE:Factory checked in at 2020-08-20 22:35:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/uacme (Old) and /work/SRC/openSUSE:Factory/.uacme.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "uacme" Thu Aug 20 22:35:24 2020 rev:8 rq:828248 version:1.5 Changes: -------- --- /work/SRC/openSUSE:Factory/uacme/uacme.changes 2020-06-04 17:55:20.572799713 +0200 +++ /work/SRC/openSUSE:Factory/.uacme.new.3399/uacme.changes 2020-08-20 22:35:37.960172197 +0200 @@ -1,0 +2,7 @@ +Mon Aug 17 11:58:57 UTC 2020 - Dirk Mueller <dmuel...@suse.com> + +- update to 1.5: + - uacme: -l option to allow selecting alternate chain + - ualpn: mbedtls_x509_crt_parse_der_with_ext_cb support + +------------------------------------------------------------------- Old: ---- uacme-1.4.1.tar.gz New: ---- uacme-1.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ uacme.spec ++++++ --- /var/tmp/diff_new_pack.MbQNef/_old 2020-08-20 22:35:39.112172724 +0200 +++ /var/tmp/diff_new_pack.MbQNef/_new 2020-08-20 22:35:39.116172726 +0200 @@ -18,7 +18,7 @@ Name: uacme -Version: 1.4.1 +Version: 1.5 Release: 0 Summary: A minimal ACMEv2 client License: GPL-3.0-or-later ++++++ uacme-1.4.1.tar.gz -> uacme-1.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/ChangeLog new/uacme-1.5/ChangeLog --- old/uacme-1.4.1/ChangeLog 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/ChangeLog 2020-07-26 16:31:07.000000000 +0200 @@ -1,3 +1,10 @@ +2020-07-26 Nicola Di Lieto <nicola.dili...@gmail.com> + * Release 1.5 + - uacme: add -l option to allow selecting alternate chain + - ualpn: move signal calls to beginning + - ualpn: add mbedtls_x509_crt_parse_der_with_ext_cb support + fixes https://github.com/ndilieto/uacme/issues/23 + 2020-05-30 Nicola Di Lieto <nicola.dili...@gmail.com> * Release 1.4.1 - fix SIGPIPE of parent process in daemon mode diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/NEWS new/uacme-1.5/NEWS --- old/uacme-1.4.1/NEWS 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/NEWS 2020-07-26 16:31:07.000000000 +0200 @@ -1,6 +1,15 @@ uacme NEWS Copyright (C) 2019,2020 Nicola Di Lieto <nicola.dili...@gmail.com> +## [1.5] - 2020-07-26 +### Added +- uacme: -l option to allow selecting alternate chain +- ualpn: mbedtls_x509_crt_parse_der_with_ext_cb support + fixes https://github.com/ndilieto/uacme/issues/23 + +### Changed +- ualpn: move signal calls to beginning + ## [1.4.1] - 2020-05-30 ### Changed - fix SIGPIPE of parent process in daemon mode diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/config.h.in new/uacme-1.5/config.h.in --- old/uacme-1.4.1/config.h.in 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/config.h.in 2020-07-26 16:31:07.000000000 +0200 @@ -63,6 +63,10 @@ /* if mmap("/dev/zero", MAP_SHARED) works */ #undef HAVE_MAP_DEVZERO +/* Define to 1 if you have the `mbedtls_x509_crt_parse_der_with_ext_cb' + function. */ +#undef HAVE_MBEDTLS_X509_CRT_PARSE_DER_WITH_EXT_CB + /* Define to 1 if you have the <memory.h> header file. */ #undef HAVE_MEMORY_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/configure new/uacme-1.5/configure --- old/uacme-1.4.1/configure 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/configure 2020-07-26 16:31:07.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for uacme 1.4.1. +# Generated by GNU Autoconf 2.69 for uacme 1.5. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ # Identity of this package. PACKAGE_NAME='uacme' PACKAGE_TARNAME='uacme' -PACKAGE_VERSION='1.4.1' -PACKAGE_STRING='uacme 1.4.1' +PACKAGE_VERSION='1.5' +PACKAGE_STRING='uacme 1.5' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1317,7 +1317,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures uacme 1.4.1 to adapt to many kinds of systems. +\`configure' configures uacme 1.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1384,7 +1384,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of uacme 1.4.1:";; + short | recursive ) echo "Configuration of uacme 1.5:";; esac cat <<\_ACEOF @@ -1501,7 +1501,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -uacme configure 1.4.1 +uacme configure 1.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1920,7 +1920,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by uacme $as_me 1.4.1, which was +It was created by uacme $as_me 1.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2785,7 +2785,7 @@ # Define the identity of the package. PACKAGE='uacme' - VERSION='1.4.1' + VERSION='1.5' cat >>confdefs.h <<_ACEOF @@ -6827,6 +6827,17 @@ if test "x$USE_MBEDTLS" = "xyes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: detected mbedTLS" >&5 $as_echo "$as_me: detected mbedTLS" >&6;} + for ac_func in mbedtls_x509_crt_parse_der_with_ext_cb +do : + ac_fn_c_check_func "$LINENO" "mbedtls_x509_crt_parse_der_with_ext_cb" "ac_cv_func_mbedtls_x509_crt_parse_der_with_ext_cb" +if test "x$ac_cv_func_mbedtls_x509_crt_parse_der_with_ext_cb" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_MBEDTLS_X509_CRT_PARSE_DER_WITH_EXT_CB 1 +_ACEOF + +fi +done + fi fi @@ -8306,7 +8317,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by uacme $as_me 1.4.1, which was +This file was extended by uacme $as_me 1.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -8372,7 +8383,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -uacme config.status 1.4.1 +uacme config.status 1.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/configure.ac new/uacme-1.5/configure.ac --- old/uacme-1.4.1/configure.ac 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/configure.ac 2020-07-26 16:31:07.000000000 +0200 @@ -301,6 +301,7 @@ [AC_MSG_ERROR([mbedtls check failed])]) if test "x$USE_MBEDTLS" = "xyes"; then AC_MSG_NOTICE([detected mbedTLS]) + AC_CHECK_FUNCS([mbedtls_x509_crt_parse_der_with_ext_cb]) fi fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/docs/uacme.html new/uacme-1.5/docs/uacme.html --- old/uacme-1.4.1/docs/uacme.html 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/docs/uacme.html 2020-07-26 16:31:07.000000000 +0200 @@ -746,13 +746,13 @@ <div class="sect1"> <h2 id="_synopsis">SYNOPSIS</h2> <div class="sectionbody"> -<div class="paragraph"><p><strong>uacme</strong> [<strong>-a</strong>|<strong>--acme-url</strong> <em>URL</em>] [<strong>-b</strong>|<strong>--bits</strong> <em>BITS</em>] +<div class="paragraph"><p><strong>uacme</strong> [<strong>-?</strong>|<strong>--help</strong>] [<strong>-a</strong>|<strong>--acme-url</strong> <em>URL</em>] [<strong>-b</strong>|<strong>--bits</strong> <em>BITS</em>] [<strong>-c</strong>|<strong>--confdir</strong> <em>DIR</em>] [<strong>-d</strong>|<strong>--days</strong> <em>DAYS</em>] [<strong>-f</strong>|<strong>--force</strong>] - [<strong>-h</strong>|<strong>--hook</strong> <em>PROGRAM</em>] [<strong>-m</strong>|<strong>--must-staple</strong>] [<strong>-n</strong>|<strong>--never-create</strong>] - [<strong>-o</strong>|<strong>--no-ocsp</strong>] [<strong>-s</strong>|<strong>--staging</strong>] [<strong>-t</strong>|<strong>--type</strong> <strong>RSA</strong>|<strong>EC</strong>] - [<strong>-v</strong>|<strong>--verbose</strong> …] [<strong>-V</strong>|<strong>--version</strong>] [<strong>-y</strong>|<strong>--yes</strong>] [<strong>-?</strong>|<strong>--help</strong>] - <strong>new</strong> [<em>EMAIL</em>] | <strong>update</strong> [<em>EMAIL</em>] | <strong>deactivate</strong> | <strong>newkey</strong> | - <strong>issue</strong> <em>IDENTIFIER</em> [<em>ALTNAME</em> …]] | <strong>issue</strong> <em>CSRFILE</em> | + [<strong>-h</strong>|<strong>--hook</strong> <em>PROGRAM</em>] [<strong>-l</strong>|<strong>--alternate</strong> <em>N</em>] [<strong>-m</strong>|<strong>--must-staple</strong>] + [<strong>-n</strong>|<strong>--never-create</strong>] [<strong>-o</strong>|<strong>--no-ocsp</strong>] [<strong>-s</strong>|<strong>--staging</strong>] + [<strong>-t</strong>|<strong>--type</strong> <strong>RSA</strong>|<strong>EC</strong>] [<strong>-v</strong>|<strong>--verbose</strong> …] [<strong>-V</strong>|<strong>--version</strong>] + [<strong>-y</strong>|<strong>--yes</strong>] <strong>new</strong> [<em>EMAIL</em>] | <strong>update</strong> [<em>EMAIL</em>] | <strong>deactivate</strong> | + <strong>newkey</strong> | <strong>issue</strong> <em>IDENTIFIER</em> [<em>ALTNAME</em> …]] | <strong>issue</strong> <em>CSRFILE</em> | <strong>revoke</strong> <em>CERTFILE</em> [<em>CERTKEYFILE</em>]</p></div> </div> </div> @@ -774,7 +774,15 @@ <div class="sectionbody"> <div class="dlist"><dl> <dt class="hdlist1"> -<strong>-a, --acme-url</strong>=<em>URL</em> +<strong>-?, --help</strong> +</dt> +<dd> +<p> + Print a brief usage text on stderr and exit. +</p> +</dd> +<dt class="hdlist1"> +<strong>-a, --acme-url</strong> <em>URL</em> </dt> <dd> <p> @@ -801,7 +809,7 @@ </dl></div> </dd> <dt class="hdlist1"> -<strong>-b, --bits</strong>=<em>BITS</em> +<strong>-b, --bits</strong> <em>BITS</em> </dt> <dd> <p> @@ -812,7 +820,7 @@ </p> </dd> <dt class="hdlist1"> -<strong>-c, --confdir</strong>=<em>CONFDIR</em> +<strong>-c, --confdir</strong> <em>CONFDIR</em> </dt> <dd> <p> @@ -848,7 +856,7 @@ </dl></div> </dd> <dt class="hdlist1"> -<strong>-d, --days</strong>=<em>DAYS</em> +<strong>-d, --days</strong> <em>DAYS</em> </dt> <dd> <p> @@ -865,7 +873,7 @@ </p> </dd> <dt class="hdlist1"> -<strong>-h, --hook</strong>=<em>PROGRAM</em> +<strong>-h, --hook</strong> <em>PROGRAM</em> </dt> <dd> <p> @@ -951,6 +959,19 @@ </dl></div> </dd> <dt class="hdlist1"> +<strong>-l, --alternate</strong> <em>N</em> +</dt> +<dd> +<p> + According to <a href="https://tools.ietf.org/html/rfc8555#section-7.4.2">https://tools.ietf.org/html/rfc8555#section-7.4.2</a> + the server MAY provide one or more additional certificate download URLs, + each pointing to an alternative certificate chain starting with the same + end-entity certificate. Specifying this option makes <strong>uacme</strong> choose the + Nth alternate link. If the server does not provide it or the download + fails, <strong>uacme</strong> falls back to the main certificate URL. +</p> +</dd> +<dt class="hdlist1"> <strong>-m, --must-staple</strong> </dt> <dd> @@ -1029,14 +1050,6 @@ Autoaccept ACME server terms (if any) upon new account creation. </p> </dd> -<dt class="hdlist1"> -<strong>-?, --help</strong> -</dt> -<dd> -<p> - Print a brief usage text on stderr and exit. -</p> -</dd> </dl></div> </div> </div> @@ -1294,9 +1307,9 @@ <div id="footnotes"><hr></div> <div id="footer"> <div id="footer-text"> -Version 1.4.1<br> +Version 1.5<br> Last updated - 2020-05-30 21:05:25 CEST + 2020-07-26 15:54:53 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/docs/ualpn.html new/uacme-1.5/docs/ualpn.html --- old/uacme-1.4.1/docs/ualpn.html 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/docs/ualpn.html 2020-07-26 16:31:07.000000000 +0200 @@ -1186,7 +1186,7 @@ <div id="footnotes"><hr></div> <div id="footer"> <div id="footer-text"> -Version 1.4.1<br> +Version 1.5<br> Last updated 2020-05-30 21:05:20 CEST </div> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/uacme.1 new/uacme-1.5/uacme.1 --- old/uacme-1.4.1/uacme.1 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/uacme.1 2020-07-26 16:31:07.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: uacme .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 05/30/2020 +.\" Date: 07/26/2020 .\" Manual: User Commands -.\" Source: uacme 1.4.1 +.\" Source: uacme 1.5 .\" Language: English .\" -.TH "UACME" "1" "05/30/2020" "uacme 1\&.4\&.1" "User Commands" +.TH "UACME" "1" "07/26/2020" "uacme 1\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,13 +31,18 @@ uacme \- ACMEv2 client written in plain C code with minimal dependencies .SH "SYNOPSIS" .sp -\fBuacme\fR [\fB\-a\fR|\fB\-\-acme\-url\fR \fIURL\fR] [\fB\-b\fR|\fB\-\-bits\fR \fIBITS\fR] [\fB\-c\fR|\fB\-\-confdir\fR \fIDIR\fR] [\fB\-d\fR|\fB\-\-days\fR \fIDAYS\fR] [\fB\-f\fR|\fB\-\-force\fR] [\fB\-h\fR|\fB\-\-hook\fR \fIPROGRAM\fR] [\fB\-m\fR|\fB\-\-must\-staple\fR] [\fB\-n\fR|\fB\-\-never\-create\fR] [\fB\-o\fR|\fB\-\-no\-ocsp\fR] [\fB\-s\fR|\fB\-\-staging\fR] [\fB\-t\fR|\fB\-\-type\fR \fBRSA\fR|\fBEC\fR] [\fB\-v\fR|\fB\-\-verbose\fR \&...] [\fB\-V\fR|\fB\-\-version\fR] [\fB\-y\fR|\fB\-\-yes\fR] [\fB\-?\fR|\fB\-\-help\fR] \fBnew\fR [\fIEMAIL\fR] | \fBupdate\fR [\fIEMAIL\fR] | \fBdeactivate\fR | \fBnewkey\fR | \fBissue\fR \fIIDENTIFIER\fR [\fIALTNAME\fR \&...]] | \fBissue\fR \fICSRFILE\fR | \fBrevoke\fR \fICERTFILE\fR [\fICERTKEYFILE\fR] +\fBuacme\fR [\fB\-?\fR|\fB\-\-help\fR] [\fB\-a\fR|\fB\-\-acme\-url\fR \fIURL\fR] [\fB\-b\fR|\fB\-\-bits\fR \fIBITS\fR] [\fB\-c\fR|\fB\-\-confdir\fR \fIDIR\fR] [\fB\-d\fR|\fB\-\-days\fR \fIDAYS\fR] [\fB\-f\fR|\fB\-\-force\fR] [\fB\-h\fR|\fB\-\-hook\fR \fIPROGRAM\fR] [\fB\-l\fR|\fB\-\-alternate\fR \fIN\fR] [\fB\-m\fR|\fB\-\-must\-staple\fR] [\fB\-n\fR|\fB\-\-never\-create\fR] [\fB\-o\fR|\fB\-\-no\-ocsp\fR] [\fB\-s\fR|\fB\-\-staging\fR] [\fB\-t\fR|\fB\-\-type\fR \fBRSA\fR|\fBEC\fR] [\fB\-v\fR|\fB\-\-verbose\fR \&...] [\fB\-V\fR|\fB\-\-version\fR] [\fB\-y\fR|\fB\-\-yes\fR] \fBnew\fR [\fIEMAIL\fR] | \fBupdate\fR [\fIEMAIL\fR] | \fBdeactivate\fR | \fBnewkey\fR | \fBissue\fR \fIIDENTIFIER\fR [\fIALTNAME\fR \&...]] | \fBissue\fR \fICSRFILE\fR | \fBrevoke\fR \fICERTFILE\fR [\fICERTKEYFILE\fR] .SH "DESCRIPTION" .sp \fBuacme\fR is a client for the ACMEv2 protocol described in RFC8555, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS)\&. The ACMEv2 protocol allows a Certificate Authority (https://letsencrypt\&.org is a popular one) and an applicant to automate the process of verification and certificate issuance\&. The protocol also provides facilities for other certificate management functions, such as certificate revocation\&. For more information see https://tools\&.ietf\&.org/html/rfc8555 .SH "OPTIONS" .PP -\fB\-a, \-\-acme\-url\fR=\fIURL\fR +\fB\-?, \-\-help\fR +.RS 4 +Print a brief usage text on stderr and exit\&. +.RE +.PP +\fB\-a, \-\-acme\-url\fR \fIURL\fR .RS 4 ACMEv2 server directory object \fIURL\fR\&. If not specified @@ -57,14 +62,14 @@ .RE .RE .PP -\fB\-b, \-\-bits\fR=\fIBITS\fR +\fB\-b, \-\-bits\fR \fIBITS\fR .RS 4 key bit length (default 2048 for RSA, 256 for EC)\&. Only applies to newly generated keys\&. RSA key length must be a multiple of 8 between 2048 and 8192\&. EC key length must be either 256 (\fBNID_X9_62_prime256v1\fR curve) or 384 (\fBNID_secp384r1\fR curve)\&. .RE .PP -\fB\-c, \-\-confdir\fR=\fICONFDIR\fR +\fB\-c, \-\-confdir\fR \fICONFDIR\fR .RS 4 Use configuration directory \fICONFDIR\fR @@ -91,7 +96,7 @@ .RE .RE .PP -\fB\-d, \-\-days\fR=\fIDAYS\fR +\fB\-d, \-\-days\fR \fIDAYS\fR .RS 4 Do not reissue certificates that are still valid for longer than \fIDAYS\fR @@ -104,7 +109,7 @@ Force certificate reissuance regardless of expiration date\&. .RE .PP -\fB\-h, \-\-hook\fR=\fIPROGRAM\fR +\fB\-h, \-\-hook\fR \fIPROGRAM\fR .RS 4 Challenge hook program\&. If not specified \fBuacme\fR @@ -172,6 +177,17 @@ .RE .RE .PP +\fB\-l, \-\-alternate\fR \fIN\fR +.RS 4 +According to +https://tools\&.ietf\&.org/html/rfc8555#section\-7\&.4\&.2 +the server MAY provide one or more additional certificate download URLs, each pointing to an alternative certificate chain starting with the same end\-entity certificate\&. Specifying this option makes +\fBuacme\fR +choose the Nth alternate link\&. If the server does not provide it or the download fails, +\fBuacme\fR +falls back to the main certificate URL\&. +.RE +.PP \fB\-m, \-\-must\-staple\fR .RS 4 Request certificates with the RFC7633 Certificate Status Request TLS Feature Extension, informally also known as "OCSP Must\-Staple"\&. This option is ignored when using an externally supplied Certificate Signing Request file (see USAGE below)\&. @@ -232,11 +248,6 @@ .RS 4 Autoaccept ACME server terms (if any) upon new account creation\&. .RE -.PP -\fB\-?, \-\-help\fR -.RS 4 -Print a brief usage text on stderr and exit\&. -.RE .SH "USAGE" .PP \fBuacme\fR [\fIOPTIONS\fR \&...] \fBnew\fR [\fIEMAIL\fR] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/uacme.1.txt new/uacme-1.5/uacme.1.txt --- old/uacme-1.4.1/uacme.1.txt 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/uacme.1.txt 2020-07-26 16:31:07.000000000 +0200 @@ -13,13 +13,13 @@ SYNOPSIS -------- -*uacme* [*-a*|*--acme-url* 'URL'] [*-b*|*--bits* 'BITS'] +*uacme* [*-?*|*--help*] [*-a*|*--acme-url* 'URL'] [*-b*|*--bits* 'BITS'] [*-c*|*--confdir* 'DIR'] [*-d*|*--days* 'DAYS'] [*-f*|*--force*] - [*-h*|*--hook* 'PROGRAM'] [*-m*|*--must-staple*] [*-n*|*--never-create*] - [*-o*|*--no-ocsp*] [*-s*|*--staging*] [*-t*|*--type* *RSA*|*EC*] - [*-v*|*--verbose* ...] [*-V*|*--version*] [*-y*|*--yes*] [*-?*|*--help*] - *new* ['EMAIL'] | *update* ['EMAIL'] | *deactivate* | *newkey* | - *issue* 'IDENTIFIER' ['ALTNAME' ...]] | *issue* 'CSRFILE' | + [*-h*|*--hook* 'PROGRAM'] [*-l*|*--alternate* 'N'] [*-m*|*--must-staple*] + [*-n*|*--never-create*] [*-o*|*--no-ocsp*] [*-s*|*--staging*] + [*-t*|*--type* *RSA*|*EC*] [*-v*|*--verbose* ...] [*-V*|*--version*] + [*-y*|*--yes*] *new* ['EMAIL'] | *update* ['EMAIL'] | *deactivate* | + *newkey* | *issue* 'IDENTIFIER' ['ALTNAME' ...]] | *issue* 'CSRFILE' | *revoke* 'CERTFILE' ['CERTKEYFILE'] @@ -37,20 +37,23 @@ OPTIONS ------- -*-a, --acme-url*='URL':: +*-?, --help*:: + Print a brief usage text on stderr and exit. + +*-a, --acme-url* 'URL':: ACMEv2 server directory object 'URL'. If not specified *uacme* uses one of the following: 'https://acme-v02.api.letsencrypt.org/directory'::: production URL 'https://acme-staging-v02.api.letsencrypt.org/directory'::: staging URL (see *-s, --staging* below) -*-b, --bits*='BITS':: +*-b, --bits* 'BITS':: key bit length (default 2048 for RSA, 256 for EC). Only applies to newly generated keys. RSA key length must be a multiple of 8 between 2048 and 8192. EC key length must be either 256 (*NID_X9_62_prime256v1* curve) or 384 (*NID_secp384r1* curve). -*-c, --confdir*='CONFDIR':: +*-c, --confdir* 'CONFDIR':: Use configuration directory 'CONFDIR' (default '{sysconfdir}/ssl/uacme'). The structure is as follows (multiple 'IDENTIFIERs' allowed) 'CONFDIR/private/key.pem'::: ACME account private key @@ -58,14 +61,14 @@ 'IDENTIFIER' 'CONFDIR/IDENTIFIER/cert.pem'::: certificate for 'IDENTIFIER' -*-d, --days*='DAYS':: +*-d, --days* 'DAYS':: Do not reissue certificates that are still valid for longer than 'DAYS' (default 30). See also *-o, --no-ocsp*. *-f, --force*:: Force certificate reissuance regardless of expiration date. -*-h, --hook*='PROGRAM':: +*-h, --hook* 'PROGRAM':: Challenge hook program. If not specified *uacme* interacts with the user for every ACME challenge, printing information about the challenge type, token and authorization on stderr. If specified @@ -86,6 +89,14 @@ 'AUTH'::: The key authorization (for *dns-01* and *tls-alpn-01* already converted to the base64-encoded SHA256 digest format) +*-l, --alternate* 'N':: + According to <https://tools.ietf.org/html/rfc8555#section-7.4.2> + the server MAY provide one or more additional certificate download URLs, + each pointing to an alternative certificate chain starting with the same + end-entity certificate. Specifying this option makes *uacme* choose the + Nth alternate link. If the server does not provide it or the download + fails, *uacme* falls back to the main certificate URL. + *-m, --must-staple*:: Request certificates with the RFC7633 Certificate Status Request TLS Feature Extension, informally also known as "OCSP Must-Staple". @@ -125,9 +136,6 @@ *-y, --yes*:: Autoaccept ACME server terms (if any) upon new account creation. -*-?, --help*:: - Print a brief usage text on stderr and exit. - USAGE ----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/uacme.c new/uacme-1.5/uacme.c --- old/uacme-1.4.1/uacme.c 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/uacme.c 2020-07-26 16:31:07.000000000 +0200 @@ -873,13 +873,14 @@ return success; } -bool cert_issue(acme_t *a, char * const *names, const char *csr) +bool cert_issue(acme_t *a, char * const *names, const char *csr, int alt) { bool success = false; char *orderurl = NULL; char *certfile = NULL; char *bakfile = NULL; char *tmpfile = NULL; + char *cert = NULL; time_t t = time(NULL); int fd = -1; char *ids = identifiers(names); @@ -999,6 +1000,46 @@ } else if (acme_error(a)) { goto out; } + cert = a->body; + a->body = NULL; + + if (alt) { + const char *regex = "^Link:[ \t]*<(.*)>[ \t]*.*;[ \t]*" + "rel[ \t]*=[ \t]*\"?alternate(\"|[ \t]*;).*\r\n"; + regex_t reg; + if (regcomp(®, regex, REG_EXTENDED | REG_ICASE | REG_NEWLINE)) { + warnx("cert_issue: regcomp failed"); + goto out; + } else { + char *h = a->headers; + regmatch_t m[2]; + int i; + for (i = 0; i < alt && regexec(®, h, 2, m, 0) == 0; i++) { + if (i < alt - 1) { + h += m[1].rm_eo; + continue; + } + h[m[1].rm_eo] = '\0'; + h += m[1].rm_so; + } + regfree(®); + if (i != alt) { + warnx("alternate certificate number %d not found", alt); + warnx("falling back to main certificate"); + } else { + msg(1, "retrieving alternate certificate at %s", h); + if (acme_post(a, h, "") != 200) { + warnx("failed to retrieve alternate certificate at %s", h); + acme_error(a); + warnx("falling back to main certificate"); + } else { + free(cert); + cert = a->body; + a->body = NULL; + } + } + } + } if (asprintf(&certfile, "%scert.pem", a->certprefix) < 0) { certfile = NULL; @@ -1026,7 +1067,7 @@ goto out; } - if (write(fd, a->body, strlen(a->body)) != (ssize_t)strlen(a->body)) { + if (write(fd, cert, strlen(cert)) != (ssize_t)strlen(cert)) { warn("failed to write to %s", tmpfile); goto out; } @@ -1061,6 +1102,7 @@ free(certfile); free(ids); free(orderurl); + free(cert); return success; } @@ -1163,10 +1205,10 @@ void usage(const char *progname) { fprintf(stderr, - "usage: %s [-a|--acme-url URL] [-b|--bits BITS] [-c|--confdir DIR]\n" - "\t[-d|--days DAYS] [-f|--force] [-h|--hook PROGRAM] [-m|--must-staple]\n" - "\t[-n|--never-create] [-o|--no-ocsp] [-s|--staging] [-t|--type RSA | EC]\n" - "\t[-v|--verbose ...] [-V|--version] [-y|--yes] [-?|--help]\n" + "usage: %s [-?|--help] [-a|--acme-url URL] [-b|--bits BITS] [-c|--confdir DIR]\n" + "\t[-d|--days DAYS] [-f|--force] [-h|--hook PROGRAM] [-l|--alternate N]\n" + "\t[-m|--must-staple] [-n|--never-create] [-o|--no-ocsp] [-s|--staging]\n" + "\t[-t|--type RSA | EC] [-v|--verbose ...] [-V|--version] [-y|--yes]\n" "\tnew [EMAIL] | update [EMAIL] | deactivate | newkey |\n" "\tissue IDENTIFIER [ALTNAME ...]] | issue CSRFILE |\n" "\trevoke CERTFILE [CERTKEYFILE]\n", progname); @@ -1183,6 +1225,7 @@ {"force", no_argument, NULL, 'f'}, {"help", no_argument, NULL, '?'}, {"hook", required_argument, NULL, 'h'}, + {"alternate", required_argument, NULL, 'l'}, {"must-staple", no_argument, NULL, 'm'}, {"never-create", no_argument, NULL, 'n'}, {"no-ocsp", no_argument, NULL, 'o'}, @@ -1203,6 +1246,7 @@ bool custom_directory = false; bool status_req = false; bool status_check = true; + int alt = 0; int days = 30; int bits = 0; keytype_t type = PK_RSA; @@ -1245,7 +1289,7 @@ while (1) { char *endptr; int option_index; - int c = getopt_long(argc, argv, "a:b:c:d:f?h:mnost:vVy", + int c = getopt_long(argc, argv, "a:b:c:d:f?h:l:mnost:vVy", options, &option_index); if (c == -1) break; switch (c) { @@ -1286,6 +1330,14 @@ a.hook = optarg; break; + case 'l': + alt = strtol(optarg, &endptr, 10); + if (*endptr != 0 || alt < 0) { + warnx("-l requires a positive argument"); + goto out; + } + break; + case 'm': status_req = true; break; @@ -1594,7 +1646,7 @@ } if (acme_bootstrap(&a) && account_retrieve(&a) - && cert_issue(&a, names, csr)) + && cert_issue(&a, names, csr, alt)) ret = 0; } else if (strcmp(action, "revoke") == 0) { if (acme_bootstrap(&a) && (!a.keyprefix || account_retrieve(&a)) && diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/ualpn.1 new/uacme-1.5/ualpn.1 --- old/uacme-1.4.1/ualpn.1 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/ualpn.1 2020-07-26 16:31:07.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: ualpn .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 05/30/2020 +.\" Date: 07/26/2020 .\" Manual: User Commands -.\" Source: ualpn 1.4.1 +.\" Source: ualpn 1.5 .\" Language: English .\" -.TH "UALPN" "1" "05/30/2020" "ualpn 1\&.4\&.1" "User Commands" +.TH "UALPN" "1" "07/26/2020" "ualpn 1\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uacme-1.4.1/ualpn.c new/uacme-1.5/ualpn.c --- old/uacme-1.4.1/ualpn.c 2020-05-30 21:08:49.000000000 +0200 +++ new/uacme-1.5/ualpn.c 2020-07-26 16:31:07.000000000 +0200 @@ -106,9 +106,10 @@ #if MBEDTLS_VERSION_NUMBER < 0x02100000 #error mbedTLS version 2.16 or later is required #endif -#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) -#error mbedTLS was configured without \ - MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION +#if !HAVE_MBEDTLS_X509_CRT_PARSE_DER_WITH_EXT_CB && \ + !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) +#error mbedtls_x509_crt_parse_der_with_ext_cb is not available and mbedTLS \ + was configured without MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION #endif static const char *_mbedtls_strerror(int code) { @@ -2251,6 +2252,24 @@ return 0; } +#if HAVE_MBEDTLS_X509_CRT_PARSE_DER_WITH_EXT_CB +int ext_callback(void *ctx, mbedtls_x509_crt const *crt, + mbedtls_x509_buf const *oid, int critical, const unsigned char *p, + const unsigned char *end) +{ + (void) ctx; + (void) crt; + (void) critical; + (void) p; + (void) end; + + if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKIX "\x01\x1F", oid)) + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS; + else + return 0; +} +#endif + static int do_handshake(client_t *c) { int rc = 0; @@ -2271,6 +2290,16 @@ } mbedtls_x509_crt_free(&c->crt); +#if HAVE_MBEDTLS_X509_CRT_PARSE_DER_WITH_EXT_CB + rc = mbedtls_x509_crt_parse_der_with_ext_cb(&c->crt, auth->crt, + auth->crt_size, 1, ext_callback, NULL); + if (rc) { + warnx("client %08x: mbedtls_x509_crt_parse_der_with_ext_cb" + " for %s: %s", + c->id, c->ident, _mbedtls_strerror(rc)); + return -1; + } +#else rc = mbedtls_x509_crt_parse_der(&c->crt, auth->crt, auth->crt_size); if (rc) { @@ -2278,7 +2307,7 @@ c->id, c->ident, _mbedtls_strerror(rc)); return -1; } - +#endif mbedtls_pk_free(&c->key); rc = mbedtls_pk_parse_key(&c->key, auth->key, auth->key_size, NULL, 0); @@ -2397,6 +2426,15 @@ mbedtls_ssl_conf_rng(&c->cnf, mbedtls_ctr_drbg_random, &g.ctr_drbg); mbedtls_ssl_conf_sni(&c->cnf, sni_callback, c); mbedtls_x509_crt_init(&c->crt); +#if HAVE_MBEDTLS_X509_CRT_PARSE_DER_WITH_EXT_CB + rc = mbedtls_x509_crt_parse_der_with_ext_cb(&c->crt, g.crt, g.crt_len, + 1, ext_callback, NULL); + if (rc) { + warnx("client %08x: mbedtls_x509_crt_parse_der_with_ext_cb: %s", c->id, + _mbedtls_strerror(rc)); + return -1; + } +#else rc = mbedtls_x509_crt_parse_der(&c->crt, g.crt, g.crt_len); if (rc == MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { @@ -2410,6 +2448,7 @@ _mbedtls_strerror(rc)); return -1; } +#endif mbedtls_pk_init(&c->key); rc = mbedtls_pk_parse_key(&c->key, g.key, g.key_len, NULL, 0); if (rc) { @@ -3986,6 +4025,9 @@ g.logfile = stderr; set_log_func(log_function); + signal(SIGPIPE, SIG_IGN); + signal(SIGABRT, SIG_IGN); + while (1) { char *endptr; @@ -4431,9 +4473,6 @@ } } - signal(SIGPIPE, SIG_IGN); - signal(SIGABRT, SIG_IGN); - #if defined(USE_GNUTLS) if (!gnutls_check_version("3.3.30")) { @@ -4473,10 +4512,12 @@ errx("mbedTLS version 2.16 or later is required"); cleanup_and_exit(0, EXIT_FAILURE); } +#if !HAVE_MBEDTLS_X509_CRT_PARSE_DER_WITH_EXT_CB #if defined(MBEDTLS_VERSION_FEATURES) if (mbedtls_version_check_feature( "MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION")) { - errx("mbedTLS needs to be built with " + errx("mbedtls_x509_crt_parse_der_with_ext_cb is not available " + "and mbedTLS was configured without " "MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION"); cleanup_and_exit(0, EXIT_FAILURE); } @@ -4484,6 +4525,7 @@ #warning mbedTLS runtime feature check disabled. Consider reconfiguring \ mbedTLS with MBEDTLS_VERSION_FEATURES #endif +#endif #else #warning mbedTLS runtime version check disabled. Consider reconfiguring \ mbedTLS with MBEDTLS_VERSION_C