KeysInUse: re-introduce package back to 2.0.

SPECS/KeysInUse-OpenSSL/KeysInUse-OpenSSL.signatures.json

@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "KeysInUse-OpenSSL-0.3.1.tar.gz": "aff345b0d3b699fd4d0e8eeda67bdf4bdec04d1f2d409bf1bf6098a263ecab64"
+ }
+}

SPECS/KeysInUse-OpenSSL/KeysInUse-OpenSSL.spec

@@ -0,0 +1,83 @@
+Summary:        The KeysInUse Engine for OpenSSL allows the logging of private key usage through OpenSSL
+Name:           KeysInUse-OpenSSL
+Version:        0.3.1
+Release:        1%{?dist}
+License:        MIT
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          System/Libraries
+URL:            https://github.com/microsoft/KeysInUse-OpenSSL
+#Source0:       https://github.com/microsoft/KeysInUse-OpenSSL/archive/v%{version}.tar.gz
+Source0:        %{name}-%{version}.tar.gz
+BuildRequires:  cmake
+BuildRequires:  gcc
+BuildRequires:  golang >= 1.16.6
+BuildRequires:  make
+BuildRequires:  openssl-devel
+Requires:       openssl < 1.1.2
+Requires:       openssl >= 1.1.1
+
+%description
+ The KeysInUse Engine for OpenSSL allows the logging of private key usage through OpenSSL
+
+%prep
+%setup -q
+
+%build
+export GO111MODULE=off
+
+cmake -DCMAKE_TOOLCHAIN_FILE=./cmake-toolchains/linux-amd64-glibc.cmake -H./ -B./build
+cmake --build ./build --target keysinuse
+
+cd ./packaging/util
+make $(realpath ../../bin/keysinuseutil)
+
+%define keysinuse_dir %{buildroot}/%{_libdir}/keysinuse/
+
+%install
+mkdir -p %{keysinuse_dir}
+mkdir -p %{buildroot}%{_bindir}/
+
+install -m 0644 ./bin/keysinuse.so %{keysinuse_dir}
+install -m 0744 ./bin/keysinuseutil %{buildroot}%{_bindir}/
+
+%files
+%license LICENSE
+%{_libdir}/keysinuse/keysinuse.so
+%{_bindir}/keysinuseutil
+
+%pre
+if [ -x %{_bindir}/keysinuseutil ]; then
+  echo "Disabling version $2 of keysinuse engine for OpenSSL"
+  %{_bindir}/keysinuseutil uninstall || echo "Failed to deconfigure old version"
+fi
+
+%post
+if [ ! -e %{_var}/log/keysinuse ]; then
+  mkdir %{_var}/log/keysinuse
+fi
+chown root:root %{_var}/log/keysinuse
+chmod 1733 %{_var}/log/keysinuse
+
+ln -s %{_lib}/keysinuse/keysinuse.so $(%{_bindir}/openssl version -e | awk '{gsub(/"/, "", $2); print $2}')/keysinuse.so
+
+if [ -x %{_bindir}/keysinuseutil ]; then
+  echo "Enabling keysinuse engine for OpenSSL"
+  %{_bindir}/keysinuseutil install || echo "Configuring engine failed"
+fi
+
+%preun
+if [ -x %{_bindir}/keysinuseutil ]; then
+  echo "Disabling keysinuse engine for OpenSSL"
+  %{_bindir}/keysinuseutil uninstall || echo "Deconfiguring keysinuse engine failed"
+fi
+with
+engine_link=$(%{_bindir}/openssl version -e | awk '{gsub(/"/, "", $2); print $2}')/keysinuse.so
+if [ -e $engine_link ]; then
+  rm $engine_link
+fi
+
+%changelog
+* Fri Jun 17 2022 Maxwell Moyer-McKee <[email protected]> - 0.3.1-1
+- Original version for CBL-Mariner
+- Verified license

SPECS/LICENSES-AND-NOTICES/data/licenses.json

@@ -1995,6 +1995,7 @@
                 "jx",
                 "keda",
                 "kernel-signed",
+                "KeysInUse-OpenSSL",
                 "kpatch",
                 "kubernetes-1.18.14",
                 "kubernetes-1.18.17",

SPECS/openssl/openssl-1.1.1-fips-SymCrypt.patch → SPECS/openssl/openssl-1.1.1-load-default-engines.patch

@@ -1,8 +1,8 @@
 diff --git a/crypto/init.c b/crypto/init.c
-index 1b0d523bea..9482633c9b 100644
+index 1b0d523bea..86e31c193e 100644
 --- a/crypto/init.c
 +++ b/crypto/init.c
-@@ -402,6 +402,67 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_afalg)
+@@ -402,6 +402,128 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_afalg)
  }
  #  endif
  # endif
@@ -30,7 +30,7 @@ index 1b0d523bea..9482633c9b 100644
 +    dynamic = ENGINE_by_id("dynamic");
 +    if (!dynamic)
 +        goto err;
-+    
++
 +    // Add the engines directory to the list of directories to load from and specify that loading
 +    // from the directory list is mandatory (via DIR_LOAD = 2). Otherwise OpenSSL will try to load
 +    // the engine from the default ld search path, fail, and skip loading from the engines dir.
@@ -55,6 +55,7 @@ index 1b0d523bea..9482633c9b 100644
 +    if (!ENGINE_set_default_string(symcrypt, "ALL"))
 +        goto err;
 +
++    ret = 1;
 +err:
 +    ENGINE_free(symcrypt);
 +    ENGINE_free(dynamic);
@@ -66,11 +67,71 @@ index 1b0d523bea..9482633c9b 100644
 +
 +    return ret;
 +}
++# endif
++
++#ifndef OPENSSL_NO_KEYSINUSE_ENGINE
++static CRYPTO_ONCE engine_keysinuse = CRYPTO_ONCE_STATIC_INIT;
++DEFINE_RUN_ONCE_STATIC(ossl_init_engine_keysinuse)
++{
++    int ret = 0;
++
++    ENGINE *dynamic = NULL;
++    ENGINE *keysinuse = NULL;
++
++    dynamic = ENGINE_by_id("dynamic");
++    if (!dynamic)
++        goto err;
++
++    // Get the default engine directory from the environment - may be NULL
++    char *load_dir = ossl_safe_getenv("OPENSSL_ENGINES");
++
++    # ifdef ENGINESDIR
++    // Use the default engines directory, if defined
++    if (load_dir == NULL)
++    {
++        load_dir = ENGINESDIR;
++    }
++    # endif
++
++    if (!ENGINE_ctrl_cmd_string(dynamic, "DIR_ADD", load_dir, 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "DIR_LOAD", "2", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "SO_PATH", "keysinuse.so", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "ID", "keysinuse", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "LIST_ADD", "2", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "LOAD", NULL, 0))
++        goto err;
++
++    // Pass config values to keysinuse engine
++    keysinuse = ENGINE_by_id("keysinuse");
++    if (!keysinuse)
++        goto err;
++
++    // Make KeysInUse the default engine for RSA and EC algorithms
++    if (!ENGINE_set_default_string(keysinuse, "RSA,EC"))
++        goto err;
++
++    ret = 1;
++err:
++    ENGINE_free(keysinuse);
++    ENGINE_free(dynamic);
++
++#  ifdef OPENSSL_INIT_DEBUG
++    fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_keysinuse: %d \n",
++            ret);
++#  endif
++
++    return ret;
++}
 +# endif
  #endif
 
  #ifndef OPENSSL_NO_COMP
-@@ -723,9 +784,13 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+@@ -723,9 +845,14 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
              && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand))
          return 0;
  # endif
@@ -81,8 +142,9 @@ index 1b0d523bea..9482633c9b 100644
 +    {
 +        if (!RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
 +            return 0;
-+        
++
 +        RUN_ONCE(&engine_symcrypt, ossl_init_engine_symcrypt);
++        RUN_ONCE(&engine_keysinuse, ossl_init_engine_keysinuse);
 +    }
  # ifndef OPENSSL_NO_STATIC_ENGINE
  #  if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)

SPECS/openssl/openssl.spec

@@ -4,7 +4,7 @@
 Summary:        Utilities from the general purpose cryptography library with TLS implementation
 Name:           openssl
 Version:        1.1.1k
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        OpenSSL
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -42,7 +42,7 @@ Patch18:        openssl-1.1.1-fips-curves.patch
 Patch19:        openssl-1.1.1-sp80056arev3.patch
 Patch20:        openssl-1.1.1-jitterentropy.patch
 Patch21:        openssl-1.1.1-drbg-seed.patch
-Patch22:        openssl-1.1.1-fips-SymCrypt.patch
+Patch22:        openssl-1.1.1-load-default-engines.patch
 Patch23:        CVE-2021-3711.patch
 Patch24:        CVE-2021-3712.patch
 Patch25:        CVE-2022-0778.patch
@@ -339,6 +339,9 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Aug 15 2022 Pawel Winogrodzki <[email protected]> - 1.1.1k-20
+- Bumping "Release" to sync spec versions across branches.
+
 * Wed Jul 13 2022 Maxwell Moyer-McKee <[email protected]> - 1.1.1k-19
 - Removed portion of load-default-engines test causing unit test failure
 

cgmanifest.json

@@ -7336,6 +7336,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "KeysInUse-OpenSSL",
+          "version": "0.3.1",
+          "downloadUrl": "https://github.com/microsoft/KeysInUse-OpenSSL/archive/v0.3.1.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-19.cm2.aarch64.rpm
-openssl-devel-1.1.1k-19.cm2.aarch64.rpm
-openssl-libs-1.1.1k-19.cm2.aarch64.rpm
-openssl-perl-1.1.1k-19.cm2.aarch64.rpm
-openssl-static-1.1.1k-19.cm2.aarch64.rpm
+openssl-1.1.1k-20.cm2.aarch64.rpm
+openssl-devel-1.1.1k-20.cm2.aarch64.rpm
+openssl-libs-1.1.1k-20.cm2.aarch64.rpm
+openssl-perl-1.1.1k-20.cm2.aarch64.rpm
+openssl-static-1.1.1k-20.cm2.aarch64.rpm
 libcap-2.60-1.cm2.aarch64.rpm
 libcap-devel-2.60-1.cm2.aarch64.rpm
 debugedit-5.0-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-19.cm2.x86_64.rpm
-openssl-devel-1.1.1k-19.cm2.x86_64.rpm
-openssl-libs-1.1.1k-19.cm2.x86_64.rpm
-openssl-perl-1.1.1k-19.cm2.x86_64.rpm
-openssl-static-1.1.1k-19.cm2.x86_64.rpm
+openssl-1.1.1k-20.cm2.x86_64.rpm
+openssl-devel-1.1.1k-20.cm2.x86_64.rpm
+openssl-libs-1.1.1k-20.cm2.x86_64.rpm
+openssl-perl-1.1.1k-20.cm2.x86_64.rpm
+openssl-static-1.1.1k-20.cm2.x86_64.rpm
 libcap-2.60-1.cm2.x86_64.rpm
 libcap-devel-2.60-1.cm2.x86_64.rpm
 debugedit-5.0-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -259,12 +259,12 @@ npth-1.6-4.cm2.aarch64.rpm
 npth-debuginfo-1.6-4.cm2.aarch64.rpm
 npth-devel-1.6-4.cm2.aarch64.rpm
 ntsysv-1.20-3.cm2.aarch64.rpm
-openssl-1.1.1k-19.cm2.aarch64.rpm
-openssl-debuginfo-1.1.1k-19.cm2.aarch64.rpm
-openssl-devel-1.1.1k-19.cm2.aarch64.rpm
-openssl-libs-1.1.1k-19.cm2.aarch64.rpm
-openssl-perl-1.1.1k-19.cm2.aarch64.rpm
-openssl-static-1.1.1k-19.cm2.aarch64.rpm
+openssl-1.1.1k-20.cm2.aarch64.rpm
+openssl-debuginfo-1.1.1k-20.cm2.aarch64.rpm
+openssl-devel-1.1.1k-20.cm2.aarch64.rpm
+openssl-libs-1.1.1k-20.cm2.aarch64.rpm
+openssl-perl-1.1.1k-20.cm2.aarch64.rpm
+openssl-static-1.1.1k-20.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
 p11-kit-devel-0.24.1-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -259,12 +259,12 @@ npth-1.6-4.cm2.x86_64.rpm
 npth-debuginfo-1.6-4.cm2.x86_64.rpm
 npth-devel-1.6-4.cm2.x86_64.rpm
 ntsysv-1.20-3.cm2.x86_64.rpm
-openssl-1.1.1k-19.cm2.x86_64.rpm
-openssl-debuginfo-1.1.1k-19.cm2.x86_64.rpm
-openssl-devel-1.1.1k-19.cm2.x86_64.rpm
-openssl-libs-1.1.1k-19.cm2.x86_64.rpm
-openssl-perl-1.1.1k-19.cm2.x86_64.rpm
-openssl-static-1.1.1k-19.cm2.x86_64.rpm
+openssl-1.1.1k-20.cm2.x86_64.rpm
+openssl-debuginfo-1.1.1k-20.cm2.x86_64.rpm
+openssl-devel-1.1.1k-20.cm2.x86_64.rpm
+openssl-libs-1.1.1k-20.cm2.x86_64.rpm
+openssl-perl-1.1.1k-20.cm2.x86_64.rpm
+openssl-static-1.1.1k-20.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
 p11-kit-devel-0.24.1-1.cm2.x86_64.rpm