Bug#1025925: bullseye-pu: package python-acme/1.12.0-2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-acme@packages.debian.org, hlieberman@debian.org
Control: affects -1 + src:python-acme
Hello SRMs!
A bug, #1025891, was recently reported about the certbot package failing to
produce certificates when run against certain strictly-RFC-complying instances
of the ACME API. A fix is present upstream in later versions, however, stable is
still affected.
This is a simple backport, changing only the version number (and its associated
test), taken from upstream.
I have tested the updated version of certbot against the Let's Encrypt test
instances directly, and through the apache and nginx plugins. All were
successful. Note: the Let's Encrypt API is not strictly-RFC-complying in this
regard, so this proves only that the package is not broken further. However,
considering the simplicity of the patch, I'm not concerned about testing against
a stricter endpoint.
A source debdiff is attached. I await your thumbs-up before uploading.
Sincerely,
--
Harlan Lieberman-Berg
~hlieberman
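The check a strictly RFC-complying ACME endpoint applies to the CSR's version field, written here as an added example (not code from this report or from python-acme): it decodes just enough DER to read the INTEGER at the head of CertificationRequestInfo and compares it with the value RFC 2986 section 4.1 requires. The two sample CSRs are constructed skeletons (version plus an empty subject), not real signed requests.

```python
import base64
import re

RFC2986_VERSION = 0  # RFC 2986 section 4.1: "It shall be 0 for this version of the standard."

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    return base64.b64decode(re.sub(r"-----(BEGIN|END)[^-]*-----|\s", "", pem))

def csr_version(der: bytes) -> int:
    """Return the INTEGER version from CertificationRequestInfo (RFC 2986 section 4.1)."""
    tag, cr, _ = _read_tlv(der, 0)          # CertificationRequest ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("CSR is not a DER SEQUENCE")
    tag, cri, _ = _read_tlv(cr, 0)          # CertificationRequestInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing CertificationRequestInfo")
    tag, ver, _ = _read_tlv(cri, 0)         # version INTEGER is the first element
    if tag != 0x02:
        raise ValueError("CSR version is not an INTEGER")
    return int.from_bytes(ver, "big", signed=True)

def csr_version_ok(pem: str) -> bool:
    """The acceptance check a strict server applies before looking at anything else."""
    return csr_version(pem_to_der(pem)) == RFC2986_VERSION

# Constructed samples: a minimal CertificationRequestInfo skeleton (version + empty
# subject) wrapped as a CSR. Not real, signed CSRs; just enough structure to check.
def _der(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value  # short-form length only (value < 128 bytes)

def _skeleton_pem(version: int) -> str:
    cri = _der(0x30, _der(0x02, bytes([version])) + _der(0x30, b""))
    body = base64.b64encode(_der(0x30, cri)).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

GOOD_CSR_PEM = _skeleton_pem(0)  # what the patched make_csr emits
BAD_CSR_PEM = _skeleton_pem(2)   # what set_version(2) in 1.12.0 emitted
```

Running the same check over a CSR produced by the unpatched package is the quickest way to confirm whether a certificate failure against a strict endpoint is this bug.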
diff -Nru python-acme-1.12.0/debian/changelog python-acme-1.12.0/debian/changelog
--- python-acme-1.12.0/debian/changelog 2021-02-02 16:37:28.000000000 -0500
+++ python-acme-1.12.0/debian/changelog 2022-12-11 16:44:00.000000000 -0500
@@ -1,3 +1,10 @@
+python-acme (1.12.0-2+deb11u1) bullseye; urgency=medium
+
+ * Fix CSR version to prevent problems with strictly RFC-complying
+ implementations of the ACME API (Closes: #1025891)
+
+ -- Harlan Lieberman-Berg <hlieberman@debian.org> Sun, 11 Dec 2022 16:44:00 -0500
+
python-acme (1.12.0-2) unstable; urgency=medium
* Commit missed changes to control file.
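Review bot: the changelog entry lists only the CSR version fix, but this debdiff also changes debian/control (python3-chardet dropped from Build-Depends, python3-six (>= 1.9) added). A stable update should document every change it carries, so either add a changelog line explaining the Build-Depends change or leave debian/control untouched if it is not needed for the fix.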
diff -Nru python-acme-1.12.0/debian/control python-acme-1.12.0/debian/control
--- python-acme-1.12.0/debian/control 2021-02-02 16:37:28.000000000 -0500
+++ python-acme-1.12.0/debian/control 2022-12-11 16:26:05.000000000 -0500
@@ -7,7 +7,6 @@
Build-Depends: debhelper-compat (= 13),
dh-python,
python3,
- python3-chardet,
python3-cryptography (>= 2.1.4),
python3-docutils,
python3-josepy,
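Review bot: removing python3-chardet from Build-Depends is not mentioned in the cover letter, which says only the version number and its test change. Either explain why the build no longer needs it (and record that in the changelog), or keep Build-Depends as it was in 1.12.0-2 to keep the stable update minimal.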
@@ -18,6 +17,7 @@
python3-requests-toolbelt,
python3-rfc3339,
python3-setuptools (>= 11.3),
+ python3-six (>= 1.9),
python3-sphinx (>= 1.3.1-1~),
python3-sphinx-rtd-theme,
python3-tz
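Review bot: the new python3-six (>= 1.9) build dependency is likewise undocumented. Since 1.12.0-2 already built in bullseye without it, confirm that the fix-csr-version.patch actually requires it and that the version shipped in bullseye satisfies the constraint; if the package builds fine without it, drop the addition or justify it in the changelog.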
diff -Nru python-acme-1.12.0/debian/patches/fix-csr-version.patch python-acme-1.12.0/debian/patches/fix-csr-version.patch
--- python-acme-1.12.0/debian/patches/fix-csr-version.patch 1969-12-31 19:00:00.000000000 -0500
+++ python-acme-1.12.0/debian/patches/fix-csr-version.patch 2022-12-11 16:42:50.000000000 -0500
@@ -0,0 +1,40 @@
+Description: Fix incorrect CSR version
+ Certain strict implementations of the ACME API deny all version numbers except
+ that defined in the RFC (version 0). To accommodate, unilaterally set it to 0.
+Author: Amir Omidi
+Origin: https://github.com/certbot/certbot/pull/9334/
+Bug-Debian: https://bugs.debian.org/1025891
+Acked-By: Harlan Lieberman-Berg <hlieberman@debian.org>
+Index: python-acme/acme/crypto_util.py
+===================================================================
+--- python-acme.orig/acme/crypto_util.py
++++ python-acme/acme/crypto_util.py
+@@ -213,7 +213,8 @@ def make_csr(private_key_pem, domains, m
+ value=b"DER:30:03:02:01:05"))
+ csr.add_extensions(extensions)
+ csr.set_pubkey(private_key)
+- csr.set_version(2)
++ # RFC 2986 Section 4.1 only defines version 0
++ csr.set_version(0)
+ csr.sign(private_key, 'sha256')
+ return crypto.dump_certificate_request(
+ crypto.FILETYPE_PEM, csr)
+Index: python-acme/tests/crypto_util_test.py
+===================================================================
+--- python-acme.orig/tests/crypto_util_test.py
++++ python-acme/tests/crypto_util_test.py
+@@ -244,6 +244,14 @@ class MakeCSRTest(unittest.TestCase):
+ self.assertEqual(len(must_staple_exts), 1,
+ "Expected exactly one Must Staple extension")
+
++ def test_make_csr_correct_version(self):
++ csr_pem = self._call_with_key(["a.example"])
++ csr = OpenSSL.crypto.load_certificate_request(
++ OpenSSL.crypto.FILETYPE_PEM, csr_pem)
++
++ self.assertEqual(csr.get_version(), 0,
++ "Expected CSR version to be v1 (encoded as 0), per RFC 2986, section 4")
++
+
+ class DumpPyopensslChainTest(unittest.TestCase):
+ """Test for dump_pyopenssl_chain."""
diff -Nru python-acme-1.12.0/debian/patches/series python-acme-1.12.0/debian/patches/series
--- python-acme-1.12.0/debian/patches/series 2021-01-10 14:56:16.000000000 -0500
+++ python-acme-1.12.0/debian/patches/series 2022-12-11 16:38:15.000000000 -0500
@@ -1 +1,2 @@
disable-tls-alpn-test.patch
+fix-csr-version.patch