
Bug#1025925: bullseye-pu: package python-acme/1.12.0-2



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-acme@packages.debian.org, hlieberman@debian.org
Control: affects -1 + src:python-acme

Hello SRMs!

A bug, #1025891, was recently reported about the certbot package failing to
produce certificates when run against certain strictly-RFC-complying instances
of the ACME API. A fix is present upstream in later versions; however, stable is
still affected.

This is a simple backport, changing only the version number (and its associated
test), taken from upstream.

I have tested the updated version of certbot against the Let's Encrypt test
instances directly, and through the apache and nginx plugins. All were
successful. Note: the Let's Encrypt API is not strictly-RFC-complying in this
regard, so this proves only that the package is not broken further. However,
considering the simplicity of the patch, I'm not concerned about testing against
a stricter endpoint.

A source debdiff is attached. I await your thumbs-up before uploading.

Sincerely,

--
Harlan Lieberman-Berg
~hlieberman
diff -Nru python-acme-1.12.0/debian/changelog python-acme-1.12.0/debian/changelog
--- python-acme-1.12.0/debian/changelog	2021-02-02 16:37:28.000000000 -0500
+++ python-acme-1.12.0/debian/changelog	2022-12-11 16:44:00.000000000 -0500
@@ -1,3 +1,10 @@
+python-acme (1.12.0-2+deb11u1) bullseye; urgency=medium
+
+  * Fix CSR version to prevent problems with strictly RFC-complying
+    implementations of the ACME API (Closes: #1025891)
+
+ -- Harlan Lieberman-Berg <hlieberman@debian.org>  Sun, 11 Dec 2022 16:44:00 -0500
+
 python-acme (1.12.0-2) unstable; urgency=medium
 
   * Commit missed changes to control file.
diff -Nru python-acme-1.12.0/debian/control python-acme-1.12.0/debian/control
--- python-acme-1.12.0/debian/control	2021-02-02 16:37:28.000000000 -0500
+++ python-acme-1.12.0/debian/control	2022-12-11 16:26:05.000000000 -0500
@@ -7,7 +7,6 @@
 Build-Depends: debhelper-compat (= 13),
                dh-python,
                python3,
-               python3-chardet,
                python3-cryptography (>= 2.1.4),
                python3-docutils,
                python3-josepy,
@@ -18,6 +17,7 @@
                python3-requests-toolbelt,
                python3-rfc3339,
                python3-setuptools (>= 11.3),
+               python3-six (>= 1.9),
                python3-sphinx (>= 1.3.1-1~),
                python3-sphinx-rtd-theme,
                python3-tz
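Review bot: the Build-Depends edits in this file (dropping `python3-chardet` in the first hunk and adding `python3-six (>= 1.9)` in the second) are recorded neither in the new changelog entry nor in the cover letter, which describes the upload as changing only the CSR version and its test; for a stable update either document in debian/changelog why they are needed or leave them out of this upload.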
diff -Nru python-acme-1.12.0/debian/patches/fix-csr-version.patch python-acme-1.12.0/debian/patches/fix-csr-version.patch
--- python-acme-1.12.0/debian/patches/fix-csr-version.patch	1969-12-31 19:00:00.000000000 -0500
+++ python-acme-1.12.0/debian/patches/fix-csr-version.patch	2022-12-11 16:42:50.000000000 -0500
@@ -0,0 +1,40 @@
+Description: Fix incorrect CSR version
+  Certain strict implementations of the ACME API deny all version numbers except
+  that defined in the RFC (version 0). To accommodate, unilaterally set it to 0.
+Author: Amir Omidi
+Origin: https://github.com/certbot/certbot/pull/9334/
+Bug-Debian: https://bugs.debian.org/1025891
+Acked-By: Harlan Lieberman-Berg <hlieberman@debian.org>
+Index: python-acme/acme/crypto_util.py
+===================================================================
+--- python-acme.orig/acme/crypto_util.py
++++ python-acme/acme/crypto_util.py
+@@ -213,7 +213,8 @@ def make_csr(private_key_pem, domains, m
+             value=b"DER:30:03:02:01:05"))
+     csr.add_extensions(extensions)
+     csr.set_pubkey(private_key)
+-    csr.set_version(2)
++    # RFC 2986 Section 4.1 only defines version 0
++    csr.set_version(0)
+     csr.sign(private_key, 'sha256')
+     return crypto.dump_certificate_request(
+         crypto.FILETYPE_PEM, csr)
+Index: python-acme/tests/crypto_util_test.py
+===================================================================
+--- python-acme.orig/tests/crypto_util_test.py
++++ python-acme/tests/crypto_util_test.py
+@@ -244,6 +244,14 @@ class MakeCSRTest(unittest.TestCase):
+             self.assertEqual(len(must_staple_exts), 1,
+                 "Expected exactly one Must Staple extension")
+ 
++    def test_make_csr_correct_version(self):
++        csr_pem = self._call_with_key(["a.example"])
++        csr = OpenSSL.crypto.load_certificate_request(
++            OpenSSL.crypto.FILETYPE_PEM, csr_pem)
++
++        self.assertEqual(csr.get_version(), 0,
++                         "Expected CSR version to be v1 (encoded as 0), per RFC 2986, section 4")
++
+ 
+ class DumpPyopensslChainTest(unittest.TestCase):
+     """Test for dump_pyopenssl_chain."""
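Review bot: the justification is phrased two different ways inside the patch: the code comment `+    # RFC 2986 Section 4.1 only defines version 0` and the test message `"Expected CSR version to be v1 (encoded as 0), per RFC 2986, section 4"`; both are correct (RFC 2986 section 4.1 defines version as INTEGER { v1(0) }), but one wording for both, e.g. "v1, encoded as INTEGER 0, RFC 2986 section 4.1", saves the reader from wondering whether "version 0" and "v1" differ. The DEP-3 `Origin:` header should also carry a category prefix, e.g. `Origin: backport, https://github.com/certbot/certbot/pull/9334/`, since this is a backport of an upstream pull request rather than a Debian-specific change.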
diff -Nru python-acme-1.12.0/debian/patches/series python-acme-1.12.0/debian/patches/series
--- python-acme-1.12.0/debian/patches/series	2021-01-10 14:56:16.000000000 -0500
+++ python-acme-1.12.0/debian/patches/series	2022-12-11 16:38:15.000000000 -0500
@@ -1 +1,2 @@
 disable-tls-alpn-test.patch
+fix-csr-version.patch
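The check that made strict ACME servers reject these CSRs, shown from the verifying side as an added example that is not part of the bug report or of python-acme: a minimal DER walk reads CertificationRequestInfo.version from a PEM CSR and applies the RFC 2986 rule that only version 0 (v1) exists. The CSR bodies are constructed stubs (empty subject, dummy key and signature), enough to exercise the version check and nothing more.

```python
"""Added example (not from the bug report or python-acme): the PKCS#10
version check a strictly RFC 2986-conforming ACME server applies to a CSR.
RFC 2986 4.1 defines version as INTEGER { v1(0) }; python-acme 1.12.0 sent 2."""
import base64
import re

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (long-form lengths up to 65535 suffice here)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + body

def _read_tlv(buf: bytes, pos: int, want: int):
    """Decode the TLV at pos, checking its tag; return (value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return buf[pos:pos + n], pos + n

def csr_version(pem: str) -> int:
    """Return CertificationRequestInfo.version from a PEM-encoded CSR."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    req, _ = _read_tlv(der, 0, 0x30)       # CertificationRequest SEQUENCE
    info, _ = _read_tlv(req, 0, 0x30)      # CertificationRequestInfo SEQUENCE
    version, _ = _read_tlv(info, 0, 0x02)  # version INTEGER, first element
    return int.from_bytes(version, "big", signed=True)

def strict_server_accepts(pem: str) -> bool:
    """Only version 0 is defined, so a strict server rejects anything else."""
    return csr_version(pem) == 0

def constructed_csr(version: int) -> str:
    """Constructed stub: empty subject/attributes, dummy SPKI and signature."""
    info = _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x30, b"")
                + _tlv(0x30, b"") + _tlv(0xA0, b""))
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    der = _tlv(0x30, info + sha256_rsa + _tlv(0x03, b"\x00" * 65))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}\n-----END CERTIFICATE REQUEST-----\n"
```

`csr_version()` also works on a real CSR produced by the patched or unpatched package, since it reads only the first INTEGER of the CertificationRequestInfo.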
