Version in base suite: 1.12.0-2 Base version: python-acme_1.12.0-2 Target version: python-acme_1.12.0-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-acme/python-acme_1.12.0-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-acme/python-acme_1.12.0-2+deb11u1.dsc changelog | 7 +++++++ patches/fix-csr-version.patch | 40 ++++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 48 insertions(+)
diff -Nru python-acme-1.12.0/debian/changelog python-acme-1.12.0/debian/changelog
--- python-acme-1.12.0/debian/changelog 2021-02-02 21:37:28.000000000 +0000
+++ python-acme-1.12.0/debian/changelog 2022-12-11 21:44:00.000000000 +0000
@@ -1,3 +1,10 @@
+python-acme (1.12.0-2+deb11u1) bullseye; urgency=medium
+
+ * Fix CSR version to prevent problems with strictly RFC-complying
+ implementations of the ACME API (Closes: #1025891)
+
+ -- Harlan Lieberman-Berg Sun, 11 Dec 2022 16:44:00 -0500
+
 python-acme (1.12.0-2) unstable; urgency=medium
 
 * Commit missed changes to control file.
diff -Nru python-acme-1.12.0/debian/patches/fix-csr-version.patch python-acme-1.12.0/debian/patches/fix-csr-version.patch
--- python-acme-1.12.0/debian/patches/fix-csr-version.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-acme-1.12.0/debian/patches/fix-csr-version.patch 2022-12-11 21:42:50.000000000 +0000
@@ -0,0 +1,40 @@
+Description: Fix incorrect CSR version
+ Certain strict implementations of the ACME API deny all version numbers except
+ that defined in the RFC (version 0). To accommodate, unilaterally set it to 0.
+Author: Amir Omidi
+Origin: https://github.com/certbot/certbot/pull/9334/
+Bug-Debian: https://bugs.debian.org/1025891
+Acked-By: Harlan Lieberman-Berg
+Index: python-acme/acme/crypto_util.py
+===================================================================
+--- python-acme.orig/acme/crypto_util.py
++++ python-acme/acme/crypto_util.py
+@@ -213,7 +213,8 @@ def make_csr(private_key_pem, domains, m
+ value=b"DER:30:03:02:01:05"))
+ csr.add_extensions(extensions)
+ csr.set_pubkey(private_key)
+- csr.set_version(2)
++ # RFC 2986 Section 4.1 only defines version 0
++ csr.set_version(0)
+ csr.sign(private_key, 'sha256')
+ return crypto.dump_certificate_request(
+ crypto.FILETYPE_PEM, csr)
+Index: python-acme/tests/crypto_util_test.py
+===================================================================
+--- python-acme.orig/tests/crypto_util_test.py
++++ python-acme/tests/crypto_util_test.py
+@@ -244,6 +244,14 @@ class MakeCSRTest(unittest.TestCase):
+ self.assertEqual(len(must_staple_exts), 1,
+ "Expected exactly one Must Staple extension")
+
++ def test_make_csr_correct_version(self):
++ csr_pem = self._call_with_key(["a.example"])
++ csr = OpenSSL.crypto.load_certificate_request(
++ OpenSSL.crypto.FILETYPE_PEM, csr_pem)
++
++ self.assertEqual(csr.get_version(), 0,
++ "Expected CSR version to be v1 (encoded as 0), per RFC 2986, section 4")
++
+
+ class DumpPyopensslChainTest(unittest.TestCase):
+ """Test for dump_pyopenssl_chain."""
diff -Nru python-acme-1.12.0/debian/patches/series python-acme-1.12.0/debian/patches/series
--- python-acme-1.12.0/debian/patches/series 2021-01-10 19:56:16.000000000 +0000
+++ python-acme-1.12.0/debian/patches/series 2022-12-11 21:38:15.000000000 +0000
@@ -1 +1,2 @@
 disable-tls-alpn-test.patch
+fix-csr-version.patch
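Review bot: The comment added above `csr.set_version(0)` in acme/crypto_util.py (inside fix-csr-version.patch) says only that RFC 2986 defines version 0, and does not say that 0 is the encoded value of PKCS#10 v1, which is what a reader comparing it with the old `set_version(2)` needs; the new test's message already states this. I would write it as `# PKCS#10 (RFC 2986, section 4.1) defines only v1, which is encoded as the integer 0; strict ACME servers reject any other value`. The two citations also differ ("Section 4.1" in the comment, "section 4" in the test message) and should match. The patch header's Description says "the RFC" without naming it; since the changelog speaks of the ACME API, naming RFC 2986 there would keep it from being read as the ACME RFC. make_csr's body begins outside the embedded hunk, so whether any other path sets the version is not visible here.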