import pkcs11-helper-1.27.0-6.el9

.gitignore

@@ -0,0 +1 @@
+SOURCES/pkcs11-helper-1.27.0.tar.bz2

.pkcs11-helper.metadata

@@ -0,0 +1 @@
+1f7046c25968004ef176c0aace90ca6488fbb987  SOURCES/pkcs11-helper-1.27.0.tar.bz2

SOURCES/pkcs11-helper-openssl3.patch

@@ -0,0 +1,24 @@
+From 086d551251cebb67cd74ab2e735427969bbf215f Mon Sep 17 00:00:00 2001
+From: Alon Bar-Lev <alon.barlev@gmail.com>
+Date: Wed, 4 Aug 2021 19:02:34 +0300
+Subject: [PATCH] build: openssl: remove RSA_SSLV23_PADDING constant usage
+
+Due to openssl-3 compatibility, thanks to t0b3
+---
+ lib/pkcs11h-openssl.c | 3 ---
+ 1 files changed, 3 deletions(-)
+
+diff --git a/lib/pkcs11h-openssl.c b/lib/pkcs11h-openssl.c
+index dfb00136..78bb7fc1 100644
+--- a/lib/pkcs11h-openssl.c
++++ b/lib/pkcs11h-openssl.c
+@@ -474,9 +474,6 @@ __pkcs11h_openssl_rsa_dec (
+ 		case RSA_PKCS1_OAEP_PADDING:
+ 			mech = CKM_RSA_PKCS_OAEP;
+ 		break;
+-		case RSA_SSLV23_PADDING:
+-			rv = CKR_MECHANISM_INVALID;
+-		break;
+ 		case RSA_NO_PADDING:
+ 			mech = CKM_RSA_X_509;
+ 		break;

SOURCES/pkcs11-helper-rfc7512.patch

@@ -0,0 +1,719 @@
+From 14e09211c3d50eb06825090c9765e4382cf52f19 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <David.Woodhouse@intel.com>
+Date: Sun, 14 Dec 2014 19:42:18 +0000
+Subject: [PATCH 1/3] Stop _pkcs11h_util_hexToBinary() checking for trailing
+ NUL
+
+We are going to want to use this for parsing %XX hex escapes in RFC7512
+PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only
+one existing caller at the moment, it's simple just to let the caller
+have responsibility for that check.
+
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+---
+ lib/pkcs11h-serialization.c | 8 +++++++-
+ lib/pkcs11h-util.c          | 7 +------
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c
+index 74b4ca7..a45a6c5 100644
+--- a/lib/pkcs11h-serialization.c
++++ b/lib/pkcs11h-serialization.c
+@@ -368,6 +368,7 @@ pkcs11h_certificate_deserializeCertificateId (
+ 	CK_RV rv = CKR_FUNCTION_FAILED;
+ 	char *p = NULL;
+ 	char *_sz = NULL;
++	size_t id_hex_len;
+ 
+ 	_PKCS11H_ASSERT (p_certificate_id!=NULL);
+ 	_PKCS11H_ASSERT (sz!=NULL);
+@@ -413,7 +414,12 @@ pkcs11h_certificate_deserializeCertificateId (
+ 		goto cleanup;
+ 	}
+ 
+-	certificate_id->attrCKA_ID_size = strlen (p)/2;
++	id_hex_len = strlen (p);
++	if (id_hex_len & 1) {
++		rv = CKR_ATTRIBUTE_VALUE_INVALID;
++		goto cleanup;
++	}
++	certificate_id->attrCKA_ID_size = id_hex_len/2;
+ 
+ 	if (
+ 		(rv = _pkcs11h_mem_malloc (
+diff --git a/lib/pkcs11h-util.c b/lib/pkcs11h-util.c
+index 7325db4..7dfe9a3 100644
+--- a/lib/pkcs11h-util.c
++++ b/lib/pkcs11h-util.c
+@@ -109,12 +109,7 @@ _pkcs11h_util_hexToBinary (
+ 		p++;
+ 	}
+ 
+-	if (*p != '\x0') {
+-		return CKR_ATTRIBUTE_VALUE_INVALID;
+-	}
+-	else {
+-		return CKR_OK;
+-	}
++	return CKR_OK;
+ }
+ 
+ CK_RV
+
+From 4d5280da8df591aab701dff4493d13a835a9b29c Mon Sep 17 00:00:00 2001
+From: David Woodhouse <David.Woodhouse@intel.com>
+Date: Wed, 10 Dec 2014 14:00:21 +0000
+Subject: [PATCH 2/3] Accept RFC7512-compliant PKCS#11 URIs as serialized
+ token/certificate IDs
+
+The old format is still accepted for compatibility.
+
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+---
+ lib/pkcs11h-serialization.c | 305 ++++++++++++++++++++++++++++++------
+ 1 file changed, 256 insertions(+), 49 deletions(-)
+
+diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c
+index a45a6c5..390ac0e 100644
+--- a/lib/pkcs11h-serialization.c
++++ b/lib/pkcs11h-serialization.c
+@@ -60,6 +60,26 @@
+ 
+ #if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE)
+ 
++#define URI_SCHEME "pkcs11:"
++
++#define token_field_ofs(field) ((unsigned long)&(((struct pkcs11h_token_id_s *)0)->field))
++#define token_field_size(field) sizeof((((struct pkcs11h_token_id_s *)0)->field))
++#define token_field(name, field) { name "=", sizeof(name), \
++				   token_field_ofs(field), token_field_size(field) }
++
++static struct {
++	const char const *name;
++	size_t namelen;
++	unsigned long field_ofs;
++	size_t field_size;
++} __token_fields[] = {
++	token_field ("model", model),
++	token_field ("token", label),
++	token_field ("manufacturer", manufacturerID ),
++	token_field ("serial", serialNumber ),
++	{ NULL },
++};
++
+ CK_RV
+ pkcs11h_token_serializeTokenId (
+ 	OUT char * const sz,
+@@ -149,9 +169,147 @@ pkcs11h_token_serializeTokenId (
+ 	return rv;
+ }
+ 
++static
+ CK_RV
+-pkcs11h_token_deserializeTokenId (
+-	OUT pkcs11h_token_id_t *p_token_id,
++__parse_token_uri_attr (
++	const char *uri,
++	size_t urilen,
++	char *tokstr,
++	size_t toklen,
++	size_t *parsed_len
++) {
++	size_t orig_toklen = toklen;
++	CK_RV rv = CKR_OK;
++
++	while (urilen && toklen > 1) {
++		if (*uri == '%') {
++			size_t size = 1;
++
++			if (urilen < 3) {
++				rv = CKR_ATTRIBUTE_VALUE_INVALID;
++				goto done;
++			}
++
++			rv = _pkcs11h_util_hexToBinary ((unsigned char *)tokstr,
++							uri + 1, &size);
++			if (rv != CKR_OK) {
++				goto done;
++			}
++
++			uri += 2;
++			urilen -= 2;
++		} else {
++			*tokstr = *uri;
++		}
++		tokstr++;
++		uri++;
++		toklen--;
++		urilen--;
++		tokstr[0] = 0;
++	}
++
++	if (urilen) {
++		rv = CKR_ATTRIBUTE_VALUE_INVALID;
++	} else if (parsed_len) {
++		*parsed_len = orig_toklen - toklen;
++	}
++
++ done:
++	return rv;
++}
++
++static
++CK_RV
++__parse_pkcs11_uri (
++	OUT pkcs11h_token_id_t token_id,
++	OUT pkcs11h_certificate_id_t certificate_id,
++	IN const char * const sz
++) {
++	const char *end, *p;
++	CK_RV rv = CKR_OK;
++
++	_PKCS11H_ASSERT (token_id!=NULL);
++	_PKCS11H_ASSERT (sz!=NULL);
++
++	if (strncmp (sz, URI_SCHEME, strlen (URI_SCHEME)))
++		return CKR_ATTRIBUTE_VALUE_INVALID;
++
++	end = sz + strlen (URI_SCHEME) - 1;
++	while (rv == CKR_OK && end[0] && end[1]) {
++		int i;
++
++		p = end + 1;
++	        end = strchr (p, ';');
++		if (!end)
++			end = p + strlen(p);
++
++		for (i = 0; __token_fields[i].name; i++) {
++			/* Parse the token=, label=, manufacturer= and serial= fields */
++			if (!strncmp(p, __token_fields[i].name, __token_fields[i].namelen)) {
++				char *field = ((char *)token_id) + __token_fields[i].field_ofs;
++
++				p += __token_fields[i].namelen;
++				rv = __parse_token_uri_attr (p, end - p, field,
++							     __token_fields[i].field_size,
++							     NULL);
++				if (rv != CKR_OK) {
++					goto cleanup;
++				}
++
++				goto matched;
++			}
++		}
++		if (certificate_id && !strncmp(p, "id=", 3)) {
++			p += 3;
++
++			rv = _pkcs11h_mem_malloc ((void *)&certificate_id->attrCKA_ID,
++						  end - p + 1);
++			if (rv != CKR_OK) {
++				goto cleanup;
++			}
++
++			rv = __parse_token_uri_attr (p, end - p,
++						     (char *)certificate_id->attrCKA_ID,
++						     end - p + 1,
++						     &certificate_id->attrCKA_ID_size);
++			if (rv != CKR_OK) {
++				goto cleanup;
++			}
++
++			goto matched;
++		}
++
++		/* We don't parse object= because the match code doesn't support
++		   matching by label. */
++
++		/* Failed to parse PKCS#11 URI element. */
++		return CKR_ATTRIBUTE_VALUE_INVALID;
++
++		matched:
++		    ;
++	}
++cleanup:
++	/* The matching code doesn't support support partial matches; it needs
++	 * *all* of manufacturer, model, serial and label attributes to be
++	 * defined. So reject partial URIs early instead of letting it do the
++	 * wrong thing. We can maybe improve this later. */
++	if (!token_id->model[0] || !token_id->label[0] ||
++	    !token_id->manufacturerID[0] || !token_id->serialNumber[0]) {
++		return CKR_ATTRIBUTE_VALUE_INVALID;
++	}
++
++	/* For a certificate ID we need CKA_ID */
++	if (certificate_id && !certificate_id->attrCKA_ID_size) {
++		return CKR_ATTRIBUTE_VALUE_INVALID;
++	}
++
++	return rv;
++}
++
++static
++CK_RV
++__pkcs11h_token_legacy_deserializeTokenId (
++	OUT pkcs11h_token_id_t token_id,
+ 	IN const char * const sz
+ ) {
+ #define __PKCS11H_TARGETS_NUMBER 4
+@@ -160,24 +318,11 @@ pkcs11h_token_deserializeTokenId (
+ 		size_t s;
+ 	} targets[__PKCS11H_TARGETS_NUMBER];
+ 
+-	pkcs11h_token_id_t token_id = NULL;
+ 	char *p1 = NULL;
+ 	char *_sz = NULL;
+ 	int e;
+ 	CK_RV rv = CKR_FUNCTION_FAILED;
+ 
+-	_PKCS11H_ASSERT (p_token_id!=NULL);
+-	_PKCS11H_ASSERT (sz!=NULL);
+-
+-	_PKCS11H_DEBUG (
+-		PKCS11H_LOG_DEBUG2,
+-		"PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'",
+-		(void *)p_token_id,
+-		sz
+-	);
+-
+-	*p_token_id = NULL;
+-
+ 	if (
+ 		(rv = _pkcs11h_mem_strdup (
+ 			(void *)&_sz,
+@@ -189,10 +334,6 @@ pkcs11h_token_deserializeTokenId (
+ 
+ 	p1 = _sz;
+ 
+-	if ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) {
+-		goto cleanup;
+-	}
+-
+ 	targets[0].p = token_id->manufacturerID;
+ 	targets[0].s = sizeof (token_id->manufacturerID);
+ 	targets[1].p = token_id->model;
+@@ -251,6 +392,51 @@ pkcs11h_token_deserializeTokenId (
+ 		p1 = p2+1;
+ 	}
+ 
++	rv = CKR_OK;
++
++cleanup:
++
++	if (_sz != NULL) {
++		_pkcs11h_mem_free ((void *)&_sz);
++	}
++
++	return rv;
++#undef __PKCS11H_TARGETS_NUMBER
++}
++
++CK_RV
++pkcs11h_token_deserializeTokenId (
++	OUT pkcs11h_token_id_t *p_token_id,
++	IN const char * const sz
++) {
++	pkcs11h_token_id_t token_id = NULL;
++	CK_RV rv = CKR_FUNCTION_FAILED;
++
++	_PKCS11H_ASSERT (p_token_id!=NULL);
++	_PKCS11H_ASSERT (sz!=NULL);
++
++	_PKCS11H_DEBUG (
++		PKCS11H_LOG_DEBUG2,
++		"PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'",
++		(void *)p_token_id,
++		sz
++	);
++
++	*p_token_id = NULL;
++
++	if ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) {
++		goto cleanup;
++	}
++
++	if (!strncmp (sz, URI_SCHEME, strlen (URI_SCHEME))) {
++		rv = __parse_pkcs11_uri(token_id, NULL, sz);
++	} else {
++		rv = __pkcs11h_token_legacy_deserializeTokenId(token_id, sz);
++	}
++	if (rv != CKR_OK) {
++		goto cleanup;
++	}
++
+ 	strncpy (
+ 		token_id->display,
+ 		token_id->label,
+@@ -263,11 +449,6 @@ pkcs11h_token_deserializeTokenId (
+ 	rv = CKR_OK;
+ 
+ cleanup:
+-
+-	if (_sz != NULL) {
+-		_pkcs11h_mem_free ((void *)&_sz);
+-	}
+-
+ 	if (token_id != NULL) {
+ 		pkcs11h_token_freeTokenId (token_id);
+ 	}
+@@ -280,7 +461,6 @@ pkcs11h_token_deserializeTokenId (
+ 	);
+ 
+ 	return rv;
+-#undef __PKCS11H_TARGETS_NUMBER
+ }
+ 
+ #endif				/* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */
+@@ -359,29 +539,17 @@ pkcs11h_certificate_serializeCertificateId (
+ 	return rv;
+ }
+ 
++static
+ CK_RV
+-pkcs11h_certificate_deserializeCertificateId (
+-	OUT pkcs11h_certificate_id_t * const p_certificate_id,
++__pkcs11h_certificate_legacy_deserializeCertificateId (
++	OUT pkcs11h_certificate_id_t certificate_id,
+ 	IN const char * const sz
+ ) {
+-	pkcs11h_certificate_id_t certificate_id = NULL;
+ 	CK_RV rv = CKR_FUNCTION_FAILED;
+ 	char *p = NULL;
+ 	char *_sz = NULL;
+ 	size_t id_hex_len;
+ 
+-	_PKCS11H_ASSERT (p_certificate_id!=NULL);
+-	_PKCS11H_ASSERT (sz!=NULL);
+-
+-	*p_certificate_id = NULL;
+-
+-	_PKCS11H_DEBUG (
+-		PKCS11H_LOG_DEBUG2,
+-		"PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'",
+-		(void *)p_certificate_id,
+-		sz
+-	);
+-
+ 	if (
+ 		(rv = _pkcs11h_mem_strdup (
+ 			(void *)&_sz,
+@@ -393,10 +561,6 @@ pkcs11h_certificate_deserializeCertificateId (
+ 
+ 	p = _sz;
+ 
+-	if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) {
+-		goto cleanup;
+-	}
+-
+ 	if ((p = strrchr (_sz, '/')) == NULL) {
+ 		rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ 		goto cleanup;
+@@ -435,21 +599,64 @@ pkcs11h_certificate_deserializeCertificateId (
+ 		goto cleanup;
+ 	}
+ 
++	rv = CKR_OK;
++
++cleanup:
++
++	if (_sz != NULL) {
++		_pkcs11h_mem_free ((void *)&_sz);
++	}
++
++	return rv;
++
++}
++
++CK_RV
++pkcs11h_certificate_deserializeCertificateId (
++	OUT pkcs11h_certificate_id_t * const p_certificate_id,
++	IN const char * const sz
++) {
++	pkcs11h_certificate_id_t certificate_id = NULL;
++	CK_RV rv = CKR_FUNCTION_FAILED;
++
++	_PKCS11H_ASSERT (p_certificate_id!=NULL);
++	_PKCS11H_ASSERT (sz!=NULL);
++
++	*p_certificate_id = NULL;
++
++	_PKCS11H_DEBUG (
++		PKCS11H_LOG_DEBUG2,
++		"PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'",
++		(void *)p_certificate_id,
++		sz
++	);
++
++	if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) {
++		goto cleanup;
++	}
++	if ((rv = _pkcs11h_token_newTokenId (&certificate_id->token_id)) != CKR_OK) {
++		goto cleanup;
++	}
++
++	if (!strncmp(sz, URI_SCHEME, strlen (URI_SCHEME))) {
++		rv = __parse_pkcs11_uri (certificate_id->token_id, certificate_id, sz);
++	} else {
++		rv = __pkcs11h_certificate_legacy_deserializeCertificateId (certificate_id, sz);
++	}
++	if (rv != CKR_OK) {
++		goto cleanup;
++	}
++
+ 	*p_certificate_id = certificate_id;
+ 	certificate_id = NULL;
+ 	rv = CKR_OK;
+ 
+ cleanup:
+-
+ 	if (certificate_id != NULL) {
+ 		pkcs11h_certificate_freeCertificateId (certificate_id);
+ 		certificate_id = NULL;
+ 	}
+ 
+-	if (_sz != NULL) {
+-		_pkcs11h_mem_free ((void *)&_sz);
+-	}
+-
+ 	_PKCS11H_DEBUG (
+ 		PKCS11H_LOG_DEBUG2,
+ 		"PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=%lu-'%s'",
+
+From 90590b02085edc3830bdfe0942a46c4e7bf3f1ab Mon Sep 17 00:00:00 2001
+From: David Woodhouse <David.Woodhouse@intel.com>
+Date: Thu, 30 Apr 2015 14:58:24 +0100
+Subject: [PATCH 3/3] Serialize to RFC7512-compliant PKCS#11 URIs
+
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+---
+ lib/pkcs11h-serialization.c | 186 ++++++++++++++++++------------------
+ 1 file changed, 91 insertions(+), 95 deletions(-)
+
+diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c
+index 390ac0e..0ea1861 100644
+--- a/lib/pkcs11h-serialization.c
++++ b/lib/pkcs11h-serialization.c
+@@ -80,29 +80,107 @@ static struct {
+ 	{ NULL },
+ };
+ 
++#define               P11_URL_VERBATIM      "abcdefghijklmnopqrstuvwxyz" \
++                                            "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
++                                            "0123456789_-."
++
++static
++int
++__token_attr_escape(char *uri, char *attr, size_t attrlen)
++{
++	int len = 0, i;
++
++	for (i = 0; i < attrlen; i++) {
++		if ((attr[i] != '\x0') && strchr(P11_URL_VERBATIM, attr[i])) {
++			if (uri) {
++				*(uri++) = attr[i];
++			}
++			len++;
++		} else {
++			if (uri) {
++				sprintf(uri, "%%%02x", (unsigned char)attr[i]);
++				uri += 3;
++			}
++			len += 3;
++		}
++	}
++	return len;
++}
++
++static
++CK_RV
++__generate_pkcs11_uri (
++	OUT char * const sz,
++	IN OUT size_t *max,
++	IN const pkcs11h_certificate_id_t certificate_id,
++	IN const pkcs11h_token_id_t token_id
++) {
++	size_t _max;
++	char *p = sz;
++	int i;
++
++	_PKCS11H_ASSERT (max!=NULL);
++	_PKCS11H_ASSERT (token_id!=NULL);
++
++	_max = strlen(URI_SCHEME);
++	for (i = 0; __token_fields[i].name; i++) {
++		char *field = ((char *)token_id) + __token_fields[i].field_ofs;
++
++		_max += __token_fields[i].namelen;
++		_max += __token_attr_escape (NULL, field, strlen(field));
++		_max++; /* For a semicolon or trailing NUL */
++	}
++	if (certificate_id) {
++		_max += strlen (";id=");
++		_max += __token_attr_escape (NULL,
++					     (char *)certificate_id->attrCKA_ID,
++					     certificate_id->attrCKA_ID_size);
++	}
++
++	if (!sz) {
++		*max = _max;
++		return CKR_OK;
++	}
++
++	if (sz && *max < _max)
++		return CKR_ATTRIBUTE_VALUE_INVALID;
++
++	p += sprintf(p, URI_SCHEME);
++	for (i = 0; __token_fields[i].name; i++) {
++		char *field = ((char *)token_id) + __token_fields[i].field_ofs;
++
++		p += sprintf (p, "%s", __token_fields[i].name);
++		p += __token_attr_escape (p, field, strlen(field));
++		*(p++) = ';';
++	}
++	if (certificate_id) {
++		p += sprintf (p, "id=");
++		p += __token_attr_escape (p,
++					  (char *)certificate_id->attrCKA_ID,
++					  certificate_id->attrCKA_ID_size);
++	} else {
++		/* Remove the unneeded trailing semicolon */
++		p--;
++	}
++	*(p++) = 0;
++
++	*max = _max;
++
++	return CKR_OK;
++}
++
+ CK_RV
+ pkcs11h_token_serializeTokenId (
+ 	OUT char * const sz,
+ 	IN OUT size_t *max,
+ 	IN const pkcs11h_token_id_t token_id
+ ) {
+-	const char *sources[5];
+ 	CK_RV rv = CKR_FUNCTION_FAILED;
+-	size_t n;
+-	int e;
+ 
+ 	/*_PKCS11H_ASSERT (sz!=NULL); Not required*/
+ 	_PKCS11H_ASSERT (max!=NULL);
+ 	_PKCS11H_ASSERT (token_id!=NULL);
+ 
+-	{ /* Must be after assert */
+-		sources[0] = token_id->manufacturerID;
+-		sources[1] = token_id->model;
+-		sources[2] = token_id->serialNumber;
+-		sources[3] = token_id->label;
+-		sources[4] = NULL;
+-	}
+-
+ 	_PKCS11H_DEBUG (
+ 		PKCS11H_LOG_DEBUG2,
+ 		"PKCS#11: pkcs11h_token_serializeTokenId entry sz=%p, *max="P_Z", token_id=%p",
+@@ -111,51 +189,7 @@ pkcs11h_token_serializeTokenId (
+ 		(void *)token_id
+ 	);
+ 
+-	n = 0;
+-	for (e=0;sources[e] != NULL;e++) {
+-		size_t t;
+-		if (
+-			(rv = _pkcs11h_util_escapeString (
+-				NULL,
+-				sources[e],
+-				&t,
+-				__PKCS11H_SERIALIZE_INVALID_CHARS
+-			)) != CKR_OK
+-		) {
+-			goto cleanup;
+-		}
+-		n+=t;
+-	}
+-
+-	if (sz != NULL) {
+-		if (*max < n) {
+-			rv = CKR_ATTRIBUTE_VALUE_INVALID;
+-			goto cleanup;
+-		}
+-
+-		n = 0;
+-		for (e=0;sources[e] != NULL;e++) {
+-			size_t t = *max-n;
+-			if (
+-				(rv = _pkcs11h_util_escapeString (
+-					sz+n,
+-					sources[e],
+-					&t,
+-					__PKCS11H_SERIALIZE_INVALID_CHARS
+-				)) != CKR_OK
+-			) {
+-				goto cleanup;
+-			}
+-			n+=t;
+-			sz[n-1] = '/';
+-		}
+-		sz[n-1] = '\x0';
+-	}
+-
+-	*max = n;
+-	rv = CKR_OK;
+-
+-cleanup:
++	rv = __generate_pkcs11_uri(sz, max, NULL, token_id);
+ 
+ 	_PKCS11H_DEBUG (
+ 		PKCS11H_LOG_DEBUG2,
+@@ -474,9 +508,6 @@ pkcs11h_certificate_serializeCertificateId (
+ 	IN const pkcs11h_certificate_id_t certificate_id
+ ) {
+ 	CK_RV rv = CKR_FUNCTION_FAILED;
+-	size_t saved_max = 0;
+-	size_t n = 0;
+-	size_t _max = 0;
+ 
+ 	/*_PKCS11H_ASSERT (sz!=NULL); Not required */
+ 	_PKCS11H_ASSERT (max!=NULL);
+@@ -490,42 +521,7 @@ pkcs11h_certificate_serializeCertificateId (
+ 		(void *)certificate_id
+ 	);
+ 
+-	if (sz != NULL) {
+-		saved_max = n = *max;
+-	}
+-	*max = 0;
+-
+-	if (
+-		(rv = pkcs11h_token_serializeTokenId (
+-			sz,
+-			&n,
+-			certificate_id->token_id
+-		)) != CKR_OK
+-	) {
+-		goto cleanup;
+-	}
+-
+-	_max = n + certificate_id->attrCKA_ID_size*2 + 1;
+-
+-	if (sz != NULL) {
+-		if (saved_max < _max) {
+-			rv = CKR_ATTRIBUTE_VALUE_INVALID;
+-			goto cleanup;
+-		}
+-
+-		sz[n-1] = '/';
+-		rv = _pkcs11h_util_binaryToHex (
+-			sz+n,
+-			saved_max-n,
+-			certificate_id->attrCKA_ID,
+-			certificate_id->attrCKA_ID_size
+-		);
+-	}
+-
+-	*max = _max;
+-	rv = CKR_OK;
+-
+-cleanup:
++	rv = __generate_pkcs11_uri(sz, max, certificate_id, certificate_id->token_id);
+ 
+ 	_PKCS11H_DEBUG (
+ 		PKCS11H_LOG_DEBUG2,

SPECS/pkcs11-helper.spec

@@ -0,0 +1,205 @@
+Name:           pkcs11-helper
+Version:        1.27.0
+Release:        6%{?dist}
+Summary:        A library for using PKCS#11 providers
+
+License:        GPLv2 or BSD
+URL:            http://www.opensc-project.org/opensc/wiki/pkcs11-helper
+Source0:        https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-1.27/pkcs11-helper-%{version}.tar.bz2
+# https://github.com/OpenSC/pkcs11-helper/pull/4
+Patch2:         pkcs11-helper-rfc7512.patch
+# https://github.com/OpenSC/pkcs11-helper/commit/086d551251cebb67cd74ab2e735427969bbf215f
+Patch3:         pkcs11-helper-openssl3.patch
+
+BuildRequires: make
+BuildRequires:  gcc
+BuildRequires:  doxygen graphviz
+BuildRequires:  openssl-devel
+
+%description
+pkcs11-helper is a library that simplifies the interaction with PKCS#11
+providers for end-user applications using a simple API and optional OpenSSL
+engine. The library allows using multiple PKCS#11 providers at the same time,
+enumerating available token certificates, or selecting a certificate directly
+by serialized id, handling card removal and card insert events, handling card
+re-insert to a different slot, supporting session expiration and much more all
+using a simple API. 
+
+%package        devel
+Summary:        Development files for pkcs11-helper
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       openssl-devel
+# for /usr/share/aclocal
+Requires:       automake
+
+%description    devel
+This package contains header files and documentation necessary for developing
+programs using the pkcs11-helper library.
+
+
+%prep
+%autosetup -p1
+
+%build
+%configure --disable-static --enable-doc
+%make_build
+
+
+%install
+%make_install
+
+# Use %%doc to install documentation in a standard location
+mkdir apidocdir
+mv $RPM_BUILD_ROOT%{_datadir}/doc/%{name}/api/ apidocdir/
+rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/%{name}/
+
+# Remove libtool .la files
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+
+
+%ldconfig_scriptlets
+
+
+%files
+%license COPYING*
+%doc AUTHORS ChangeLog README THANKS
+%{_libdir}/libpkcs11-helper.so.1*
+
+
+%files devel
+%doc apidocdir/*
+%{_includedir}/pkcs11-helper-1.0/
+%{_libdir}/libpkcs11-helper.so
+%{_libdir}/pkgconfig/libpkcs11-helper-1.pc
+%{_datadir}/aclocal/pkcs11-helper-1.m4
+%{_mandir}/man8/pkcs11-helper-1.8*
+
+
+%changelog
+* Mon Jul 17 2023 Arkady L. Shane <ashejn@msvsphere.ru> - 1.27.0-6
+- Rebuilt for MSVSphere 9.2
+
+* Mon Oct 04 2021 Neal Gompa <ngompa@fedoraproject.org> - 1.27.0-6
+- Backport fix for OpenSSL 3.0 support
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.27.0-5
+- Rebuilt with OpenSSL 3.0.0
+
+* Tue Jul 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.27.0-4
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.27.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Dec 18 2020 Kalev Lember <klember@redhat.com> - 1.27.0-2
+- Update pkcs11-helper-rfc7512.patch from
+  https://github.com/OpenSC/pkcs11-helper/pull/4 (#1849259)
+
+* Fri Nov 20 2020 Kalev Lember <klember@redhat.com> - 1.27.0-1
+- Update to 1.27.0
+- Use make_build and make_install macros
+- Tighten soname globs
+- Use license macro for COPYING*
+- Tighten requires with _isa macro
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.22-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Apr 24 2020 David Woodhouse <dwmw2@infradead.org> - 1.22-10
+- Fix serialisation of attributes with NUL bytes in (#1825496)
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.22-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.22-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.22-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.22-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.22-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Nov 24 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.22-4
+- Addressed issue with RFC7512 URI parsing (#1516474)
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.22-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.22-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Feb 21 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.22-1
+- New upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.11-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.11-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Sep 22 2015 David Woodhouse <David.Woodhouse@intel.com> - 1.11-7
+- Fix ID buffer size for URI parsing (#1264645)
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.11-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Apr 29 2015 David Woodhouse <David.Woodhouse@intel.com> - 1.11-5
+- Migrate ID serialisation format to RFC7512 (#1173554)
+
+* Tue Dec 09 2014 David Woodhouse <David.Woodhouse@intel.com> - 1.11-4
+- Apply upstream fix for bug #1172237 (ignore objects without CKA_ID)
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.11-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Apr 11 2014 Jon Ciesla <limburgher@gmail.com> - 1.11-1
+- Latest upstream, required for openvpn 2.3.3.
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Apr 02 2013 Kalev Lember <kalevlember@gmail.com> - 1.10-1
+- Update to 1.10
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.09-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.09-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.09-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Aug 17 2011 Kalev Lember <kalevlember@gmail.com> - 1.09-1
+- Update to 1.09
+
+* Sun Jun 19 2011 Kalev Lember <kalev@smartlink.ee> - 1.08-1
+- Update to 1.08
+- Clean up the spec file for modern rpmbuild
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.07-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Jul 01 2010 Kalev Lember <kalev@smartlink.ee> - 1.07-5
+- use System Environment/Libraries group for main package
+- removed R: pkgconfig from devel subpackage
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.07-4
+- rebuilt with new openssl
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.07-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sat Jul 11 2009 Kalev Lember <kalev@smartlink.ee> - 1.07-2
+- Make devel package depend on automake for /usr/share/aclocal
+
+* Tue Jun 23 2009 Kalev Lember <kalev@smartlink.ee> - 1.07-1
+- Initial RPM release.