commit ef58940399af38664ea5bcc1a70b728d9bf6dd44
Author: tigro
Date: Mon Jul 17 12:18:19 2023 +0300
import pkcs11-helper-1.27.0-6.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2f39263
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/pkcs11-helper-1.27.0.tar.bz2
diff --git a/.pkcs11-helper.metadata b/.pkcs11-helper.metadata
new file mode 100644
index 0000000..c95aefa
--- /dev/null
+++ b/.pkcs11-helper.metadata
@@ -0,0 +1 @@
+1f7046c25968004ef176c0aace90ca6488fbb987 SOURCES/pkcs11-helper-1.27.0.tar.bz2
diff --git a/SOURCES/pkcs11-helper-openssl3.patch b/SOURCES/pkcs11-helper-openssl3.patch
new file mode 100644
index 0000000..62194bd
--- /dev/null
+++ b/SOURCES/pkcs11-helper-openssl3.patch
@@ -0,0 +1,24 @@
+From 086d551251cebb67cd74ab2e735427969bbf215f Mon Sep 17 00:00:00 2001
+From: Alon Bar-Lev
+Date: Wed, 4 Aug 2021 19:02:34 +0300
+Subject: [PATCH] build: openssl: remove RSA_SSLV23_PADDING constant usage
+
+Due to openssl-3 compatibility, thanks to t0b3
+---
+ lib/pkcs11h-openssl.c | 3 ---
+ 1 files changed, 3 deletions(-)
+
+diff --git a/lib/pkcs11h-openssl.c b/lib/pkcs11h-openssl.c
+index dfb00136..78bb7fc1 100644
+--- a/lib/pkcs11h-openssl.c
++++ b/lib/pkcs11h-openssl.c
+@@ -474,9 +474,6 @@ __pkcs11h_openssl_rsa_dec (
+ case RSA_PKCS1_OAEP_PADDING:
+ mech = CKM_RSA_PKCS_OAEP;
+ break;
+- case RSA_SSLV23_PADDING:
+- rv = CKR_MECHANISM_INVALID;
+- break;
+ case RSA_NO_PADDING:
+ mech = CKM_RSA_X_509;
+ break;
diff --git a/SOURCES/pkcs11-helper-rfc7512.patch b/SOURCES/pkcs11-helper-rfc7512.patch
new file mode 100644
index 0000000..59d9955
--- /dev/null
+++ b/SOURCES/pkcs11-helper-rfc7512.patch
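Review bot: With the `RSA_SSLV23_PADDING` arm dropped from the `switch` in `__pkcs11h_openssl_rsa_dec`, a caller that still passes that padding value no longer receives `CKR_MECHANISM_INVALID` from this arm but whatever the switch's `default:` does, and that default, like the rest of the function, lies outside the hunk. If the default does not reject unrecognised padding modes, that is a silent behaviour change for pre-3.0 OpenSSL builds worth a comment at the removal site, e.g. `/* RSA_SSLV23_PADDING no longer exists in OpenSSL 3; unknown padding is handled by default: */`. An alternative that keeps the explicit rejection where the constant is still defined is to wrap the three removed lines in `#ifdef RSA_SSLV23_PADDING` … `#endif` instead of deleting them.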
@@ -0,0 +1,719 @@ +From 14e09211c3d50eb06825090c9765e4382cf52f19 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Sun, 14 Dec 2014 19:42:18 +0000 +Subject: [PATCH 1/3] Stop _pkcs11h_util_hexToBinary() checking for trailing + NUL + +We are going to want to use this for parsing %XX hex escapes in RFC7512 +PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only +one existing caller at the moment, it's simple just to let the caller +have responsibility for that check. + +Signed-off-by: David Woodhouse +--- + lib/pkcs11h-serialization.c | 8 +++++++- + lib/pkcs11h-util.c | 7 +------ + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c +index 74b4ca7..a45a6c5 100644 +--- a/lib/pkcs11h-serialization.c ++++ b/lib/pkcs11h-serialization.c +@@ -368,6 +368,7 @@ pkcs11h_certificate_deserializeCertificateId ( + CK_RV rv = CKR_FUNCTION_FAILED; + char *p = NULL; + char *_sz = NULL; ++ size_t id_hex_len; + + _PKCS11H_ASSERT (p_certificate_id!=NULL); + _PKCS11H_ASSERT (sz!=NULL); +@@ -413,7 +414,12 @@ pkcs11h_certificate_deserializeCertificateId ( + goto cleanup; + } + +- certificate_id->attrCKA_ID_size = strlen (p)/2; ++ id_hex_len = strlen (p); ++ if (id_hex_len & 1) { ++ rv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto cleanup; ++ } ++ certificate_id->attrCKA_ID_size = id_hex_len/2; + + if ( + (rv = _pkcs11h_mem_malloc ( +diff --git a/lib/pkcs11h-util.c b/lib/pkcs11h-util.c +index 7325db4..7dfe9a3 100644 +--- a/lib/pkcs11h-util.c ++++ b/lib/pkcs11h-util.c +@@ -109,12 +109,7 @@ _pkcs11h_util_hexToBinary ( + p++; + } + +- if (*p != '\x0') { +- return CKR_ATTRIBUTE_VALUE_INVALID; +- } +- else { +- return CKR_OK; +- } ++ return CKR_OK; + } + + CK_RV + +From 4d5280da8df591aab701dff4493d13a835a9b29c Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Wed, 10 Dec 2014 14:00:21 +0000 +Subject: [PATCH 2/3] Accept RFC7512-compliant PKCS#11 URIs as serialized + token/certificate IDs + +The old format is 
still accepted for compatibility. + +Signed-off-by: David Woodhouse +--- + lib/pkcs11h-serialization.c | 305 ++++++++++++++++++++++++++++++------ + 1 file changed, 256 insertions(+), 49 deletions(-) + +diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c +index a45a6c5..390ac0e 100644 +--- a/lib/pkcs11h-serialization.c ++++ b/lib/pkcs11h-serialization.c +@@ -60,6 +60,26 @@ + + #if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE) + ++#define URI_SCHEME "pkcs11:" ++ ++#define token_field_ofs(field) ((unsigned long)&(((struct pkcs11h_token_id_s *)0)->field)) ++#define token_field_size(field) sizeof((((struct pkcs11h_token_id_s *)0)->field)) ++#define token_field(name, field) { name "=", sizeof(name), \ ++ token_field_ofs(field), token_field_size(field) } ++ ++static struct { ++ const char const *name; ++ size_t namelen; ++ unsigned long field_ofs; ++ size_t field_size; ++} __token_fields[] = { ++ token_field ("model", model), ++ token_field ("token", label), ++ token_field ("manufacturer", manufacturerID ), ++ token_field ("serial", serialNumber ), ++ { NULL }, ++}; ++ + CK_RV + pkcs11h_token_serializeTokenId ( + OUT char * const sz, +@@ -149,9 +169,147 @@ pkcs11h_token_serializeTokenId ( + return rv; + } + ++static + CK_RV +-pkcs11h_token_deserializeTokenId ( +- OUT pkcs11h_token_id_t *p_token_id, ++__parse_token_uri_attr ( ++ const char *uri, ++ size_t urilen, ++ char *tokstr, ++ size_t toklen, ++ size_t *parsed_len ++) { ++ size_t orig_toklen = toklen; ++ CK_RV rv = CKR_OK; ++ ++ while (urilen && toklen > 1) { ++ if (*uri == '%') { ++ size_t size = 1; ++ ++ if (urilen < 3) { ++ rv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto done; ++ } ++ ++ rv = _pkcs11h_util_hexToBinary ((unsigned char *)tokstr, ++ uri + 1, &size); ++ if (rv != CKR_OK) { ++ goto done; ++ } ++ ++ uri += 2; ++ urilen -= 2; ++ } else { ++ *tokstr = *uri; ++ } ++ tokstr++; ++ uri++; ++ toklen--; ++ urilen--; ++ tokstr[0] = 0; ++ } ++ ++ if (urilen) { ++ rv = 
CKR_ATTRIBUTE_VALUE_INVALID; ++ } else if (parsed_len) { ++ *parsed_len = orig_toklen - toklen; ++ } ++ ++ done: ++ return rv; ++} ++ ++static ++CK_RV ++__parse_pkcs11_uri ( ++ OUT pkcs11h_token_id_t token_id, ++ OUT pkcs11h_certificate_id_t certificate_id, ++ IN const char * const sz ++) { ++ const char *end, *p; ++ CK_RV rv = CKR_OK; ++ ++ _PKCS11H_ASSERT (token_id!=NULL); ++ _PKCS11H_ASSERT (sz!=NULL); ++ ++ if (strncmp (sz, URI_SCHEME, strlen (URI_SCHEME))) ++ return CKR_ATTRIBUTE_VALUE_INVALID; ++ ++ end = sz + strlen (URI_SCHEME) - 1; ++ while (rv == CKR_OK && end[0] && end[1]) { ++ int i; ++ ++ p = end + 1; ++ end = strchr (p, ';'); ++ if (!end) ++ end = p + strlen(p); ++ ++ for (i = 0; __token_fields[i].name; i++) { ++ /* Parse the token=, label=, manufacturer= and serial= fields */ ++ if (!strncmp(p, __token_fields[i].name, __token_fields[i].namelen)) { ++ char *field = ((char *)token_id) + __token_fields[i].field_ofs; ++ ++ p += __token_fields[i].namelen; ++ rv = __parse_token_uri_attr (p, end - p, field, ++ __token_fields[i].field_size, ++ NULL); ++ if (rv != CKR_OK) { ++ goto cleanup; ++ } ++ ++ goto matched; ++ } ++ } ++ if (certificate_id && !strncmp(p, "id=", 3)) { ++ p += 3; ++ ++ rv = _pkcs11h_mem_malloc ((void *)&certificate_id->attrCKA_ID, ++ end - p + 1); ++ if (rv != CKR_OK) { ++ goto cleanup; ++ } ++ ++ rv = __parse_token_uri_attr (p, end - p, ++ (char *)certificate_id->attrCKA_ID, ++ end - p + 1, ++ &certificate_id->attrCKA_ID_size); ++ if (rv != CKR_OK) { ++ goto cleanup; ++ } ++ ++ goto matched; ++ } ++ ++ /* We don't parse object= because the match code doesn't support ++ matching by label. */ ++ ++ /* Failed to parse PKCS#11 URI element. */ ++ return CKR_ATTRIBUTE_VALUE_INVALID; ++ ++ matched: ++ ; ++ } ++cleanup: ++ /* The matching code doesn't support support partial matches; it needs ++ * *all* of manufacturer, model, serial and label attributes to be ++ * defined. 
So reject partial URIs early instead of letting it do the ++ * wrong thing. We can maybe improve this later. */ ++ if (!token_id->model[0] || !token_id->label[0] || ++ !token_id->manufacturerID[0] || !token_id->serialNumber[0]) { ++ return CKR_ATTRIBUTE_VALUE_INVALID; ++ } ++ ++ /* For a certificate ID we need CKA_ID */ ++ if (certificate_id && !certificate_id->attrCKA_ID_size) { ++ return CKR_ATTRIBUTE_VALUE_INVALID; ++ } ++ ++ return rv; ++} ++ ++static ++CK_RV ++__pkcs11h_token_legacy_deserializeTokenId ( ++ OUT pkcs11h_token_id_t token_id, + IN const char * const sz + ) { + #define __PKCS11H_TARGETS_NUMBER 4 +@@ -160,24 +318,11 @@ pkcs11h_token_deserializeTokenId ( + size_t s; + } targets[__PKCS11H_TARGETS_NUMBER]; + +- pkcs11h_token_id_t token_id = NULL; + char *p1 = NULL; + char *_sz = NULL; + int e; + CK_RV rv = CKR_FUNCTION_FAILED; + +- _PKCS11H_ASSERT (p_token_id!=NULL); +- _PKCS11H_ASSERT (sz!=NULL); +- +- _PKCS11H_DEBUG ( +- PKCS11H_LOG_DEBUG2, +- "PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'", +- (void *)p_token_id, +- sz +- ); +- +- *p_token_id = NULL; +- + if ( + (rv = _pkcs11h_mem_strdup ( + (void *)&_sz, +@@ -189,10 +334,6 @@ pkcs11h_token_deserializeTokenId ( + + p1 = _sz; + +- if ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) { +- goto cleanup; +- } +- + targets[0].p = token_id->manufacturerID; + targets[0].s = sizeof (token_id->manufacturerID); + targets[1].p = token_id->model; +@@ -251,6 +392,51 @@ pkcs11h_token_deserializeTokenId ( + p1 = p2+1; + } + ++ rv = CKR_OK; ++ ++cleanup: ++ ++ if (_sz != NULL) { ++ _pkcs11h_mem_free ((void *)&_sz); ++ } ++ ++ return rv; ++#undef __PKCS11H_TARGETS_NUMBER ++} ++ ++CK_RV ++pkcs11h_token_deserializeTokenId ( ++ OUT pkcs11h_token_id_t *p_token_id, ++ IN const char * const sz ++) { ++ pkcs11h_token_id_t token_id = NULL; ++ CK_RV rv = CKR_FUNCTION_FAILED; ++ ++ _PKCS11H_ASSERT (p_token_id!=NULL); ++ _PKCS11H_ASSERT (sz!=NULL); ++ ++ _PKCS11H_DEBUG ( ++ PKCS11H_LOG_DEBUG2, 
++ "PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'", ++ (void *)p_token_id, ++ sz ++ ); ++ ++ *p_token_id = NULL; ++ ++ if ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) { ++ goto cleanup; ++ } ++ ++ if (!strncmp (sz, URI_SCHEME, strlen (URI_SCHEME))) { ++ rv = __parse_pkcs11_uri(token_id, NULL, sz); ++ } else { ++ rv = __pkcs11h_token_legacy_deserializeTokenId(token_id, sz); ++ } ++ if (rv != CKR_OK) { ++ goto cleanup; ++ } ++ + strncpy ( + token_id->display, + token_id->label, +@@ -263,11 +449,6 @@ pkcs11h_token_deserializeTokenId ( + rv = CKR_OK; + + cleanup: +- +- if (_sz != NULL) { +- _pkcs11h_mem_free ((void *)&_sz); +- } +- + if (token_id != NULL) { + pkcs11h_token_freeTokenId (token_id); + } +@@ -280,7 +461,6 @@ pkcs11h_token_deserializeTokenId ( + ); + + return rv; +-#undef __PKCS11H_TARGETS_NUMBER + } + + #endif /* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */ +@@ -359,29 +539,17 @@ pkcs11h_certificate_serializeCertificateId ( + return rv; + } + ++static + CK_RV +-pkcs11h_certificate_deserializeCertificateId ( +- OUT pkcs11h_certificate_id_t * const p_certificate_id, ++__pkcs11h_certificate_legacy_deserializeCertificateId ( ++ OUT pkcs11h_certificate_id_t certificate_id, + IN const char * const sz + ) { +- pkcs11h_certificate_id_t certificate_id = NULL; + CK_RV rv = CKR_FUNCTION_FAILED; + char *p = NULL; + char *_sz = NULL; + size_t id_hex_len; + +- _PKCS11H_ASSERT (p_certificate_id!=NULL); +- _PKCS11H_ASSERT (sz!=NULL); +- +- *p_certificate_id = NULL; +- +- _PKCS11H_DEBUG ( +- PKCS11H_LOG_DEBUG2, +- "PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'", +- (void *)p_certificate_id, +- sz +- ); +- + if ( + (rv = _pkcs11h_mem_strdup ( + (void *)&_sz, +@@ -393,10 +561,6 @@ pkcs11h_certificate_deserializeCertificateId ( + + p = _sz; + +- if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) { +- goto cleanup; +- } +- + if ((p = strrchr (_sz, '/')) == NULL) 
{ + rv = CKR_ATTRIBUTE_VALUE_INVALID; + goto cleanup; +@@ -435,21 +599,64 @@ pkcs11h_certificate_deserializeCertificateId ( + goto cleanup; + } + ++ rv = CKR_OK; ++ ++cleanup: ++ ++ if (_sz != NULL) { ++ _pkcs11h_mem_free ((void *)&_sz); ++ } ++ ++ return rv; ++ ++} ++ ++CK_RV ++pkcs11h_certificate_deserializeCertificateId ( ++ OUT pkcs11h_certificate_id_t * const p_certificate_id, ++ IN const char * const sz ++) { ++ pkcs11h_certificate_id_t certificate_id = NULL; ++ CK_RV rv = CKR_FUNCTION_FAILED; ++ ++ _PKCS11H_ASSERT (p_certificate_id!=NULL); ++ _PKCS11H_ASSERT (sz!=NULL); ++ ++ *p_certificate_id = NULL; ++ ++ _PKCS11H_DEBUG ( ++ PKCS11H_LOG_DEBUG2, ++ "PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'", ++ (void *)p_certificate_id, ++ sz ++ ); ++ ++ if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) { ++ goto cleanup; ++ } ++ if ((rv = _pkcs11h_token_newTokenId (&certificate_id->token_id)) != CKR_OK) { ++ goto cleanup; ++ } ++ ++ if (!strncmp(sz, URI_SCHEME, strlen (URI_SCHEME))) { ++ rv = __parse_pkcs11_uri (certificate_id->token_id, certificate_id, sz); ++ } else { ++ rv = __pkcs11h_certificate_legacy_deserializeCertificateId (certificate_id, sz); ++ } ++ if (rv != CKR_OK) { ++ goto cleanup; ++ } ++ + *p_certificate_id = certificate_id; + certificate_id = NULL; + rv = CKR_OK; + + cleanup: +- + if (certificate_id != NULL) { + pkcs11h_certificate_freeCertificateId (certificate_id); + certificate_id = NULL; + } + +- if (_sz != NULL) { +- _pkcs11h_mem_free ((void *)&_sz); +- } +- + _PKCS11H_DEBUG ( + PKCS11H_LOG_DEBUG2, + "PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=%lu-'%s'", + +From 90590b02085edc3830bdfe0942a46c4e7bf3f1ab Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Thu, 30 Apr 2015 14:58:24 +0100 +Subject: [PATCH 3/3] Serialize to RFC7512-compliant PKCS#11 URIs + +Signed-off-by: David Woodhouse +--- + lib/pkcs11h-serialization.c | 186 
++++++++++++++++++------------------ + 1 file changed, 91 insertions(+), 95 deletions(-) + +diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c +index 390ac0e..0ea1861 100644 +--- a/lib/pkcs11h-serialization.c ++++ b/lib/pkcs11h-serialization.c +@@ -80,29 +80,107 @@ static struct { + { NULL }, + }; + ++#define P11_URL_VERBATIM "abcdefghijklmnopqrstuvwxyz" \ ++ "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \ ++ "0123456789_-." ++ ++static ++int ++__token_attr_escape(char *uri, char *attr, size_t attrlen) ++{ ++ int len = 0, i; ++ ++ for (i = 0; i < attrlen; i++) { ++ if ((attr[i] != '\x0') && strchr(P11_URL_VERBATIM, attr[i])) { ++ if (uri) { ++ *(uri++) = attr[i]; ++ } ++ len++; ++ } else { ++ if (uri) { ++ sprintf(uri, "%%%02x", (unsigned char)attr[i]); ++ uri += 3; ++ } ++ len += 3; ++ } ++ } ++ return len; ++} ++ ++static ++CK_RV ++__generate_pkcs11_uri ( ++ OUT char * const sz, ++ IN OUT size_t *max, ++ IN const pkcs11h_certificate_id_t certificate_id, ++ IN const pkcs11h_token_id_t token_id ++) { ++ size_t _max; ++ char *p = sz; ++ int i; ++ ++ _PKCS11H_ASSERT (max!=NULL); ++ _PKCS11H_ASSERT (token_id!=NULL); ++ ++ _max = strlen(URI_SCHEME); ++ for (i = 0; __token_fields[i].name; i++) { ++ char *field = ((char *)token_id) + __token_fields[i].field_ofs; ++ ++ _max += __token_fields[i].namelen; ++ _max += __token_attr_escape (NULL, field, strlen(field)); ++ _max++; /* For a semicolon or trailing NUL */ ++ } ++ if (certificate_id) { ++ _max += strlen (";id="); ++ _max += __token_attr_escape (NULL, ++ (char *)certificate_id->attrCKA_ID, ++ certificate_id->attrCKA_ID_size); ++ } ++ ++ if (!sz) { ++ *max = _max; ++ return CKR_OK; ++ } ++ ++ if (sz && *max < _max) ++ return CKR_ATTRIBUTE_VALUE_INVALID; ++ ++ p += sprintf(p, URI_SCHEME); ++ for (i = 0; __token_fields[i].name; i++) { ++ char *field = ((char *)token_id) + __token_fields[i].field_ofs; ++ ++ p += sprintf (p, "%s", __token_fields[i].name); ++ p += __token_attr_escape (p, field, strlen(field)); ++ *(p++) 
= ';'; ++ } ++ if (certificate_id) { ++ p += sprintf (p, "id="); ++ p += __token_attr_escape (p, ++ (char *)certificate_id->attrCKA_ID, ++ certificate_id->attrCKA_ID_size); ++ } else { ++ /* Remove the unneeded trailing semicolon */ ++ p--; ++ } ++ *(p++) = 0; ++ ++ *max = _max; ++ ++ return CKR_OK; ++} ++ + CK_RV + pkcs11h_token_serializeTokenId ( + OUT char * const sz, + IN OUT size_t *max, + IN const pkcs11h_token_id_t token_id + ) { +- const char *sources[5]; + CK_RV rv = CKR_FUNCTION_FAILED; +- size_t n; +- int e; + + /*_PKCS11H_ASSERT (sz!=NULL); Not required*/ + _PKCS11H_ASSERT (max!=NULL); + _PKCS11H_ASSERT (token_id!=NULL); + +- { /* Must be after assert */ +- sources[0] = token_id->manufacturerID; +- sources[1] = token_id->model; +- sources[2] = token_id->serialNumber; +- sources[3] = token_id->label; +- sources[4] = NULL; +- } +- + _PKCS11H_DEBUG ( + PKCS11H_LOG_DEBUG2, + "PKCS#11: pkcs11h_token_serializeTokenId entry sz=%p, *max="P_Z", token_id=%p", +@@ -111,51 +189,7 @@ pkcs11h_token_serializeTokenId ( + (void *)token_id + ); + +- n = 0; +- for (e=0;sources[e] != NULL;e++) { +- size_t t; +- if ( +- (rv = _pkcs11h_util_escapeString ( +- NULL, +- sources[e], +- &t, +- __PKCS11H_SERIALIZE_INVALID_CHARS +- )) != CKR_OK +- ) { +- goto cleanup; +- } +- n+=t; +- } +- +- if (sz != NULL) { +- if (*max < n) { +- rv = CKR_ATTRIBUTE_VALUE_INVALID; +- goto cleanup; +- } +- +- n = 0; +- for (e=0;sources[e] != NULL;e++) { +- size_t t = *max-n; +- if ( +- (rv = _pkcs11h_util_escapeString ( +- sz+n, +- sources[e], +- &t, +- __PKCS11H_SERIALIZE_INVALID_CHARS +- )) != CKR_OK +- ) { +- goto cleanup; +- } +- n+=t; +- sz[n-1] = '/'; +- } +- sz[n-1] = '\x0'; +- } +- +- *max = n; +- rv = CKR_OK; +- +-cleanup: ++ rv = __generate_pkcs11_uri(sz, max, NULL, token_id); + + _PKCS11H_DEBUG ( + PKCS11H_LOG_DEBUG2, +@@ -474,9 +508,6 @@ pkcs11h_certificate_serializeCertificateId ( + IN const pkcs11h_certificate_id_t certificate_id + ) { + CK_RV rv = CKR_FUNCTION_FAILED; +- size_t 
saved_max = 0; +- size_t n = 0; +- size_t _max = 0; + + /*_PKCS11H_ASSERT (sz!=NULL); Not required */ + _PKCS11H_ASSERT (max!=NULL); +@@ -490,42 +521,7 @@ pkcs11h_certificate_serializeCertificateId ( + (void *)certificate_id + ); + +- if (sz != NULL) { +- saved_max = n = *max; +- } +- *max = 0; +- +- if ( +- (rv = pkcs11h_token_serializeTokenId ( +- sz, +- &n, +- certificate_id->token_id +- )) != CKR_OK +- ) { +- goto cleanup; +- } +- +- _max = n + certificate_id->attrCKA_ID_size*2 + 1; +- +- if (sz != NULL) { +- if (saved_max < _max) { +- rv = CKR_ATTRIBUTE_VALUE_INVALID; +- goto cleanup; +- } +- +- sz[n-1] = '/'; +- rv = _pkcs11h_util_binaryToHex ( +- sz+n, +- saved_max-n, +- certificate_id->attrCKA_ID, +- certificate_id->attrCKA_ID_size +- ); +- } +- +- *max = _max; +- rv = CKR_OK; +- +-cleanup: ++ rv = __generate_pkcs11_uri(sz, max, certificate_id, certificate_id->token_id); + + _PKCS11H_DEBUG ( + PKCS11H_LOG_DEBUG2, diff --git a/SPECS/pkcs11-helper.spec b/SPECS/pkcs11-helper.spec new file mode 100644 index 0000000..0517c55 --- /dev/null +++ b/SPECS/pkcs11-helper.spec 
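Review bot: In `__parse_pkcs11_uri` the `id=` branch calls `_pkcs11h_mem_malloc` on `certificate_id->attrCKA_ID` every time the element matches, so a URI that repeats `id=` leaks the first buffer and silently keeps only the last value unless `_pkcs11h_mem_malloc` releases a non-NULL target; a guard before the allocation such as `if (certificate_id->attrCKA_ID != NULL) { rv = CKR_ATTRIBUTE_VALUE_INVALID; goto cleanup; }` would make duplicates an error instead. The `token_field_ofs` macro derives member offsets by dereferencing a null pointer, which `offsetof(struct pkcs11h_token_id_s, field)` from `<stddef.h>` does without undefined behaviour (the file's include list is outside the hunk, so `<stddef.h>` may need adding). In the `__token_fields` declaration `const char const *name` repeats the qualifier and is presumably meant as `const char *const name`, and the loop comment naming `label=` does not match the table, which parses `model=`, `token=`, `manufacturer=` and `serial=`. In `__token_attr_escape` the `int i` counter is compared against the `size_t attrlen` parameter; declaring `size_t i` removes the signed/unsigned comparison.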
@@ -0,0 +1,205 @@ +Name: pkcs11-helper +Version: 1.27.0 +Release: 6%{?dist} +Summary: A library for using PKCS#11 providers + +License: GPLv2 or BSD +URL: http://www.opensc-project.org/opensc/wiki/pkcs11-helper +Source0: https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-1.27/pkcs11-helper-%{version}.tar.bz2 +# https://github.com/OpenSC/pkcs11-helper/pull/4 +Patch2: pkcs11-helper-rfc7512.patch +# https://github.com/OpenSC/pkcs11-helper/commit/086d551251cebb67cd74ab2e735427969bbf215f +Patch3: pkcs11-helper-openssl3.patch + +BuildRequires: make +BuildRequires: gcc +BuildRequires: doxygen graphviz +BuildRequires: openssl-devel + +%description +pkcs11-helper is a library that simplifies the interaction with PKCS#11 +providers for end-user applications using a simple API and optional OpenSSL +engine. The library allows using multiple PKCS#11 providers at the same time, +enumerating available token certificates, or selecting a certificate directly +by serialized id, handling card removal and card insert events, handling card +re-insert to a different slot, supporting session expiration and much more all +using a simple API. + +%package devel +Summary: Development files for pkcs11-helper +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: openssl-devel +# for /usr/share/aclocal +Requires: automake + +%description devel +This package contains header files and documentation necessary for developing +programs using the pkcs11-helper library. 
+ + +%prep +%autosetup -p1 + +%build +%configure --disable-static --enable-doc +%make_build + + +%install +%make_install + +# Use %%doc to install documentation in a standard location +mkdir apidocdir +mv $RPM_BUILD_ROOT%{_datadir}/doc/%{name}/api/ apidocdir/ +rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/%{name}/ + +# Remove libtool .la files +rm -f $RPM_BUILD_ROOT%{_libdir}/*.la + + +%ldconfig_scriptlets + + +%files +%license COPYING* +%doc AUTHORS ChangeLog README THANKS +%{_libdir}/libpkcs11-helper.so.1* + + +%files devel +%doc apidocdir/* +%{_includedir}/pkcs11-helper-1.0/ +%{_libdir}/libpkcs11-helper.so +%{_libdir}/pkgconfig/libpkcs11-helper-1.pc +%{_datadir}/aclocal/pkcs11-helper-1.m4 +%{_mandir}/man8/pkcs11-helper-1.8* + + +%changelog +* Mon Jul 17 2023 Arkady L. Shane - 1.27.0-6 +- Rebuilt for MSVSphere 9.2 + +* Mon Oct 04 2021 Neal Gompa - 1.27.0-6 +- Backport fix for OpenSSL 3.0 support + +* Tue Sep 14 2021 Sahana Prasad - 1.27.0-5 +- Rebuilt with OpenSSL 3.0.0 + +* Tue Jul 27 2021 Fedora Release Engineering - 1.27.0-4 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jan 27 2021 Fedora Release Engineering - 1.27.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Dec 18 2020 Kalev Lember - 1.27.0-2 +- Update pkcs11-helper-rfc7512.patch from + https://github.com/OpenSC/pkcs11-helper/pull/4 (#1849259) + +* Fri Nov 20 2020 Kalev Lember - 1.27.0-1 +- Update to 1.27.0 +- Use make_build and make_install macros +- Tighten soname globs +- Use license macro for COPYING* +- Tighten requires with _isa macro + +* Tue Jul 28 2020 Fedora Release Engineering - 1.22-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Fri Apr 24 2020 David Woodhouse - 1.22-10 +- Fix serialisation of attributes with NUL bytes in (#1825496) + +* Thu Jan 30 2020 Fedora Release Engineering - 1.22-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jul 26 2019 Fedora 
Release Engineering - 1.22-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sat Feb 02 2019 Fedora Release Engineering - 1.22-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 1.22-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Feb 09 2018 Fedora Release Engineering - 1.22-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Nov 24 2017 Nikos Mavrogiannopoulos - 1.22-4 +- Addressed issue with RFC7512 URI parsing (#1516474) + +* Thu Aug 03 2017 Fedora Release Engineering - 1.22-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.22-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Feb 21 2017 Nikos Mavrogiannopoulos - 1.22-1 +- New upstream release + +* Sat Feb 11 2017 Fedora Release Engineering - 1.11-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 1.11-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Sep 22 2015 David Woodhouse - 1.11-7 +- Fix ID buffer size for URI parsing (#1264645) + +* Thu Jun 18 2015 Fedora Release Engineering - 1.11-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Apr 29 2015 David Woodhouse - 1.11-5 +- Migrate ID serialisation format to RFC7512 (#1173554) + +* Tue Dec 09 2014 David Woodhouse - 1.11-4 +- Apply upstream fix for bug #1172237 (ignore objects without CKA_ID) + +* Sun Aug 17 2014 Fedora Release Engineering - 1.11-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 1.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Apr 11 2014 Jon Ciesla - 1.11-1 +- Latest upstream, required for openvpn 2.3.3. 
+ +* Sun Aug 04 2013 Fedora Release Engineering - 1.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Apr 02 2013 Kalev Lember - 1.10-1 +- Update to 1.10 + +* Thu Feb 14 2013 Fedora Release Engineering - 1.09-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sat Jul 21 2012 Fedora Release Engineering - 1.09-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sat Jan 14 2012 Fedora Release Engineering - 1.09-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Aug 17 2011 Kalev Lember - 1.09-1 +- Update to 1.09 + +* Sun Jun 19 2011 Kalev Lember - 1.08-1 +- Update to 1.08 +- Clean up the spec file for modern rpmbuild + +* Wed Feb 09 2011 Fedora Release Engineering - 1.07-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Jul 01 2010 Kalev Lember - 1.07-5 +- use System Environment/Libraries group for main package +- removed R: pkgconfig from devel subpackage + +* Fri Aug 21 2009 Tomas Mraz - 1.07-4 +- rebuilt with new openssl + +* Sun Jul 26 2009 Fedora Release Engineering - 1.07-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat Jul 11 2009 Kalev Lember - 1.07-2 +- Make devel package depend on automake for /usr/share/aclocal + +* Tue Jun 23 2009 Kalev Lember - 1.07-1 +- Initial RPM release.
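Review bot: The two newest `%changelog` entries both record `1.27.0-6` while `Release:` stays at `6%{?dist}`, so the MSVSphere rebuild is indistinguishable by NVR from the earlier build of the same spec and rpmlint will report the repeated version; either bump to `Release: 7%{?dist}` with a matching changelog line, or drop the extra entry if the rebuild is intended to keep the NVR unchanged. The comment above `Patch2` points at a pull request rather than a merged upstream commit, so a short note that this is a downstream-carried patch (e.g. `# downstream-carried RFC 7512 URI support; see the PR above`) would tell the next maintainer not to expect it to disappear with the next tarball. Whether the PR has since been merged cannot be told from the spec itself.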