Compare commits
2 Commits
Author | SHA1 | Date |
---|---|---|
Daiki Ueno | fe882bfebd | |
Daiki Ueno | 6b026bec25 |
|
@ -0,0 +1,295 @@
|
|||
From dbadd5da6ccbb17ec5c4bbb142fdc244b4903bfb Mon Sep 17 00:00:00 2001
|
||||
From: Kai Engert <kaie@kuix.de>
|
||||
Date: Thu, 2 Feb 2017 16:01:01 +0100
|
||||
Subject: [PATCH] Support loading new NSS attribute CKA_NSS_MOZILLA_CA_POLICY
|
||||
from .p11-kit files. See also NSS bug
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=1334976 and p11-kit bug
|
||||
https://bugs.freedesktop.org/show_bug.cgi?id=99453
|
||||
|
||||
---
|
||||
common/constants.c | 1 +
|
||||
common/pkcs11x.h | 1 +
|
||||
trust/builder.c | 1 +
|
||||
trust/persist.c | 1 +
|
||||
4 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/common/constants.c b/common/constants.c
|
||||
index f4aa66b..2d2ca21 100644
|
||||
--- a/common/constants.c
|
||||
+++ b/common/constants.c
|
||||
@@ -154,6 +154,7 @@ const p11_constant p11_constant_types[] = {
|
||||
CT (CKA_NSS_PQG_H, "nss-pqg-h")
|
||||
CT (CKA_NSS_PQG_SEED_BITS, "nss-pqg-seed-bits")
|
||||
CT (CKA_NSS_MODULE_SPEC, "nss-module-spec")
|
||||
+ CT (CKA_NSS_MOZILLA_CA_POLICY, "nss-mozilla-ca-policy")
|
||||
CT (CKA_TRUST_DIGITAL_SIGNATURE, "trust-digital-signature")
|
||||
CT (CKA_TRUST_NON_REPUDIATION, "trust-non-repudiation")
|
||||
CT (CKA_TRUST_KEY_ENCIPHERMENT, "trust-key-encipherment")
|
||||
diff --git a/common/pkcs11x.h b/common/pkcs11x.h
|
||||
index 4a89f73..d5e1d74 100644
|
||||
--- a/common/pkcs11x.h
|
||||
+++ b/common/pkcs11x.h
|
||||
@@ -74,6 +74,7 @@ extern "C" {
|
||||
#define CKA_NSS_PQG_H 0xce534366UL
|
||||
#define CKA_NSS_PQG_SEED_BITS 0xce534367UL
|
||||
#define CKA_NSS_MODULE_SPEC 0xce534368UL
|
||||
+#define CKA_NSS_MOZILLA_CA_POLICY 0xce534372UL
|
||||
|
||||
/* NSS trust attributes */
|
||||
#define CKA_TRUST_DIGITAL_SIGNATURE 0xce536351UL
|
||||
diff --git a/trust/builder.c b/trust/builder.c
|
||||
index e0ce370..5b20c79 100644
|
||||
--- a/trust/builder.c
|
||||
+++ b/trust/builder.c
|
||||
@@ -792,6 +792,7 @@ const static builder_schema certificate_schema = {
|
||||
{ CKA_CERTIFICATE_TYPE, REQUIRE | CREATE, type_ulong },
|
||||
{ CKA_TRUSTED, CREATE | WANT, type_bool },
|
||||
{ CKA_X_DISTRUSTED, CREATE | WANT, type_bool },
|
||||
+ { CKA_NSS_MOZILLA_CA_POLICY, CREATE | WANT, type_bool },
|
||||
{ CKA_CERTIFICATE_CATEGORY, CREATE | WANT, type_ulong },
|
||||
{ CKA_CHECK_VALUE, CREATE | WANT, },
|
||||
{ CKA_START_DATE, CREATE | MODIFY | WANT, type_date },
|
||||
diff --git a/trust/persist.c b/trust/persist.c
|
||||
index de827a6..63a531e 100644
|
||||
--- a/trust/persist.c
|
||||
+++ b/trust/persist.c
|
||||
@@ -200,6 +200,7 @@ format_bool (CK_ATTRIBUTE *attr,
|
||||
case CKA_HAS_RESET:
|
||||
case CKA_COLOR:
|
||||
case CKA_X_DISTRUSTED:
|
||||
+ case CKA_NSS_MOZILLA_CA_POLICY:
|
||||
break;
|
||||
default:
|
||||
return false;
|
||||
--
|
||||
2.9.3
|
||||
|
||||
From 8eed1e60b0921d05872e2f43eee9088cef038d7e Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Fri, 17 Feb 2017 16:18:21 +0100
|
||||
Subject: [PATCH] trust: Honor "modifiable" setting in persist file
|
||||
|
||||
Previously, all objects read from p11-kit persist files are marked as
|
||||
modifiable when parsing, regardless of the explicit "modifiable: false"
|
||||
setting in the file.
|
||||
|
||||
Reported by Kai Engert in:
|
||||
https://bugs.freedesktop.org/show_bug.cgi?id=99797
|
||||
---
|
||||
trust/input/verisign-v1.p11-kit | 1 +
|
||||
trust/parser.c | 10 +++++++++-
|
||||
trust/test-parser.c | 1 +
|
||||
3 files changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/trust/input/verisign-v1.p11-kit b/trust/input/verisign-v1.p11-kit
|
||||
index eaa080d..aea49ea 100644
|
||||
--- a/trust/input/verisign-v1.p11-kit
|
||||
+++ b/trust/input/verisign-v1.p11-kit
|
||||
@@ -1,5 +1,6 @@
|
||||
[p11-kit-object-v1]
|
||||
trusted: true
|
||||
+modifiable: false
|
||||
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG
|
||||
diff --git a/trust/parser.c b/trust/parser.c
|
||||
index 41513d4..52d1128 100644
|
||||
--- a/trust/parser.c
|
||||
+++ b/trust/parser.c
|
||||
@@ -610,6 +610,7 @@ p11_parser_format_persist (p11_parser *parser,
|
||||
{
|
||||
CK_BBOOL modifiablev = CK_TRUE;
|
||||
CK_ATTRIBUTE *attrs;
|
||||
+ CK_ATTRIBUTE *attr;
|
||||
p11_array *objects;
|
||||
bool ret;
|
||||
int i;
|
||||
@@ -630,7 +631,14 @@ p11_parser_format_persist (p11_parser *parser,
|
||||
ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
|
||||
if (ret) {
|
||||
for (i = 0; i < objects->num; i++) {
|
||||
- attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
|
||||
+ /* By default, we mark objects read from a persist
|
||||
+ * file as modifiable, as the persist format is
|
||||
+ * writable. However, if CKA_MODIFIABLE is explictly
|
||||
+ * set in the file, respect the setting. */
|
||||
+ attrs = objects->elem[i];
|
||||
+ attr = p11_attrs_find_valid (objects->elem[i], CKA_MODIFIABLE);
|
||||
+ if (!attr)
|
||||
+ attrs = p11_attrs_build (attrs, &modifiable, NULL);
|
||||
sink_object (parser, attrs);
|
||||
}
|
||||
}
|
||||
diff --git a/trust/test-parser.c b/trust/test-parser.c
|
||||
index b5c2525..088cff9 100644
|
||||
--- a/trust/test-parser.c
|
||||
+++ b/trust/test-parser.c
|
||||
@@ -168,6 +168,7 @@ test_parse_p11_kit_persist (void)
|
||||
{ CKA_CLASS, &certificate, sizeof (certificate) },
|
||||
{ CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) },
|
||||
{ CKA_TRUSTED, &truev, sizeof (truev) },
|
||||
+ { CKA_MODIFIABLE, &falsev, sizeof (falsev) },
|
||||
{ CKA_X_DISTRUSTED, &falsev, sizeof (falsev) },
|
||||
{ CKA_INVALID },
|
||||
};
|
||||
--
|
||||
2.9.3
|
||||
|
||||
From acf8c4a91a76bf8049f6bfbd95b04e2e36bae4ea Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Thu, 18 May 2017 10:45:26 +0200
|
||||
Subject: [PATCH 1/2] Revert "trust: Honor "modifiable" setting in persist
|
||||
file"
|
||||
|
||||
This reverts commit 8eed1e60b0921d05872e2f43eee9088cef038d7e, which
|
||||
broke "trust anchor --remove".
|
||||
---
|
||||
trust/input/verisign-v1.p11-kit | 1 -
|
||||
trust/parser.c | 10 +---------
|
||||
trust/test-parser.c | 1 -
|
||||
3 files changed, 1 insertion(+), 11 deletions(-)
|
||||
|
||||
diff --git a/trust/input/verisign-v1.p11-kit b/trust/input/verisign-v1.p11-kit
|
||||
index aea49ea..eaa080d 100644
|
||||
--- a/trust/input/verisign-v1.p11-kit
|
||||
+++ b/trust/input/verisign-v1.p11-kit
|
||||
@@ -1,6 +1,5 @@
|
||||
[p11-kit-object-v1]
|
||||
trusted: true
|
||||
-modifiable: false
|
||||
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG
|
||||
diff --git a/trust/parser.c b/trust/parser.c
|
||||
index 52d1128..41513d4 100644
|
||||
--- a/trust/parser.c
|
||||
+++ b/trust/parser.c
|
||||
@@ -610,7 +610,6 @@ p11_parser_format_persist (p11_parser *parser,
|
||||
{
|
||||
CK_BBOOL modifiablev = CK_TRUE;
|
||||
CK_ATTRIBUTE *attrs;
|
||||
- CK_ATTRIBUTE *attr;
|
||||
p11_array *objects;
|
||||
bool ret;
|
||||
int i;
|
||||
@@ -631,14 +630,7 @@ p11_parser_format_persist (p11_parser *parser,
|
||||
ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
|
||||
if (ret) {
|
||||
for (i = 0; i < objects->num; i++) {
|
||||
- /* By default, we mark objects read from a persist
|
||||
- * file as modifiable, as the persist format is
|
||||
- * writable. However, if CKA_MODIFIABLE is explictly
|
||||
- * set in the file, respect the setting. */
|
||||
- attrs = objects->elem[i];
|
||||
- attr = p11_attrs_find_valid (objects->elem[i], CKA_MODIFIABLE);
|
||||
- if (!attr)
|
||||
- attrs = p11_attrs_build (attrs, &modifiable, NULL);
|
||||
+ attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
|
||||
sink_object (parser, attrs);
|
||||
}
|
||||
}
|
||||
diff --git a/trust/test-parser.c b/trust/test-parser.c
|
||||
index 088cff9..b5c2525 100644
|
||||
--- a/trust/test-parser.c
|
||||
+++ b/trust/test-parser.c
|
||||
@@ -168,7 +168,6 @@ test_parse_p11_kit_persist (void)
|
||||
{ CKA_CLASS, &certificate, sizeof (certificate) },
|
||||
{ CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) },
|
||||
{ CKA_TRUSTED, &truev, sizeof (truev) },
|
||||
- { CKA_MODIFIABLE, &falsev, sizeof (falsev) },
|
||||
{ CKA_X_DISTRUSTED, &falsev, sizeof (falsev) },
|
||||
{ CKA_INVALID },
|
||||
};
|
||||
--
|
||||
2.9.4
|
||||
|
||||
|
||||
From 66c6a7e912d39d66cd4cc91375ac7be418bf7176 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Thu, 18 May 2017 11:11:45 +0200
|
||||
Subject: [PATCH 2/2] trust: Check magic comment in persist file for
|
||||
modifiablity
|
||||
|
||||
A persistent file written by the trust module starts with the line "#
|
||||
This file has been auto-generated and written by p11-kit". This can
|
||||
be used as a magic word to determine whether the objects read from a
|
||||
.p11-kit file are read-only.
|
||||
---
|
||||
trust/parser.c | 6 +++++-
|
||||
trust/persist.c | 9 ++++++++-
|
||||
trust/test-token.c | 1 +
|
||||
3 files changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/trust/parser.c b/trust/parser.c
|
||||
index 41513d4..abe86fc 100644
|
||||
--- a/trust/parser.c
|
||||
+++ b/trust/parser.c
|
||||
@@ -49,6 +49,7 @@
|
||||
#include "pem.h"
|
||||
#include "pkcs11x.h"
|
||||
#include "persist.h"
|
||||
+#include "types.h"
|
||||
#include "x509.h"
|
||||
|
||||
#include <libtasn1.h>
|
||||
@@ -630,7 +631,10 @@ p11_parser_format_persist (p11_parser *parser,
|
||||
ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
|
||||
if (ret) {
|
||||
for (i = 0; i < objects->num; i++) {
|
||||
- attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
|
||||
+ CK_BBOOL generatedv;
|
||||
+ attrs = objects->elem[i];
|
||||
+ if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv)
|
||||
+ attrs = p11_attrs_build (attrs, &modifiable, NULL);
|
||||
sink_object (parser, attrs);
|
||||
}
|
||||
}
|
||||
diff --git a/trust/persist.c b/trust/persist.c
|
||||
index 63a531e..928260e 100644
|
||||
--- a/trust/persist.c
|
||||
+++ b/trust/persist.c
|
||||
@@ -631,6 +631,9 @@ p11_persist_read (p11_persist *persist,
|
||||
CK_ATTRIBUTE *attrs;
|
||||
bool failed;
|
||||
bool skip;
|
||||
+ CK_BBOOL generatedv = CK_FALSE;
|
||||
+ CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
|
||||
+ static const char comment[] = "# This file has been auto-generated and written by p11-kit.";
|
||||
|
||||
return_val_if_fail (persist != NULL, false);
|
||||
return_val_if_fail (objects != NULL, false);
|
||||
@@ -639,6 +642,10 @@ p11_persist_read (p11_persist *persist,
|
||||
attrs = NULL;
|
||||
failed = false;
|
||||
|
||||
+ if (length >= sizeof (comment) - 1 &&
|
||||
+ memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0)
|
||||
+ generatedv = CK_TRUE;
|
||||
+
|
||||
p11_lexer_init (&lexer, filename, (const char *)data, length);
|
||||
while (p11_lexer_next (&lexer, &failed)) {
|
||||
switch (lexer.tok_type) {
|
||||
@@ -650,7 +657,7 @@ p11_persist_read (p11_persist *persist,
|
||||
p11_lexer_msg (&lexer, "unrecognized or invalid section header");
|
||||
skip = true;
|
||||
} else {
|
||||
- attrs = p11_attrs_build (NULL, NULL);
|
||||
+ attrs = p11_attrs_build (NULL, &generated, NULL);
|
||||
return_val_if_fail (attrs != NULL, false);
|
||||
skip = false;
|
||||
}
|
||||
diff --git a/trust/test-token.c b/trust/test-token.c
|
||||
index ad22fcb..3e7d735 100644
|
||||
--- a/trust/test-token.c
|
||||
+++ b/trust/test-token.c
|
||||
@@ -610,6 +610,7 @@ static void
|
||||
test_modify_multiple (void)
|
||||
{
|
||||
const char *test_data =
|
||||
+ "# This file has been auto-generated and written by p11-kit.\n"
|
||||
"[p11-kit-object-v1]\n"
|
||||
"class: data\n"
|
||||
"label: \"first\"\n"
|
||||
--
|
||||
2.9.4
|
||||
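Review bot: In the last patch of this file (PATCH 2/2), `p11_persist_read` decides whether objects become modifiable with a bare prefix `memcmp` against a string literal, and `trust/test-token.c` repeats that literal verbatim instead of sharing it with the code that writes the header. If the writer's wording ever drifts from the reader's copy, files written by the module would load as read-only with no error, which looks like the same "trust anchor --remove" breakage that the preceding revert addresses. A single constant declared in `persist.h` and used by the writer, the reader and the test would prevent that. The check also accepts any first line that merely begins with the sentence, because it never verifies that the next byte is a newline or the end of the data. A comment above the check should say that the marker only separates hand-written from module-written files and is not an access control: presumably anyone who can write a `.p11-kit` file can add the line, so file permissions on the trust store remain the real boundary.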
|
12
p11-kit.spec
12
p11-kit.spec
|
@ -1,12 +1,13 @@
|
|||
Name: p11-kit
|
||||
Version: 0.23.2
|
||||
Release: 2%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Library for loading and sharing PKCS#11 modules
|
||||
|
||||
License: BSD
|
||||
URL: http://p11-glue.freedesktop.org/p11-kit.html
|
||||
Source0: http://p11-glue.freedesktop.org/releases/p11-kit-%{version}.tar.gz
|
||||
Source1: trust-extract-compat
|
||||
Patch0: p11-kit-mozilla-ca-policy.patch
|
||||
|
||||
BuildRequires: libtasn1-devel >= 2.3
|
||||
BuildRequires: nss-softokn-freebl
|
||||
|
@ -51,6 +52,9 @@ contains certificate anchors and black lists.
|
|||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1 -b .mozilla-ca-policy
|
||||
# Remove backup so not to confuse the trust module when testing
|
||||
rm -f trust/input/*.mozilla-ca-policy
|
||||
|
||||
%build
|
||||
# These paths are the source paths that come from the plan here:
|
||||
|
@ -119,6 +123,12 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue May 23 2017 Daiki Ueno <dueno@redhat.com> - 0.23.2-4
|
||||
- Make "trust anchor --remove" work again
|
||||
|
||||
* Fri Mar 31 2017 Daiki Ueno <dueno@redhat.com> - 0.23.2-3
|
||||
- Backport patch to recognize CKA_NSS_MOZILLA_CA_POLICY
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
|
|