rpms
/
p11-kit
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:f37-riscv64
rpms:f37
rpms:main
rpms:f36
rpms:f35
rpms:f32
rpms:f33
rpms:f34
rpms:f31
rpms:f30
rpms:f29
rpms:f28
rpms:f27
rpms:f26
rpms:f25
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:f20-gnome-3-12
rpms:f19
rpms:f18
rpms:f17
rpms:f16
...
pull from: rpms:f24
Branches Tags
rpms:f37-riscv64
rpms:f37
rpms:main
rpms:rawhide
rpms:f36
rpms:f35
rpms:f32
rpms:f33
rpms:f34
rpms:f31
rpms:f30
rpms:f29
rpms:f28
rpms:f27
rpms:f26
rpms:f25
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:f20-gnome-3-12
rpms:f19
rpms:f18
rpms:f17
rpms:f16

2 Commits
rawhide ... f24

Author SHA1 Message Date
Daiki Ueno fe882bfebd Make "trust anchor --remove" work again 2017-05-23 15:52:43 +02:00
Daiki Ueno 6b026bec25 Backport CKA_NSS_MOZILLA_CA_POLICY patch 2017-04-03 10:34:59 +02:00
2 changed files with 306 additions and 1 deletions
Show Stats Expand all files Collapse all files

295
p11-kit-mozilla-ca-policy.patch Normal file
View File

@ -0,0 +1,295 @@
From dbadd5da6ccbb17ec5c4bbb142fdc244b4903bfb Mon Sep 17 00:00:00 2001
From: Kai Engert <kaie@kuix.de>
Date: Thu, 2 Feb 2017 16:01:01 +0100
Subject: [PATCH] Support loading new NSS attribute CKA_NSS_MOZILLA_CA_POLICY
from .p11-kit files. See also NSS bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1334976 and p11-kit bug
https://bugs.freedesktop.org/show_bug.cgi?id=99453
---
common/constants.c | 1 +
common/pkcs11x.h | 1 +
trust/builder.c | 1 +
trust/persist.c | 1 +
4 files changed, 4 insertions(+)
diff --git a/common/constants.c b/common/constants.c
index f4aa66b..2d2ca21 100644
--- a/common/constants.c
+++ b/common/constants.c
@@ -154,6 +154,7 @@ const p11_constant p11_constant_types[] = {
CT (CKA_NSS_PQG_H, "nss-pqg-h")
CT (CKA_NSS_PQG_SEED_BITS, "nss-pqg-seed-bits")
CT (CKA_NSS_MODULE_SPEC, "nss-module-spec")
+ CT (CKA_NSS_MOZILLA_CA_POLICY, "nss-mozilla-ca-policy")
CT (CKA_TRUST_DIGITAL_SIGNATURE, "trust-digital-signature")
CT (CKA_TRUST_NON_REPUDIATION, "trust-non-repudiation")
CT (CKA_TRUST_KEY_ENCIPHERMENT, "trust-key-encipherment")
diff --git a/common/pkcs11x.h b/common/pkcs11x.h
index 4a89f73..d5e1d74 100644
--- a/common/pkcs11x.h
+++ b/common/pkcs11x.h
@@ -74,6 +74,7 @@ extern "C" {
#define CKA_NSS_PQG_H 0xce534366UL
#define CKA_NSS_PQG_SEED_BITS 0xce534367UL
#define CKA_NSS_MODULE_SPEC 0xce534368UL
+#define CKA_NSS_MOZILLA_CA_POLICY 0xce534372UL
/* NSS trust attributes */
#define CKA_TRUST_DIGITAL_SIGNATURE 0xce536351UL
diff --git a/trust/builder.c b/trust/builder.c
index e0ce370..5b20c79 100644
--- a/trust/builder.c
+++ b/trust/builder.c
@@ -792,6 +792,7 @@ const static builder_schema certificate_schema = {
{ CKA_CERTIFICATE_TYPE, REQUIRE | CREATE, type_ulong },
{ CKA_TRUSTED, CREATE | WANT, type_bool },
{ CKA_X_DISTRUSTED, CREATE | WANT, type_bool },
+ { CKA_NSS_MOZILLA_CA_POLICY, CREATE | WANT, type_bool },
{ CKA_CERTIFICATE_CATEGORY, CREATE | WANT, type_ulong },
{ CKA_CHECK_VALUE, CREATE | WANT, },
{ CKA_START_DATE, CREATE | MODIFY | WANT, type_date },
diff --git a/trust/persist.c b/trust/persist.c
index de827a6..63a531e 100644
--- a/trust/persist.c
+++ b/trust/persist.c
@@ -200,6 +200,7 @@ format_bool (CK_ATTRIBUTE *attr,
case CKA_HAS_RESET:
case CKA_COLOR:
case CKA_X_DISTRUSTED:
+ case CKA_NSS_MOZILLA_CA_POLICY:
break;
default:
return false;
--
2.9.3
From 8eed1e60b0921d05872e2f43eee9088cef038d7e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 17 Feb 2017 16:18:21 +0100
Subject: [PATCH] trust: Honor "modifiable" setting in persist file
Previously, all objects read from p11-kit persist files are marked as
modifiable when parsing, regardless of the explicit "modifiable: false"
setting in the file.
Reported by Kai Engert in:
https://bugs.freedesktop.org/show_bug.cgi?id=99797
---
trust/input/verisign-v1.p11-kit | 1 +
trust/parser.c | 10 +++++++++-
trust/test-parser.c | 1 +
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/trust/input/verisign-v1.p11-kit b/trust/input/verisign-v1.p11-kit
index eaa080d..aea49ea 100644
--- a/trust/input/verisign-v1.p11-kit
+++ b/trust/input/verisign-v1.p11-kit
@@ -1,5 +1,6 @@
[p11-kit-object-v1]
trusted: true
+modifiable: false
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG
diff --git a/trust/parser.c b/trust/parser.c
index 41513d4..52d1128 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -610,6 +610,7 @@ p11_parser_format_persist (p11_parser *parser,
{
CK_BBOOL modifiablev = CK_TRUE;
CK_ATTRIBUTE *attrs;
+ CK_ATTRIBUTE *attr;
p11_array *objects;
bool ret;
int i;
@@ -630,7 +631,14 @@ p11_parser_format_persist (p11_parser *parser,
ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
if (ret) {
for (i = 0; i < objects->num; i++) {
- attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
+ /* By default, we mark objects read from a persist
+ * file as modifiable, as the persist format is
+ * writable. However, if CKA_MODIFIABLE is explictly
+ * set in the file, respect the setting. */
+ attrs = objects->elem[i];
+ attr = p11_attrs_find_valid (objects->elem[i], CKA_MODIFIABLE);
+ if (!attr)
+ attrs = p11_attrs_build (attrs, &modifiable, NULL);
sink_object (parser, attrs);
}
}
diff --git a/trust/test-parser.c b/trust/test-parser.c
index b5c2525..088cff9 100644
--- a/trust/test-parser.c
+++ b/trust/test-parser.c
@@ -168,6 +168,7 @@ test_parse_p11_kit_persist (void)
{ CKA_CLASS, &certificate, sizeof (certificate) },
{ CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) },
{ CKA_TRUSTED, &truev, sizeof (truev) },
+ { CKA_MODIFIABLE, &falsev, sizeof (falsev) },
{ CKA_X_DISTRUSTED, &falsev, sizeof (falsev) },
{ CKA_INVALID },
};
--
2.9.3
From acf8c4a91a76bf8049f6bfbd95b04e2e36bae4ea Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 18 May 2017 10:45:26 +0200
Subject: [PATCH 1/2] Revert "trust: Honor "modifiable" setting in persist
file"
This reverts commit 8eed1e60b0921d05872e2f43eee9088cef038d7e, which
broke "trust anchor --remove".
---
trust/input/verisign-v1.p11-kit | 1 -
trust/parser.c | 10 +---------
trust/test-parser.c | 1 -
3 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/trust/input/verisign-v1.p11-kit b/trust/input/verisign-v1.p11-kit
index aea49ea..eaa080d 100644
--- a/trust/input/verisign-v1.p11-kit
+++ b/trust/input/verisign-v1.p11-kit
@@ -1,6 +1,5 @@
[p11-kit-object-v1]
trusted: true
-modifiable: false
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG
diff --git a/trust/parser.c b/trust/parser.c
index 52d1128..41513d4 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -610,7 +610,6 @@ p11_parser_format_persist (p11_parser *parser,
{
CK_BBOOL modifiablev = CK_TRUE;
CK_ATTRIBUTE *attrs;
- CK_ATTRIBUTE *attr;
p11_array *objects;
bool ret;
int i;
@@ -631,14 +630,7 @@ p11_parser_format_persist (p11_parser *parser,
ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
if (ret) {
for (i = 0; i < objects->num; i++) {
- /* By default, we mark objects read from a persist
- * file as modifiable, as the persist format is
- * writable. However, if CKA_MODIFIABLE is explictly
- * set in the file, respect the setting. */
- attrs = objects->elem[i];
- attr = p11_attrs_find_valid (objects->elem[i], CKA_MODIFIABLE);
- if (!attr)
- attrs = p11_attrs_build (attrs, &modifiable, NULL);
+ attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
sink_object (parser, attrs);
}
}
diff --git a/trust/test-parser.c b/trust/test-parser.c
index 088cff9..b5c2525 100644
--- a/trust/test-parser.c
+++ b/trust/test-parser.c
@@ -168,7 +168,6 @@ test_parse_p11_kit_persist (void)
{ CKA_CLASS, &certificate, sizeof (certificate) },
{ CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) },
{ CKA_TRUSTED, &truev, sizeof (truev) },
- { CKA_MODIFIABLE, &falsev, sizeof (falsev) },
{ CKA_X_DISTRUSTED, &falsev, sizeof (falsev) },
{ CKA_INVALID },
};
--
2.9.4
From 66c6a7e912d39d66cd4cc91375ac7be418bf7176 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 18 May 2017 11:11:45 +0200
Subject: [PATCH 2/2] trust: Check magic comment in persist file for
modifiablity
A persistent file written by the trust module starts with the line "#
This file has been auto-generated and written by p11-kit". This can
be used as a magic word to determine whether the objects read from a
.p11-kit file are read-only.
---
trust/parser.c | 6 +++++-
trust/persist.c | 9 ++++++++-
trust/test-token.c | 1 +
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/trust/parser.c b/trust/parser.c
index 41513d4..abe86fc 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -49,6 +49,7 @@
#include "pem.h"
#include "pkcs11x.h"
#include "persist.h"
+#include "types.h"
#include "x509.h"
#include <libtasn1.h>
@@ -630,7 +631,10 @@ p11_parser_format_persist (p11_parser *parser,
ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
if (ret) {
for (i = 0; i < objects->num; i++) {
- attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
+ CK_BBOOL generatedv;
+ attrs = objects->elem[i];
+ if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv)
+ attrs = p11_attrs_build (attrs, &modifiable, NULL);
sink_object (parser, attrs);
}
}
diff --git a/trust/persist.c b/trust/persist.c
index 63a531e..928260e 100644
--- a/trust/persist.c
+++ b/trust/persist.c
@@ -631,6 +631,9 @@ p11_persist_read (p11_persist *persist,
CK_ATTRIBUTE *attrs;
bool failed;
bool skip;
+ CK_BBOOL generatedv = CK_FALSE;
+ CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
+ static const char comment[] = "# This file has been auto-generated and written by p11-kit.";
return_val_if_fail (persist != NULL, false);
return_val_if_fail (objects != NULL, false);
@@ -639,6 +642,10 @@ p11_persist_read (p11_persist *persist,
attrs = NULL;
failed = false;
+ if (length >= sizeof (comment) - 1 &&
+ memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0)
+ generatedv = CK_TRUE;
+
p11_lexer_init (&lexer, filename, (const char *)data, length);
while (p11_lexer_next (&lexer, &failed)) {
switch (lexer.tok_type) {
@@ -650,7 +657,7 @@ p11_persist_read (p11_persist *persist,
p11_lexer_msg (&lexer, "unrecognized or invalid section header");
skip = true;
} else {
- attrs = p11_attrs_build (NULL, NULL);
+ attrs = p11_attrs_build (NULL, &generated, NULL);
return_val_if_fail (attrs != NULL, false);
skip = false;
}
diff --git a/trust/test-token.c b/trust/test-token.c
index ad22fcb..3e7d735 100644
--- a/trust/test-token.c
+++ b/trust/test-token.c
@@ -610,6 +610,7 @@ static void
test_modify_multiple (void)
{
const char *test_data =
+ "# This file has been auto-generated and written by p11-kit.\n"
"[p11-kit-object-v1]\n"
"class: data\n"
"label: \"first\"\n"
--
2.9.4

12
p11-kit.spec
View File

@ -1,12 +1,13 @@
Name: p11-kit
Version: 0.23.2
Release: 2%{?dist}
Release: 4%{?dist}
Summary: Library for loading and sharing PKCS#11 modules
License: BSD
URL: http://p11-glue.freedesktop.org/p11-kit.html
Source0: http://p11-glue.freedesktop.org/releases/p11-kit-%{version}.tar.gz
Source1: trust-extract-compat
Patch0: p11-kit-mozilla-ca-policy.patch
BuildRequires: libtasn1-devel >= 2.3
BuildRequires: nss-softokn-freebl
@ -51,6 +52,9 @@ contains certificate anchors and black lists.
%prep
%setup -q
%patch0 -p1 -b .mozilla-ca-policy
# Remove backup so not to confuse the trust module when testing
rm -f trust/input/*.mozilla-ca-policy
%build
# These paths are the source paths that come from the plan here:
@ -119,6 +123,12 @@ fi
%changelog
* Tue May 23 2017 Daiki Ueno <dueno@redhat.com> - 0.23.2-4
- Make "trust anchor --remove" work again
* Fri Mar 31 2017 Daiki Ueno <dueno@redhat.com> - 0.23.2-3
- Backport patch to recognize CKA_NSS_MOZILLA_CA_POLICY
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild