import libcacard-2.7.0-2.el8_1

This commit is contained in:
CentOS Sources 2019-11-07 07:02:52 -05:00 committed by Andrew Lukoshko
parent e9fe00707a
commit 5fd3a71470
2 changed files with 131 additions and 1 deletions

View File

@ -0,0 +1,124 @@
From 2c10ae315375730020108cbcae0c282d0d6eff5f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 26 Aug 2019 17:42:06 +0200
Subject: [PATCH 1/2] vcard_emul_nss: Drop the key caching to simplify error
handling
It could happen with PKCS#11 modules that (correctly) invalidate object
handles after logout (which was introduced in 0d3a683a), that the handles
are not valid when we try to use the objects again.
This is trying to address this use case, which I noticed was breaking
CI with SoftHSM PKCS#11 modules.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/vcard_emul_nss.c | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/src/vcard_emul_nss.c b/src/vcard_emul_nss.c
index e8f5c56..f788964 100644
--- a/src/vcard_emul_nss.c
+++ b/src/vcard_emul_nss.c
@@ -52,7 +52,6 @@ typedef enum {
struct VCardKeyStruct {
CERTCertificate *cert;
PK11SlotInfo *slot;
- SECKEYPrivateKey *key;
VCardEmulTriState failedX509;
};
@@ -155,10 +154,6 @@ vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert)
key = g_new(VCardKey, 1);
key->slot = PK11_ReferenceSlot(slot);
key->cert = CERT_DupCertificate(cert);
- /* NOTE: if we aren't logged into the token, this could return NULL */
- /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
- * use the DER version of this function */
- key->key = PK11_FindKeyByDERCert(slot, cert, NULL);
key->failedX509 = VCardEmulUnknown;
return key;
}
@@ -170,10 +165,6 @@ vcard_emul_delete_key(VCardKey *key)
if (!nss_emul_init || (key == NULL)) {
return;
}
- if (key->key) {
- SECKEY_DestroyPrivateKey(key->key);
- key->key = NULL;
- }
if (key->cert) {
CERT_DestroyCertificate(key->cert);
}
@@ -189,12 +180,8 @@ vcard_emul_delete_key(VCardKey *key)
static SECKEYPrivateKey *
vcard_emul_get_nss_key(VCardKey *key)
{
- if (key->key) {
- return key->key;
- }
/* NOTE: if we aren't logged into the token, this could return NULL */
- key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
- return key->key;
+ return PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
}
/*
--
2.22.0
From 06587ef683373690f61540935b4516b4f23238ea Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 27 Aug 2019 12:38:45 +0200
Subject: [PATCH 2/2] tests: Reproducer for pkcs11 modules invalidating object
handles on logout
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/hwtests.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/tests/hwtests.c b/tests/hwtests.c
index cd9a33b..39decfb 100644
--- a/tests/hwtests.c
+++ b/tests/hwtests.c
@@ -339,6 +339,26 @@ static void test_sign_bad_data_x509(void)
vreader_free(reader); /* get by id ref */
}
+/* This is a regression test for issues with PKCS#11 tokens
+ * invalidating object handles after logout (such as softhsm).
+ * See: https://bugzilla.mozilla.org/show_bug.cgi?id=1576642
+ */
+static void test_sign_logout_sign(void)
+{
+ VReader *reader = vreader_get_reader_by_id(0);
+
+ g_assert_nonnull(reader);
+
+ test_login();
+ test_sign();
+
+ /* This implicitly logs out the user */
+ test_login();
+ test_sign();
+
+ vreader_free(reader); /* get by id ref */
+}
+
static void libcacard_finalize(void)
{
VReader *reader = vreader_get_reader_by_id(0);
@@ -374,6 +394,7 @@ int main(int argc, char *argv[])
g_test_add_func("/hw-tests/sign-bad-data", test_sign_bad_data_x509);
g_test_add_func("/hw-tests/empty-applets", test_empty_applets);
g_test_add_func("/hw-tests/get-response", test_get_response);
+ g_test_add_func("/hw-tests/sign-logout-sign", test_sign_logout_sign);
ret = g_test_run();
--
2.22.0

View File

@ -1,12 +1,14 @@
Name: libcacard
Version: 2.7.0
Release: 1%{?dist}
Release: 2%{?dist}
Summary: CAC (Common Access Card) library
License: LGPLv2+
URL: http://www.spice-space.org/page/Libcacard
Source0: http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz
Source1: http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz.asc
Source2: gpgkey-15B5C33D.gpg
# https://gitlab.freedesktop.org/spice/libcacard/merge_requests/5
Patch0: %{name}-2.7.0-caching-keys.patch
Epoch: 3
BuildRequires: glib2-devel
@ -37,6 +39,7 @@ developing applications that use %{name}.
%prep
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
%patch0 -p1 -b .caching
%build
%configure --disable-static
@ -68,6 +71,9 @@ rm -f %{buildroot}%{_libdir}/*.la
%{_libdir}/pkgconfig/libcacard.pc
%changelog
* Mon Sep 16 2019 Jakub Jelen <jjelen@redhat.com> - 2.7.0-2
- Remove key caching capabilities since to avoid invalid handle reuse (#1746883)
* Tue Jul 23 2019 Jakub Jelen <jjelen@redhat.com> - 2.7.0-1
- Update to libcacard 2.7.0 to improve Windows compatibility (#1615840)