import sources

.gitignore

@@ -0,0 +1,2 @@
+/gpgkey-15B5C33D.gpg
+/libcacard-2.7.0.tar.xz

EMPTY

@@ -1 +0,0 @@
- 

libcacard-2.7.0-caching-keys.patch

@@ -0,0 +1,124 @@
+From 2c10ae315375730020108cbcae0c282d0d6eff5f Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 26 Aug 2019 17:42:06 +0200
+Subject: [PATCH 1/2] vcard_emul_nss: Drop the key caching to simplify error
+ handling
+
+It could happen with PKCS#11 modules that (correctly) invalidate object
+handles after logout (which was introduced in 0d3a683a), that the handles
+are not valid when we try to use the objects again.
+
+This is trying to address this use case, which I noticed was breaking
+CI with SoftHSM PKCS#11 modules.
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ src/vcard_emul_nss.c | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+diff --git a/src/vcard_emul_nss.c b/src/vcard_emul_nss.c
+index e8f5c56..f788964 100644
+--- a/src/vcard_emul_nss.c
++++ b/src/vcard_emul_nss.c
+@@ -52,7 +52,6 @@ typedef enum {
+ struct VCardKeyStruct {
+     CERTCertificate *cert;
+     PK11SlotInfo *slot;
+-    SECKEYPrivateKey *key;
+     VCardEmulTriState failedX509;
+ };
+ 
+@@ -155,10 +154,6 @@ vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert)
+     key = g_new(VCardKey, 1);
+     key->slot = PK11_ReferenceSlot(slot);
+     key->cert = CERT_DupCertificate(cert);
+-    /* NOTE: if we aren't logged into the token, this could return NULL */
+-    /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
+-     * use the DER version of this function */
+-    key->key = PK11_FindKeyByDERCert(slot, cert, NULL);
+     key->failedX509 = VCardEmulUnknown;
+     return key;
+ }
+@@ -170,10 +165,6 @@ vcard_emul_delete_key(VCardKey *key)
+     if (!nss_emul_init || (key == NULL)) {
+         return;
+     }
+-    if (key->key) {
+-        SECKEY_DestroyPrivateKey(key->key);
+-        key->key = NULL;
+-    }
+     if (key->cert) {
+         CERT_DestroyCertificate(key->cert);
+     }
+@@ -189,12 +180,8 @@ vcard_emul_delete_key(VCardKey *key)
+ static SECKEYPrivateKey *
+ vcard_emul_get_nss_key(VCardKey *key)
+ {
+-    if (key->key) {
+-        return key->key;
+-    }
+     /* NOTE: if we aren't logged into the token, this could return NULL */
+-    key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
+-    return key->key;
++    return PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
+ }
+ 
+ /*
+-- 
+2.22.0
+
+
+From 06587ef683373690f61540935b4516b4f23238ea Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 27 Aug 2019 12:38:45 +0200
+Subject: [PATCH 2/2] tests: Reproducer for pkcs11 modules invalidating object
+ handles on logout
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ tests/hwtests.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/tests/hwtests.c b/tests/hwtests.c
+index cd9a33b..39decfb 100644
+--- a/tests/hwtests.c
++++ b/tests/hwtests.c
+@@ -339,6 +339,26 @@ static void test_sign_bad_data_x509(void)
+     vreader_free(reader); /* get by id ref */
+ }
+ 
++/* This is a regression test for issues with PKCS#11 tokens
++ * invalidating object handles after logout (such as softhsm).
++ * See: https://bugzilla.mozilla.org/show_bug.cgi?id=1576642
++ */
++static void test_sign_logout_sign(void)
++{
++    VReader *reader = vreader_get_reader_by_id(0);
++
++    g_assert_nonnull(reader);
++
++    test_login();
++    test_sign();
++
++    /* This implicitly logs out the user */
++    test_login();
++    test_sign();
++
++    vreader_free(reader); /* get by id ref */
++}
++
+ static void libcacard_finalize(void)
+ {
+     VReader *reader = vreader_get_reader_by_id(0);
+@@ -374,6 +394,7 @@ int main(int argc, char *argv[])
+     g_test_add_func("/hw-tests/sign-bad-data", test_sign_bad_data_x509);
+     g_test_add_func("/hw-tests/empty-applets", test_empty_applets);
+     g_test_add_func("/hw-tests/get-response", test_get_response);
++    g_test_add_func("/hw-tests/sign-logout-sign", test_sign_logout_sign);
+ 
+     ret = g_test_run();
+ 
+-- 
+2.22.0
+
+

libcacard-2.7.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEE99xQpX39UrlCUyle9kkHrBW1wz0FAl0154wACgkQ9kkHrBW1
+wz06+Qf/Q6kuvcClfspNnHC6uiG4ltvxC1/56FQXXMOaiwvaR2lrH61po4f16EXI
+fQgjuecTMJukMWwdLFPfR444rfO3vNvaQom953MNI+NoWlzgpl+QoWWvCPJwOUl0
+ocKC7eehtSklbr05X885jHdsabhe4yUxOSJPhFwkiPZLnYGVwyB5gkhM/W9hBKqK
+IkMycN2lW8q+pcjafha9jcSWEa+fzxd+f/78oFwyXB9cPacm0g/LlpNjHZZlnnfn
+X8LVvVeYhMsm9eqY3js2QFOIu2045jBeeg5JwT2scuoMPzWBj8KrMGo8loN0NouZ
+uE7+03F0YKBoyV463bJkyYNryChXZg==
+=Qkcs
+-----END PGP SIGNATURE-----

libcacard.spec

@@ -0,0 +1,112 @@
+Name:           libcacard
+Version:        2.7.0
+Release:        2%{?dist}
+Summary:        CAC (Common Access Card) library
+License:        LGPLv2+
+URL:            http://www.spice-space.org/page/Libcacard
+Source0:        http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz
+Source1:        http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz.asc
+Source2:        gpgkey-15B5C33D.gpg
+# https://gitlab.freedesktop.org/spice/libcacard/merge_requests/5
+Patch0:         %{name}-2.7.0-caching-keys.patch
+Epoch:          3
+
+BuildRequires:  glib2-devel
+BuildRequires:  nss-devel
+BuildRequires:  softhsm
+BuildRequires:  opensc
+BuildRequires:  gnutls-utils
+BuildRequires:  nss-tools
+BuildRequires:  openssl
+BuildRequires:  gnupg2
+Conflicts:      qemu-common < 2:2.5.0
+
+%description
+This library provides emulation of smart cards to a virtual card
+reader running in a guest virtual machine.
+
+It implements DoD CAC standard with separate pki containers
+(compatible coolkey), using certificates read from NSS.
+
+%package        devel
+Summary:        Development files for %{name}
+Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description    devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%prep
+gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+%setup -q
+%patch0 -p1 -b .caching
+
+%build
+%configure --disable-static
+sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool
+make %{?_smp_mflags}
+
+%check
+# Do not run the tests on s390x, which fails
+%ifnarch s390x
+sed -i "s!/usr/lib64/!%{_libdir}/!" tests/setup-softhsm2.sh
+make check
+%endif
+
+%install
+%make_install
+rm -f %{buildroot}%{_libdir}/*.la
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%files
+%license COPYING
+%doc NEWS
+%{_libdir}/libcacard.so.*
+
+%files devel
+%{_includedir}/cacard
+%{_libdir}/libcacard.so
+%{_libdir}/pkgconfig/libcacard.pc
+
+%changelog
+* Mon Sep 16 2019 Jakub Jelen <jjelen@redhat.com> - 2.7.0-2
+- Remove key caching capabilities since to avoid invalid handle reuse (#1746883)
+
+* Tue Jul 23 2019 Jakub Jelen <jjelen@redhat.com> - 2.7.0-1
+- Update to libcacard 2.7.0 to improve Windows compatibility (#1615840)
+
+* Mon Dec 17 2018 Christophe Fergeau <cfergeau@redhat.com> - 2.6.1-1
+- Update to libcacard 2.6.1
+  Resolves: rhbz#1620129
+
+* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com> - 3:2.5.3-5
+- Release Bumped for el8 Mass Rebuild
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar 01 2017 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.5.3-1
+- new upstream release 2.5.3
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Dec  8 2015 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.5.2-1
+- Update to latest libcacard's release (2.5.2)
+
+* Wed Nov 25 2015 Fabiano Fidêncio <fidencio@redhat.com> - 3:2.5.1-1
+- Update to latest libcacard's release (2.5.1)
+
+* Wed Sep 23 2015 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.5.0-1
+- Initial standalone libcacard package.

sources

@@ -0,0 +1,2 @@
+SHA512 (gpgkey-15B5C33D.gpg) = 7f17283e5ea7e173d867ff815370c37b138df4fd8b7310f8a6eca13c5af90b0e6bd51bac79c0d3265021f6ae0e0e32f738ba4e12ba21e5302d628c235d5aed58
+SHA512 (libcacard-2.7.0.tar.xz) = 347c13396e6777193e4e158321605410f4cbd90727c1ba8d85a1aac41d5ada96728dbef367ed4027d16dd0b10c8a4d0cf902ce3345334be4c78994cf72c58352