rpms/libcacard
5
0
Fork 0
Code Issues Pull Requests Releases Activity

libcacard-2.8.0-1

Browse Source 
This also switches build system from autotools to meson
This commit is contained in:
Jakub Jelen 2020-07-31 15:46:44 +02:00
parent 3d62a35395
commit f0ac0b659e
4 changed files with 19 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -7,3 +7,6 @@
/libcacard-2.7.0.tar.xz /libcacard-2.7.0.tar.xz
/libcacard-2.7.0.tar.xz.asc /libcacard-2.7.0.tar.xz.asc
/gpgkey-15B5C33D.gpg /gpgkey-15B5C33D.gpg
/libcacard-2.8.0.tar.xz
/libcacard-2.8.0.tar.xz.asc
/gpgkey-E37A484F.gpg

124
libcacard-2.7.0-caching-keys.patch
View File

@ -1,124 +0,0 @@
From 2c10ae315375730020108cbcae0c282d0d6eff5f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 26 Aug 2019 17:42:06 +0200
Subject: [PATCH 1/2] vcard_emul_nss: Drop the key caching to simplify error
handling
It could happen with PKCS#11 modules that (correctly) invalidate object
handles after logout (which was introduced in 0d3a683a), that the handles
are not valid when we try to use the objects again.
This is trying to address this use case, which I noticed was breaking
CI with SoftHSM PKCS#11 modules.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/vcard_emul_nss.c | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/src/vcard_emul_nss.c b/src/vcard_emul_nss.c
index e8f5c56..f788964 100644
--- a/src/vcard_emul_nss.c
+++ b/src/vcard_emul_nss.c
@@ -52,7 +52,6 @@ typedef enum {
struct VCardKeyStruct {
CERTCertificate *cert;
PK11SlotInfo *slot;
- SECKEYPrivateKey *key;
VCardEmulTriState failedX509;
};
@@ -155,10 +154,6 @@ vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert)
key = g_new(VCardKey, 1);
key->slot = PK11_ReferenceSlot(slot);
key->cert = CERT_DupCertificate(cert);
- /* NOTE: if we aren't logged into the token, this could return NULL */
- /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
- * use the DER version of this function */
- key->key = PK11_FindKeyByDERCert(slot, cert, NULL);
key->failedX509 = VCardEmulUnknown;
return key;
}
@@ -170,10 +165,6 @@ vcard_emul_delete_key(VCardKey *key)
if (!nss_emul_init || (key == NULL)) {
return;
}
- if (key->key) {
- SECKEY_DestroyPrivateKey(key->key);
- key->key = NULL;
- }
if (key->cert) {
CERT_DestroyCertificate(key->cert);
}
@@ -189,12 +180,8 @@ vcard_emul_delete_key(VCardKey *key)
static SECKEYPrivateKey *
vcard_emul_get_nss_key(VCardKey *key)
{
- if (key->key) {
- return key->key;
- }
/* NOTE: if we aren't logged into the token, this could return NULL */
- key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
- return key->key;
+ return PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
}
/*
--
2.22.0
From 06587ef683373690f61540935b4516b4f23238ea Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 27 Aug 2019 12:38:45 +0200
Subject: [PATCH 2/2] tests: Reproducer for pkcs11 modules invalidating object
handles on logout
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/hwtests.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/tests/hwtests.c b/tests/hwtests.c
index cd9a33b..39decfb 100644
--- a/tests/hwtests.c
+++ b/tests/hwtests.c
@@ -339,6 +339,26 @@ static void test_sign_bad_data_x509(void)
vreader_free(reader); /* get by id ref */
}
+/* This is a regression test for issues with PKCS#11 tokens
+ * invalidating object handles after logout (such as softhsm).
+ * See: https://bugzilla.mozilla.org/show_bug.cgi?id=1576642
+ */
+static void test_sign_logout_sign(void)
+{
+ VReader *reader = vreader_get_reader_by_id(0);
+
+ g_assert_nonnull(reader);
+
+ test_login();
+ test_sign();
+
+ /* This implicitly logs out the user */
+ test_login();
+ test_sign();
+
+ vreader_free(reader); /* get by id ref */
+}
+
static void libcacard_finalize(void)
{
VReader *reader = vreader_get_reader_by_id(0);
@@ -374,6 +394,7 @@ int main(int argc, char *argv[])
g_test_add_func("/hw-tests/sign-bad-data", test_sign_bad_data_x509);
g_test_add_func("/hw-tests/empty-applets", test_empty_applets);
g_test_add_func("/hw-tests/get-response", test_get_response);
+ g_test_add_func("/hw-tests/sign-logout-sign", test_sign_logout_sign);
ret = g_test_run();
--
2.22.0

25
libcacard.spec
View File

@ -1,14 +1,12 @@
Name: libcacard Name: libcacard
Version: 2.7.0 Version: 2.8.0
Release: 5%{?dist} Release: 1%{?dist}
Summary: CAC (Common Access Card) library Summary: CAC (Common Access Card) library
License: LGPLv2+ License: LGPLv2+
URL: https://gitlab.freedesktop.org/spice/libcacard URL: https://gitlab.freedesktop.org/spice/libcacard
Source0: http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz Source0: http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz
Source1: http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz.asc Source1: http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz.asc
Source2: gpgkey-15B5C33D.gpg Source2: gpgkey-E37A484F.gpg
# https://gitlab.freedesktop.org/spice/libcacard/merge_requests/5
Patch0: %{name}-2.7.0-caching-keys.patch
Epoch: 3 Epoch: 3
BuildRequires: gcc BuildRequires: gcc
@ -19,8 +17,10 @@ BuildRequires: opensc
BuildRequires: gnutls-utils BuildRequires: gnutls-utils
BuildRequires: nss-tools BuildRequires: nss-tools
BuildRequires: openssl BuildRequires: openssl
BuildRequires: lcov
BuildRequires: gnupg2 BuildRequires: gnupg2
BuildRequires: meson
BuildRequires: gcc-c++
BuildRequires: pcsc-lite-devel
Conflicts: qemu-common < 2:2.5.0 Conflicts: qemu-common < 2:2.5.0
%description %description
@ -41,22 +41,20 @@ developing applications that use %{name}.
%prep %prep
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q %setup -q
%patch0 -p1
%build %build
%configure --disable-static %meson
sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool %meson_build
%make_build
%check %check
# Do not run the tests on s390x, which fails # Do not run the tests on s390x, which fails
%ifnarch s390x %ifnarch s390x
sed -i "s!/usr/lib64/!%{_libdir}/!" tests/setup-softhsm2.sh sed -i "s!/usr/lib64/!%{_libdir}/!" tests/setup-softhsm2.sh
make check %meson_test
%endif %endif
%install %install
%make_install %meson_install
rm -f %{buildroot}%{_libdir}/*.la rm -f %{buildroot}%{_libdir}/*.la
%ldconfig_scriptlets %ldconfig_scriptlets
@ -72,6 +70,9 @@ rm -f %{buildroot}%{_libdir}/*.la
%{_libdir}/pkgconfig/libcacard.pc %{_libdir}/pkgconfig/libcacard.pc
%changelog %changelog
* Tue Oct 06 2020 Jakub Jelen <jjelen@redhat.com> - 2.8.0-1
- New upstream release
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.7.0-5 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.7.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

6
sources
View File

@ -1,3 +1,3 @@
SHA512 (libcacard-2.7.0.tar.xz) = 347c13396e6777193e4e158321605410f4cbd90727c1ba8d85a1aac41d5ada96728dbef367ed4027d16dd0b10c8a4d0cf902ce3345334be4c78994cf72c58352 SHA512 (libcacard-2.8.0.tar.xz) = 68a7ef8446995b8495f23656d481ed8accc451412561dac9b2397b34accaf88c44499bc753de2e56ae22a07af81594a29b4e47fa9418a2f97c33804e3c6b9da3
SHA512 (libcacard-2.7.0.tar.xz.asc) = a8890117610a0d89019fee5c2ec67a8e383095a39ce56b3a2d092c6e1164435888c5128f9ca303689ffa304f4bcdf71bfab9b2218361bb352427c58dae54dce0 SHA512 (libcacard-2.8.0.tar.xz.asc) = fffe6a236276cd01bcdd1962e17d2b1b3f5450aae4848b3640808faabcf5e93a3c8ec394b335ccd21cebdcca5129859cfe52c2f7c69f8a3c37763c3844311d5e
SHA512 (gpgkey-15B5C33D.gpg) = 7f17283e5ea7e173d867ff815370c37b138df4fd8b7310f8a6eca13c5af90b0e6bd51bac79c0d3265021f6ae0e0e32f738ba4e12ba21e5302d628c235d5aed58 SHA512 (gpgkey-E37A484F.gpg) = 091755da8a358c8c8ebd3b5443b4b5eb3c260afed943454c085d48c973de6a42763547c321c64e4da5c1b2983ad0c5146aaeddeb1d54ef414f7e6a530a3bf14a