rpms/libcacard
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c10s
rpms:a10s
rpms:c8s
rpms:c9s
rpms:c8-beta
rpms:changed/a10s/libcacard-2.8.1-6.el10
rpms:imports/c8-beta/libcacard-2.7.0-2.el8_1
rpms:imports/c8-beta/libcacard-2.6.1-1.el8
rpms:imports/c8/libcacard-2.7.0-2.el8_1
rpms:imports/c8/libcacard-2.7.0-1.el8
rpms:imports/c8/libcacard-2.6.1-1.el8
...
pull from: rpms:a10s
Branches Tags
rpms:c10s
rpms:a10s
rpms:c8s
rpms:c9s
rpms:c8-beta
rpms:c8
rpms:changed/a10s/libcacard-2.8.1-6.el10
rpms:imports/c8-beta/libcacard-2.7.0-2.el8_1
rpms:imports/c8-beta/libcacard-2.6.1-1.el8
rpms:imports/c8/libcacard-2.7.0-2.el8_1
rpms:imports/c8/libcacard-2.7.0-1.el8
rpms:imports/c8/libcacard-2.6.1-1.el8

No commits in common. "c8" and "a10s" have entirely different histories.
c8 ... a10s

10 changed files with 657 additions and 251 deletions
Show Stats Expand all files Collapse all files

18
.gitignore vendored
View File

@ -1,2 +1,16 @@
SOURCES/gpgkey-15B5C33D.gpg
SOURCES/libcacard-2.7.0.tar.xz
/libcacard-2.5.0.tar.xz
/libcacard-2.5.1.tar.xz
/libcacard-2.5.2.tar.xz
/libcacard-2.5.3.tar.xz
/libcacard-2.6.0.tar.xz
/libcacard-2.6.1.tar.xz
/libcacard-2.7.0.tar.xz
/libcacard-2.7.0.tar.xz.asc
/gpgkey-15B5C33D.gpg
/libcacard-2.8.0.tar.xz
/libcacard-2.8.0.tar.xz.asc
/gpgkey-E37A484F.gpg
/libcacard-20210801.tar.xz
/libcacard-2.8.1.tar.xz
/libcacard-2.8.1.tar.xz.sig
/gpgkey-A3DDE969.gpg

2
.libcacard.metadata
View File

@ -1,2 +0,0 @@
edd993b1f57280c50dc15f13624a43849b1c69db SOURCES/gpgkey-15B5C33D.gpg
85b85d33e5f2c68f3a792f09cae21de64edc91c0 SOURCES/libcacard-2.7.0.tar.xz

124
SOURCES/libcacard-2.7.0-caching-keys.patch
View File

@ -1,124 +0,0 @@
From 2c10ae315375730020108cbcae0c282d0d6eff5f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 26 Aug 2019 17:42:06 +0200
Subject: [PATCH 1/2] vcard_emul_nss: Drop the key caching to simplify error
handling
It could happen with PKCS#11 modules that (correctly) invalidate object
handles after logout (which was introduced in 0d3a683a), that the handles
are not valid when we try to use the objects again.
This is trying to address this use case, which I noticed was breaking
CI with SoftHSM PKCS#11 modules.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/vcard_emul_nss.c | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/src/vcard_emul_nss.c b/src/vcard_emul_nss.c
index e8f5c56..f788964 100644
--- a/src/vcard_emul_nss.c
+++ b/src/vcard_emul_nss.c
@@ -52,7 +52,6 @@ typedef enum {
struct VCardKeyStruct {
CERTCertificate *cert;
PK11SlotInfo *slot;
- SECKEYPrivateKey *key;
VCardEmulTriState failedX509;
};
@@ -155,10 +154,6 @@ vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert)
key = g_new(VCardKey, 1);
key->slot = PK11_ReferenceSlot(slot);
key->cert = CERT_DupCertificate(cert);
- /* NOTE: if we aren't logged into the token, this could return NULL */
- /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
- * use the DER version of this function */
- key->key = PK11_FindKeyByDERCert(slot, cert, NULL);
key->failedX509 = VCardEmulUnknown;
return key;
}
@@ -170,10 +165,6 @@ vcard_emul_delete_key(VCardKey *key)
if (!nss_emul_init || (key == NULL)) {
return;
}
- if (key->key) {
- SECKEY_DestroyPrivateKey(key->key);
- key->key = NULL;
- }
if (key->cert) {
CERT_DestroyCertificate(key->cert);
}
@@ -189,12 +180,8 @@ vcard_emul_delete_key(VCardKey *key)
static SECKEYPrivateKey *
vcard_emul_get_nss_key(VCardKey *key)
{
- if (key->key) {
- return key->key;
- }
/* NOTE: if we aren't logged into the token, this could return NULL */
- key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
- return key->key;
+ return PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
}
/*
--
2.22.0
From 06587ef683373690f61540935b4516b4f23238ea Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 27 Aug 2019 12:38:45 +0200
Subject: [PATCH 2/2] tests: Reproducer for pkcs11 modules invalidating object
handles on logout
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/hwtests.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/tests/hwtests.c b/tests/hwtests.c
index cd9a33b..39decfb 100644
--- a/tests/hwtests.c
+++ b/tests/hwtests.c
@@ -339,6 +339,26 @@ static void test_sign_bad_data_x509(void)
vreader_free(reader); /* get by id ref */
}
+/* This is a regression test for issues with PKCS#11 tokens
+ * invalidating object handles after logout (such as softhsm).
+ * See: https://bugzilla.mozilla.org/show_bug.cgi?id=1576642
+ */
+static void test_sign_logout_sign(void)
+{
+ VReader *reader = vreader_get_reader_by_id(0);
+
+ g_assert_nonnull(reader);
+
+ test_login();
+ test_sign();
+
+ /* This implicitly logs out the user */
+ test_login();
+ test_sign();
+
+ vreader_free(reader); /* get by id ref */
+}
+
static void libcacard_finalize(void)
{
VReader *reader = vreader_get_reader_by_id(0);
@@ -374,6 +394,7 @@ int main(int argc, char *argv[])
g_test_add_func("/hw-tests/sign-bad-data", test_sign_bad_data_x509);
g_test_add_func("/hw-tests/empty-applets", test_empty_applets);
g_test_add_func("/hw-tests/get-response", test_get_response);
+ g_test_add_func("/hw-tests/sign-logout-sign", test_sign_logout_sign);
ret = g_test_run();
--
2.22.0

11
SOURCES/libcacard-2.7.0.tar.xz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEE99xQpX39UrlCUyle9kkHrBW1wz0FAl0154wACgkQ9kkHrBW1
wz06+Qf/Q6kuvcClfspNnHC6uiG4ltvxC1/56FQXXMOaiwvaR2lrH61po4f16EXI
fQgjuecTMJukMWwdLFPfR444rfO3vNvaQom953MNI+NoWlzgpl+QoWWvCPJwOUl0
ocKC7eehtSklbr05X885jHdsabhe4yUxOSJPhFwkiPZLnYGVwyB5gkhM/W9hBKqK
IkMycN2lW8q+pcjafha9jcSWEa+fzxd+f/78oFwyXB9cPacm0g/LlpNjHZZlnnfn
X8LVvVeYhMsm9eqY3js2QFOIu2045jBeeg5JwT2scuoMPzWBj8KrMGo8loN0NouZ
uE7+03F0YKBoyV463bJkyYNryChXZg==
=Qkcs
-----END PGP SIGNATURE-----

112
SPECS/libcacard.spec
View File

@ -1,112 +0,0 @@
Name: libcacard
Version: 2.7.0
Release: 2%{?dist}
Summary: CAC (Common Access Card) library
License: LGPLv2+
URL: http://www.spice-space.org/page/Libcacard
Source0: http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz
Source1: http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz.asc
Source2: gpgkey-15B5C33D.gpg
# https://gitlab.freedesktop.org/spice/libcacard/merge_requests/5
Patch0: %{name}-2.7.0-caching-keys.patch
Epoch: 3
BuildRequires: glib2-devel
BuildRequires: nss-devel
BuildRequires: softhsm
BuildRequires: opensc
BuildRequires: gnutls-utils
BuildRequires: nss-tools
BuildRequires: openssl
BuildRequires: gnupg2
Conflicts: qemu-common < 2:2.5.0
%description
This library provides emulation of smart cards to a virtual card
reader running in a guest virtual machine.
It implements DoD CAC standard with separate pki containers
(compatible coolkey), using certificates read from NSS.
%package devel
Summary: Development files for %{name}
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%description devel
The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.
%prep
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
%patch0 -p1 -b .caching
%build
%configure --disable-static
sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool
make %{?_smp_mflags}
%check
# Do not run the tests on s390x, which fails
%ifnarch s390x
sed -i "s!/usr/lib64/!%{_libdir}/!" tests/setup-softhsm2.sh
make check
%endif
%install
%make_install
rm -f %{buildroot}%{_libdir}/*.la
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%license COPYING
%doc NEWS
%{_libdir}/libcacard.so.*
%files devel
%{_includedir}/cacard
%{_libdir}/libcacard.so
%{_libdir}/pkgconfig/libcacard.pc
%changelog
* Mon Sep 16 2019 Jakub Jelen <jjelen@redhat.com> - 2.7.0-2
- Remove key caching capabilities since to avoid invalid handle reuse (#1746883)
* Tue Jul 23 2019 Jakub Jelen <jjelen@redhat.com> - 2.7.0-1
- Update to libcacard 2.7.0 to improve Windows compatibility (#1615840)
* Mon Dec 17 2018 Christophe Fergeau <cfergeau@redhat.com> - 2.6.1-1
- Update to libcacard 2.6.1
Resolves: rhbz#1620129
* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com> - 3:2.5.3-5
- Release Bumped for el8 Mass Rebuild
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Mar 01 2017 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.5.3-1
- new upstream release 2.5.3
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Dec 8 2015 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.5.2-1
- Update to latest libcacard's release (2.5.2)
* Wed Nov 25 2015 Fabiano Fidêncio <fidencio@redhat.com> - 3:2.5.1-1
- Update to latest libcacard's release (2.5.1)
* Wed Sep 23 2015 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.5.0-1
- Initial standalone libcacard package.

BIN
db2.crypt Normal file
View File

Binary file not shown.

456
libcacard-2.8.1-sort-certificates.patch Normal file
View File

@ -0,0 +1,456 @@
From 8458e1b1b35e69ecdc57c5c92c5780c38695f3f0 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 16 Jun 2022 22:22:17 +0200
Subject: [PATCH 1/3] m4: Update code coverage
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
m4/ax_code_coverage.m4 | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/m4/ax_code_coverage.m4 b/m4/ax_code_coverage.m4
index 3d36924..352165b 100644
--- a/m4/ax_code_coverage.m4
+++ b/m4/ax_code_coverage.m4
@@ -74,7 +74,7 @@
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
-#serial 32
+#serial 34
m4_define(_AX_CODE_COVERAGE_RULES,[
AX_ADD_AM_MACRO_STATIC([
@@ -138,7 +138,7 @@ CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT ?=\
CODE_COVERAGE_GENHTML_OPTIONS ?= \$(CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT)
CODE_COVERAGE_IGNORE_PATTERN ?=
-GITIGNOREFILES = \$(GITIGNOREFILES) \$(CODE_COVERAGE_OUTPUT_FILE) \$(CODE_COVERAGE_OUTPUT_DIRECTORY)
+GITIGNOREFILES := \$(GITIGNOREFILES) \$(CODE_COVERAGE_OUTPUT_FILE) \$(CODE_COVERAGE_OUTPUT_DIRECTORY)
code_coverage_v_lcov_cap = \$(code_coverage_v_lcov_cap_\$(V))
code_coverage_v_lcov_cap_ = \$(code_coverage_v_lcov_cap_\$(AM_DEFAULT_VERBOSITY))
code_coverage_v_lcov_cap_0 = @echo \" LCOV --capture\" \$(CODE_COVERAGE_OUTPUT_FILE);
@@ -175,7 +175,7 @@ code-coverage-clean:
code-coverage-dist-clean:
-A][M_DISTCHECK_CONFIGURE_FLAGS = \$(A][M_DISTCHECK_CONFIGURE_FLAGS) --disable-code-coverage
+A][M_DISTCHECK_CONFIGURE_FLAGS := \$(A][M_DISTCHECK_CONFIGURE_FLAGS) --disable-code-coverage
else # ifneq (\$(abs_builddir), \$(abs_top_builddir))
check-code-coverage:
--
2.35.3
From 0f4cd1279ea826a306bb0f10c691af9f0c40ad2e Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 16 Jun 2022 22:23:03 +0200
Subject: [PATCH 2/3] Sort certificates by ID
This is needed to avoid non-deterministic order of the certificates in
case the underlying pkcs11 module does not guarantee that (such as
softhsm). Without this change, the signing and encryption certificate
might get mixed up and application might try to use wrong one for
verification or decryption.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/vcard_emul_nss.c | 43 +++++++++++++++++++++++++++++++++++++------
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/src/vcard_emul_nss.c b/src/vcard_emul_nss.c
index b63105d..2d2062d 100644
--- a/src/vcard_emul_nss.c
+++ b/src/vcard_emul_nss.c
@@ -706,8 +706,9 @@ vcard_emul_mirror_card(VReader *vreader)
* us the real certs until we log in.
*/
PK11GenericObject *firstObj, *thisObj;
- int cert_count;
+ int cert_count, i;
unsigned char **certs;
+ SECItem **ids;
int *cert_len;
VCardKey **keys;
PK11SlotInfo *slot;
@@ -734,12 +735,13 @@ vcard_emul_mirror_card(VReader *vreader)
/* allocate the arrays */
vcard_emul_alloc_arrays(&certs, &cert_len, &keys, cert_count);
+ ids = g_new(SECItem *, cert_count);
/* fill in the arrays */
- cert_count = 0;
+ cert_count = i = 0;
for (thisObj = firstObj; thisObj;
thisObj = PK11_GetNextGenericObject(thisObj)) {
- SECItem derCert;
+ SECItem derCert, *id;
CERTCertificate *cert;
SECStatus rv;
@@ -749,22 +751,51 @@ vcard_emul_mirror_card(VReader *vreader)
if (rv != SECSuccess) {
continue;
}
+ /* Read ID and try to sort by this to get reproducible results
+ * in case of underlying pkcs11 module does not provide it */
+ id = SECITEM_AllocItem(NULL, NULL, 0);
+ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisObj, CKA_ID, id);
+ if (rv != SECSuccess) {
+ SECITEM_FreeItem(&derCert, PR_FALSE);
+ SECITEM_FreeItem(id, PR_TRUE);
+ continue;
+ }
/* create floating temp cert. This gives us a cert structure even if
* the token isn't logged in */
cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &derCert,
NULL, PR_FALSE, PR_TRUE);
SECITEM_FreeItem(&derCert, PR_FALSE);
if (cert == NULL) {
+ SECITEM_FreeItem(id, PR_TRUE);
continue;
}
- certs[cert_count] = cert->derCert.data;
- cert_len[cert_count] = cert->derCert.len;
- keys[cert_count] = vcard_emul_make_key(slot, cert);
+ for (i = 0; i < cert_count; i++) {
+ if (SECITEM_CompareItem(id, ids[i]) < SECEqual) {
+ int j;
+ /* Make space for the item here, move the rest of the items */
+ for (j = cert_count; j > i; j--) {
+ certs[j] = certs[j - 1];
+ cert_len[j] = cert_len[j - 1];
+ keys[j] = keys[j - 1];
+ ids[j] = ids[j - 1];
+ }
+ break;
+ }
+ }
+ certs[i] = cert->derCert.data;
+ cert_len[i] = cert->derCert.len;
+ keys[i] = vcard_emul_make_key(slot, cert);
+ ids[i] = id;
cert_count++;
CERT_DestroyCertificate(cert); /* key obj still has a reference */
}
PK11_DestroyGenericObjects(firstObj);
+ /* No longer needed */
+ for (i = 0; i < cert_count; i++) {
+ SECITEM_FreeItem(ids[i], PR_TRUE);
+ }
+ g_free(ids);
/* now create the card */
card = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count);
--
2.35.3
From 1a415a16f9d3d914e3d1f5b45d3e6b30160280c9 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 17 Jun 2022 12:36:18 +0200
Subject: [PATCH 3/3] Implement tests with second PKI object
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/common.c | 42 ++++++++++++++++++++++++++++++++++------
tests/common.h | 15 +++++++-------
tests/db2.crypt | Bin 0 -> 256 bytes
tests/hwtests.c | 27 ++++++++++++++++++++++++--
tests/libcacard.c | 36 +++++++++++++++++++++++++++++++++-
tests/setup-softhsm2.sh | 2 +-
6 files changed, 105 insertions(+), 17 deletions(-)
create mode 100644 tests/db2.crypt
diff --git a/tests/common.c b/tests/common.c
index e5bc3e2..d1681f2 100644
--- a/tests/common.c
+++ b/tests/common.c
@@ -192,7 +192,7 @@ void get_properties_coid(VReader *reader, const unsigned char coid[2],
case 0x43: /* PKI properties */
g_assert_cmphex(p2[0], ==, 0x06);
- if (hw_tests) {
+ if (hw_tests && object_type == TEST_PKI) {
/* Assuming CAC card with 1024 b RSA keys */
key_bits = 1024;
} else {
@@ -248,7 +248,7 @@ void get_properties_coid(VReader *reader, const unsigned char coid[2],
g_assert_cmpint(num_objects_expected, ==, 0);
}
- if (object_type == TEST_PKI) {
+ if (object_type == TEST_PKI || object_type == TEST_PKI_2) {
g_assert_cmpint(verified_pki_properties, ==, 1);
}
@@ -307,12 +307,17 @@ void get_properties(VReader *reader, int object_type)
unsigned char coid[2];
switch (object_type) {
case TEST_PKI:
- // XXX only the first PKI for now
coid[0] = 0x01;
coid[1] = 0x00;
get_properties_coid(reader, coid, object_type);
break;
+ case TEST_PKI_2:
+ coid[0] = 0x01;
+ coid[1] = 0x01;
+ get_properties_coid(reader, coid, object_type);
+ break;
+
case TEST_CCC:
coid[0] = 0xDB;
coid[1] = 0x00;
@@ -426,6 +431,10 @@ void select_applet(VReader *reader, int type)
/* Select first PKI Applet */
0xa0, 0x00, 0x00, 0x00, 0x79, 0x01, 0x00
};
+ uint8_t selfile_pki_2[] = {
+ /* Select second PKI Applet */
+ 0xa0, 0x00, 0x00, 0x00, 0x79, 0x01, 0x01
+ };
uint8_t selfile_passthrough[] = {
/* Select Person Instance (passthrough) */
0xa0, 0x00, 0x00, 0x00, 0x79, 0x02, 0x00
@@ -442,6 +451,11 @@ void select_applet(VReader *reader, int type)
aid_len = sizeof(selfile_pki);
break;
+ case TEST_PKI_2:
+ aid = selfile_pki_2;
+ aid_len = sizeof(selfile_pki_2);
+ break;
+
case TEST_CCC:
aid = selfile_ccc;
aid_len = sizeof(selfile_ccc);
@@ -562,7 +576,7 @@ void do_sign(VReader *reader, int parts)
}
-void do_decipher(VReader *reader)
+void do_decipher(VReader *reader, int type)
{
VReaderStatus status;
int dwRecvLength = APDUBufSize;
@@ -589,14 +603,30 @@ void do_decipher(VReader *reader)
/* Read the encrypted file */
if (hw_tests) {
- filename = g_test_build_filename(G_TEST_BUILT, "01.crypt", NULL);
+ const char *name;
+ if (type == TEST_PKI) {
+ name = "01.crypt";
+ } else if (type == TEST_PKI_2) {
+ name = "02.crypt";
+ } else {
+ g_assert_not_reached();
+ }
+ filename = g_test_build_filename(G_TEST_BUILT, name, NULL);
} else {
/* Generated from existing db using:
* echo "1234567890" > data
* certutil -L -d sql:$PWD/tests/db/ -n cert1 -r > tests/db.cert
* openssl rsautl -encrypt -inkey "tests/db.cert" -keyform DER -certin -in data -out "tests/db.crypt"
*/
- filename = g_test_build_filename(G_TEST_DIST, "db.crypt", NULL);
+ const char *name;
+ if (type == TEST_PKI) {
+ name = "db.crypt";
+ } else if (type == TEST_PKI_2) {
+ name = "db2.crypt";
+ } else {
+ g_assert_not_reached();
+ }
+ filename = g_test_build_filename(G_TEST_DIST, name, NULL);
}
if (!g_file_get_contents(filename, &ciphertext, &ciphertext_len, NULL)) {
g_test_skip("The encrypted file not found");
diff --git a/tests/common.h b/tests/common.h
index db217b4..459d980 100644
--- a/tests/common.h
+++ b/tests/common.h
@@ -17,12 +17,13 @@
enum {
TEST_PKI = 1,
- TEST_CCC = 2,
- TEST_ACA = 3,
- TEST_GENERIC = 4,
- TEST_EMPTY_BUFFER = 5,
- TEST_EMPTY = 6,
- TEST_PASSTHROUGH = 7,
+ TEST_PKI_2,
+ TEST_CCC,
+ TEST_ACA,
+ TEST_GENERIC,
+ TEST_EMPTY_BUFFER,
+ TEST_EMPTY,
+ TEST_PASSTHROUGH,
};
void select_coid_good(VReader *reader, unsigned char *coid);
@@ -40,7 +41,7 @@ void read_buffer(VReader *reader, uint8_t type, int object_type);
void do_sign(VReader *reader, int parts);
-void do_decipher(VReader *reader);
+void do_decipher(VReader *reader, int type);
void test_empty_applets(void);
diff --git a/tests/hwtests.c b/tests/hwtests.c
index 3684642..2474578 100644
--- a/tests/hwtests.c
+++ b/tests/hwtests.c
@@ -256,6 +256,17 @@ static void test_sign(void)
/* test also multipart signatures */
do_sign(reader, 1);
+ /* select the second PKI */
+ select_applet(reader, TEST_PKI_2);
+
+ /* get properties to figure out the key length */
+ get_properties(reader, TEST_PKI_2);
+
+ do_sign(reader, 0);
+
+ /* test also multipart signatures */
+ do_sign(reader, 1);
+
vreader_free(reader); /* get by id ref */
}
@@ -281,7 +292,15 @@ static void test_decipher(void)
/* get properties to figure out the key length */
get_properties(reader, TEST_PKI);
- do_decipher(reader);
+ do_decipher(reader, TEST_PKI);
+
+ /* select the second PKI */
+ select_applet(reader, TEST_PKI_2);
+
+ /* get properties to figure out the key length */
+ get_properties(reader, TEST_PKI_2);
+
+ do_decipher(reader, TEST_PKI_2);
vreader_free(reader); /* get by id ref */
}
@@ -318,7 +337,7 @@ static void test_sign_bad_data_x509(void)
0x00 /* <-- [Le] */
};
int sign_len = sizeof(sign);
- int key_bits = getBits();
+ int key_bits;
g_assert_nonnull(reader);
@@ -329,6 +348,10 @@ static void test_sign_bad_data_x509(void)
return;
}
+ /* get properties to figure out the key length */
+ select_applet(reader, TEST_PKI);
+ get_properties(reader, TEST_PKI);
+
/* run the actual test */
key_bits = getBits();
diff --git a/tests/libcacard.c b/tests/libcacard.c
index 5328ace..37dedbb 100644
--- a/tests/libcacard.c
+++ b/tests/libcacard.c
@@ -515,6 +515,25 @@ static void test_cac_pki(void)
vreader_free(reader); /* get by id ref */
}
+static void test_cac_pki_2(void)
+{
+ VReader *reader = vreader_get_reader_by_id(0);
+
+ /* select the first PKI applet */
+ select_applet(reader, TEST_PKI_2);
+
+ /* get properties */
+ get_properties(reader, TEST_PKI_2);
+
+ /* get the TAG buffer length */
+ read_buffer(reader, CAC_FILE_TAG, TEST_PKI_2);
+
+ /* get the VALUE buffer length */
+ read_buffer(reader, CAC_FILE_VALUE, TEST_PKI_2);
+
+ vreader_free(reader); /* get by id ref */
+}
+
static void test_cac_ccc(void)
{
VReader *reader = vreader_get_reader_by_id(0);
@@ -579,6 +598,14 @@ static void test_sign(void)
/* test also multipart signatures */
do_sign(reader, 1);
+ /* select the second PKI */
+ select_applet(reader, TEST_PKI_2);
+
+ do_sign(reader, 0);
+
+ /* test also multipart signatures */
+ do_sign(reader, 1);
+
vreader_free(reader); /* get by id ref */
}
@@ -594,7 +621,12 @@ static void test_decipher(void)
/* select the PKI */
select_applet(reader, TEST_PKI);
- do_decipher(reader);
+ do_decipher(reader, TEST_PKI);
+
+ /* select the PKI */
+ select_applet(reader, TEST_PKI_2);
+
+ do_decipher(reader, TEST_PKI_2);
vreader_free(reader); /* get by id ref */
}
@@ -925,6 +957,7 @@ static void test_invalid_read_buffer(void)
test_invalid_read_buffer_applet(reader, TEST_CCC);
test_invalid_read_buffer_applet(reader, TEST_PKI);
+ test_invalid_read_buffer_applet(reader, TEST_PKI_2);
test_invalid_read_buffer_applet(reader, TEST_PASSTHROUGH);
test_invalid_read_buffer_applet(reader, TEST_EMPTY);
@@ -1122,6 +1155,7 @@ int main(int argc, char *argv[])
g_test_add_func("/libcacard/xfer", test_xfer);
g_test_add_func("/libcacard/select-coid", test_select_coid);
g_test_add_func("/libcacard/cac-pki", test_cac_pki);
+ g_test_add_func("/libcacard/cac-pki-2", test_cac_pki_2);
g_test_add_func("/libcacard/cac-ccc", test_cac_ccc);
g_test_add_func("/libcacard/cac-aca", test_cac_aca);
g_test_add_func("/libcacard/get-response", test_get_response);
diff --git a/tests/setup-softhsm2.sh b/tests/setup-softhsm2.sh
index c3874e5..f187191 100755
--- a/tests/setup-softhsm2.sh
+++ b/tests/setup-softhsm2.sh
@@ -111,7 +111,7 @@ if [ ! -d "tokens" ]; then
# Generate 1024b RSA Key pair
generate_cert "RSA:1024" "01" "RSA_auth"
- #generate_cert "RSA:1024" "02" "RSA_sign"
+ generate_cert "RSA:2048" "02" "RSA_sign"
fi
# NSS DB
if [ ! -d "$NSSDB" ]; then
--
2.35.3

160
libcacard.spec Normal file
View File

@ -0,0 +1,160 @@
Name: libcacard
Version: 2.8.1
Release: 6%{?dist}
Summary: CAC (Common Access Card) library
License: LGPLv2+
URL: https://gitlab.freedesktop.org/spice/libcacard
Source0: http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz
Source1: http://www.spice-space.org/download/libcacard/%{name}-%{version}.tar.xz.sig
Source2: gpgkey-A3DDE969.gpg
Source3: db2.crypt
# https://gitlab.freedesktop.org/spice/libcacard/-/merge_requests/31
Patch1: libcacard-2.8.1-sort-certificates.patch
Epoch: 3
BuildRequires: gcc
BuildRequires: glib2-devel
BuildRequires: nss-devel
BuildRequires: softhsm
BuildRequires: opensc
BuildRequires: gnutls-utils
BuildRequires: nss-tools
BuildRequires: openssl
BuildRequires: gnupg2
BuildRequires: meson
BuildRequires: gcc-c++
BuildRequires: pcsc-lite-devel
Conflicts: qemu-common < 2:2.5.0
%description
This library provides emulation of smart cards to a virtual card
reader running in a guest virtual machine.
It implements DoD CAC standard with separate pki containers
(compatible coolkey), using certificates read from NSS.
%package devel
Summary: Development files for %{name}
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%description devel
The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.
%prep
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
%patch1 -p1
cp %{SOURCE3} tests/
%build
%meson
%meson_build
%check
# Do not run the tests on s390x, which fails
%ifnarch s390x
%meson_test
%endif
%install
%meson_install
%ldconfig_scriptlets
%files
%license COPYING
%doc NEWS
%{_libdir}/libcacard.so.*
%files devel
%{_includedir}/cacard
%{_libdir}/libcacard.so
%{_libdir}/pkgconfig/libcacard.pc
%changelog
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.8.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu May 18 2023 Jakub Jelen <jjelen@redhat.com> - 2.8.1-5
- Sort certificates by ID
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.8.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.8.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.8.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Aug 16 2021 Jakub Jelen <jjelen@redhat.com> - 2.8.1-1
- New upstream release
* Mon Aug 2 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.8.0-5.20210801gitcf6121deb4
- Fix UNKNOWN pkg-config version, rhbz#1989031
* Sun Aug 1 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.8.0-4.20210801gitcf6121deb4
- Update to git snapshot v2.8.0.22
- Fix FTBFS rhbz#1987641
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.8.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Oct 06 2020 Jakub Jelen <jjelen@redhat.com> - 2.8.0-1
- New upstream release
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.7.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.7.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Aug 29 2019 Jakub Jelen <jjelen@redhat.com> - 2.7.0-3
- Backport an upstream patch to unbreak testing
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Aug 31 2018 Christophe Fergeau <cfergeau@redhat.com> - 2.6.1-1
- Update to new upstream release
* Wed Aug 8 2018 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.6.0-1
- Update to release v2.6.0
- remove vscclient, drop libcacard-tools
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Mar 01 2017 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.5.3-1
- new upstream release 2.5.3
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3:2.5.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Dec 8 2015 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.5.2-1
- Update to latest libcacard's release (2.5.2)
* Wed Nov 25 2015 Fabiano Fidêncio <fidencio@redhat.com> - 3:2.5.1-1
- Update to latest libcacard's release (2.5.1)
* Wed Sep 23 2015 Marc-André Lureau <marcandre.lureau@redhat.com> - 3:2.5.0-1
- Initial standalone libcacard package.

22
make-git-snapshot.sh Executable file
View File

@ -0,0 +1,22 @@
#!/bin/sh
# Usage: ./make-git-snapshot.sh [COMMIT]
#
# to make a snapshot of the given tag/branch. Defaults to HEAD.
# Point env var REF to a local mesa repo to reduce clone time.
DIRNAME=libcacard-$( date +%Y%m%d )
echo REF ${REF:+--reference $REF}
echo DIRNAME $DIRNAME
echo HEAD ${1:-HEAD}
rm -rf $DIRNAME
git clone ${REF:+--reference $REF} \
https://gitlab.freedesktop.org/spice/libcacard.git $DIRNAME
GIT_DIR=$DIRNAME/.git git archive --format=tar --prefix=$DIRNAME/ ${1:-HEAD} \
| xz > $DIRNAME.tar.xz
# rm -rf $DIRNAME

3
sources Normal file
View File

@ -0,0 +1,3 @@
SHA512 (libcacard-2.8.1.tar.xz) = 6deddd3319dbd74165eeaa2e8ab10de4a6eb111e980edd608801f7fe3c4fa896c9fb239110d17763864887f5eb0b77c03c680d83fd58a3913b48deb5a225ec74
SHA512 (libcacard-2.8.1.tar.xz.sig) = ecd854c05bdbb45bd9a8aaec5246bacf526f92220fd6375e315c08b034188d6dd05e095f4077c3840c91966610b1f75177e3b6133d813b49e4ddff216f93cf50
SHA512 (gpgkey-A3DDE969.gpg) = 48f057c0c8369883b85de962b014ba48fe65e9801bbbae718088b84179c202e3da6d2c7bfc7c6711ef0d324586274b5a2e8a2d43fc67935297ac4358533179fc