Resolves: RHEL-77147, opencryptoki doesn't work in image mode

This commit is contained in:
Than Ngo 2025-03-19 17:02:54 +01:00
parent fb51a2954d
commit 7f7cd0d5cb
3 changed files with 114 additions and 3 deletions


@ -0,0 +1,7 @@
diff -Nur opencryptoki-3.24.0.me/opencryptoki.sysusers.conf opencryptoki-3.24.0/opencryptoki.sysusers.conf
--- opencryptoki-3.24.0.me/opencryptoki.sysusers.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki.sysusers.conf 2025-03-12 15:56:16.270318728 +0100
@@ -0,0 +1,3 @@
+u pkcsslotd - "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin
+g pkcs11 - -
+m pkcsslotd pkcs11
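Review bot: The `u pkcsslotd - "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin` line on the first added line gives pkcsslotd an implicitly created primary group of the same name, whereas the `useradd -r -g pkcs11` scriptlet it replaces made pkcs11 the primary group; the following `m pkcsslotd pkcs11` line only adds supplementary membership. If the daemon relies on files it creates (for example under /run/opencryptoki) being group-owned by pkcs11, the scriptlet path and the sysusers path will now diverge in group ownership, which is hard to spot since access checks still pass via the supplementary group. If pkcs11 is meant to stay the primary group, the `uid:gid` form of the ID field, `u pkcsslotd -:pkcs11 "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin`, should express that, provided systemd-sysusers resolves the `g pkcs11` line first; worth confirming against the target systemd version, after which the `m` line is presumably redundant.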


@ -0,0 +1,47 @@
diff -up opencryptoki-3.24.0/misc/tmpfiles.conf.in.me opencryptoki-3.24.0/misc/tmpfiles.conf.in
--- opencryptoki-3.24.0/misc/tmpfiles.conf.in.me 2025-02-04 16:59:16.072468667 +0100
+++ opencryptoki-3.24.0/misc/tmpfiles.conf.in 2025-02-04 17:02:06.151451176 +0100
@@ -1,5 +1,8 @@
# path mode uid gid age
D /run/opencryptoki 710 @pkcsslotd_user@ @pkcs_group@ -
d @localstatedir@/lib/opencryptoki 0770 root @pkcs_group@ -
+d @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ -
+z /etc/opencryptoki/p11sak_defined_attrs.conf 0640 root pkcs11 -
+z /etc/opencryptoki/strength.conf 0640 root pkcs11 -
d @logdir@ 0770 root @pkcs_group@ -
D @lockdir@ 0770 root @pkcs_group@ -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-ccatok.conf opencryptoki-3.24.0/opencryptoki-ccatok.conf
--- opencryptoki-3.24.0.me/opencryptoki-ccatok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-ccatok.conf 2025-03-12 15:40:01.270065049 +0100
@@ -0,0 +1,2 @@
+d /var/lib/opencryptoki/ccatok 770 root pkcs11 -
+d /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf opencryptoki-3.24.0/opencryptoki-ep11tok.conf
--- opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-ep11tok.conf 2025-03-12 15:40:01.270122658 +0100
@@ -0,0 +1,2 @@
+d /var/lib/opencryptoki/ep11tok 770 root pkcs11 -
+d /var/lib/opencryptoki/ep11tok/TOK_OBJ 770 root pkcs11 -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-icatok.conf opencryptoki-3.24.0/opencryptoki-icatok.conf
--- opencryptoki-3.24.0.me/opencryptoki-icatok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-icatok.conf 2025-03-12 15:40:01.270168936 +0100
@@ -0,0 +1,2 @@
+d /var/lib/opencryptoki/lite 770 root pkcs11 -
+d /var/lib/opencryptoki/lite/TOK_OBJ 770 root pkcs11 -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-icsftok.conf opencryptoki-3.24.0/opencryptoki-icsftok.conf
--- opencryptoki-3.24.0.me/opencryptoki-icsftok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-icsftok.conf 2025-03-12 15:40:01.270213441 +0100
@@ -0,0 +1 @@
+d /var/lib/opencryptoki/icsf 770 root pkcs11 -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-swtok.conf opencryptoki-3.24.0/opencryptoki-swtok.conf
--- opencryptoki-3.24.0.me/opencryptoki-swtok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-swtok.conf 2025-03-12 15:40:01.270256492 +0100
@@ -0,0 +1,3 @@
+# path mode uid gid age
+d /var/lib/opencryptoki/swtok 770 root pkcs11 -
+d /var/lib/opencryptoki/swtok/TOK_OBJ 770 root pkcs11 -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf opencryptoki-3.24.0/opencryptoki-tpmtok.conf
--- opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-tpmtok.conf 2025-03-12 15:40:01.270339921 +0100
@@ -0,0 +1 @@
+d /var/lib/opencryptoki/tpm 770 root pkcs11 -
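Review bot: The two `z /etc/opencryptoki/...conf 0640 root pkcs11 -` lines added to tmpfiles.conf.in are re-applied on every systemd-tmpfiles --create run, so a deliberate permission change an administrator makes to those files is reverted at the next boot; if the package already ships them with matching `%attr` entries, the lines are only there for the image-mode first boot and a comment stating that, e.g. `# image mode: re-apply packaged ownership/mode at boot`, would keep a future maintainer from treating them as the primary ownership mechanism. The new `d @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ -` line writes the mode as `770` while its neighbours in the same file use `0770`; both forms parse, but one form per file reads better. The per-token files below necessarily hardcode `/var/lib/opencryptoki` and `pkcs11` since they are not autoconf-substituted, so they will drift if `@localstatedir@` or `@pkcs_group@` ever change; a one-line header comment in each noting that they mirror tmpfiles.conf.in would make that dependency visible.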


@ -1,16 +1,25 @@
%global use_sysusers 1
Name: opencryptoki Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.24.0 Version: 3.24.0
Release: 3%{?dist} Release: 4%{?dist}
License: CPL-1.0 License: CPL-1.0
URL: https://github.com/opencryptoki/opencryptoki URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# fix install problem in buildroot # fix install problem in buildroot
Patch1: opencryptoki-3.24.0-p11sak.patch Patch1: opencryptoki-3.24.0-p11sak.patch
# tmpfiles.d config files for image mode
Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch
# sysuser config file for image mode
Patch3: opencryptoki-3.24.0-sysusers-config.patch
# upstream patches # upstream patches
Patch2: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch Patch100: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
Patch3: opencryptoki-3.24.0-resource-leaks.patch Patch101: opencryptoki-3.24.0-resource-leaks.patch
Requires(pre): coreutils Requires(pre): coreutils
Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted) Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
@ -203,6 +212,28 @@ configured with Enterprise PKCS#11 (EP11) firmware.
%install %install
%make_install CHGRP=/bin/true %make_install CHGRP=/bin/true
%if %{use_sysusers}
# Install sysusers.d config file
install -p -D -m 0644 %{name}.sysusers.conf %{buildroot}%{_sysusersdir}/%{name}.sysusers.conf
# Install tmpfiles.d config files
%ifarch s390 s390x
install -p -D -m 0644 %{name}-icatok.conf %{buildroot}%{_tmpfilesdir}/
install -p -D -m 0644 %{name}-ep11tok.conf %{buildroot}%{_tmpfilesdir}/
%endif
%ifarch s390 s390x x86_64 ppc64le
install -p -D -m 0644 %{name}-ccatok.conf %{buildroot}%{_tmpfilesdir}/
%endif
%if 0%{?tmptok}
install -p -D -m 0644 %{name}-tpmtok.conf %{buildroot}%{_tmpfilesdir}/
%endif
install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/
install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/
%endif
%pre %pre
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion # don't touch opencryptoki.conf even if it is unchanged due to new tokversion
@ -214,8 +245,10 @@ if test $1 -gt 1 && test -f %{cfile} ; then
fi fi
%pre libs %pre libs
%if ! %{use_sysusers}
getent group pkcs11 >/dev/null || groupadd -r pkcs11 getent group pkcs11 >/dev/null || groupadd -r pkcs11
getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
%endif
exit 0 exit 0
%post %post
@ -292,6 +325,9 @@ fi
%{_libdir}/pkcs11/PKCS11_API.so %{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll %{_libdir}/pkcs11/stdll
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
%if %{use_sysusers}
%{_sysusersdir}/%{name}.sysusers.conf
%endif
%files devel %files devel
%{_includedir}/%{name}/ %{_includedir}/%{name}/
@ -302,6 +338,9 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
%if %{use_sysusers}
%{_tmpfilesdir}/%{name}-swtok.conf
%endif
%if 0%{?tmptok} %if 0%{?tmptok}
%files tpmtok %files tpmtok
@ -309,6 +348,9 @@ fi
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.* %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
%if %{use_sysusers}
%{_tmpfilesdir}/%{name}-tpmtok.conf
%endif
%endif %endif
%files icsftok %files icsftok
@ -318,6 +360,9 @@ fi
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.* %{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
%if %{use_sysusers}
%{_tmpfilesdir}/%{name}-icsftok.conf
%endif
%ifarch s390 s390x %ifarch s390 s390x
%files icatok %files icatok
@ -325,6 +370,9 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
%if %{use_sysusers}
%{_tmpfilesdir}/%{name}-icatok.conf
%endif
%endif %endif
%ifarch s390 s390x x86_64 ppc64le %ifarch s390 s390x x86_64 ppc64le
@ -337,6 +385,9 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
%if %{use_sysusers}
%{_tmpfilesdir}/%{name}-ccatok.conf
%endif
%endif %endif
%ifarch s390 s390x %ifarch s390 s390x
@ -352,10 +403,16 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
%if %{use_sysusers}
%{_tmpfilesdir}/%{name}-ep11tok.conf
%endif
%endif %endif
%changelog %changelog
* Wed Mar 19 2025 Than Ngo <than@redhat.com> - 3.24.0-4
- Resolves: RHEL-77147, opencryptoki doesn't work in image mode
* Tue Nov 26 2024 Than Ngo <than@redhat.com> - 3.24.0-3 * Tue Nov 26 2024 Than Ngo <than@redhat.com> - 3.24.0-3
- Disable ccatok on aarch64 - Disable ccatok on aarch64
Related: RHEL-50064 Related: RHEL-50064
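Review bot: The `%if %{use_sysusers}` guard in `%install`, and the matching guards in each `%files` section, gate the tmpfiles.d installs together with the sysusers.d file even though the tmpfiles.d configs do not depend on sysusers at all; a build with `%global use_sysusers 0` would silently drop the directory creation that RHEL-77147 is about while still packaging the `%dir %attr(770,root,pkcs11)` entries. Keeping the two mechanisms independent, for example with a separate `%global use_tmpfiles 1` or by installing the tmpfiles.d files unconditionally, would make the build option do only what its name says. As a point of style, the tmpfiles.d lines use a trailing-slash directory destination, `install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/`, while the sysusers line names the destination file; spelling out `%{buildroot}%{_tmpfilesdir}/%{name}-swtok.conf` for each would be consistent and avoids relying on how `install -D` treats a trailing slash.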