Resolves: #2222592, p11sak tool: slot option does not accept argument 0 for slot index 0
Resolves: #2222596, p11sak fails as soon as there reside non-key objects
parent
62e92e9764
commit
e1ae1255d0
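--- /dev/null
+++ b/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
@@ -0,0 +1,34 @@
+commit 2ba0f41ef5e14d4b509c8854e27cf98e3ee89445
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon Jul 10 13:22:48 2023 +0200
+
+p11sak: Fix parsing of slot number 0
+
+Running command 'p11sak list-key aes --slot 0' may result in
+'p11sak: Invalid argument '0' for option '-s/--slot''
+
+This is because of the error checking after strtoul() within function
+process_number_argument(). In case errno is not zero, it treats a
+parsed value of zero as an error.
+
+Under certain circumstances, errno is non-zero already before calling
+strtoul(), and stays non-zero in case of strtoul() succeeds. This leads to
+an incorrect error checking, and it is treated as error.
+
+Initialize errno to zero before calling strtoul() to avoid such false error
+detection.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index 6e11cb41..38665bbd 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -1712,6 +1712,7 @@ static CK_RV process_number_argument(const struct p11sak_arg *arg, char *val)
+{
+char *endptr;
+
++ errno = 0;
+*arg->value.number = strtoul(val, &endptr, 0);
+
+if ((errno == ERANGE && *arg->value.number == ULONG_MAX) ||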
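Review bot: In the `process_number_argument()` hunk, `strtoul(val, &endptr, 0)` still accepts a leading minus sign and returns the negated value without setting errno, so an argument such as `-1` is stored in `*arg->value.number` as a very large number, and the visible part of the check only covers `ERANGE`. The rest of the condition lies outside the hunk, so this may already be handled. If it is not, the same condition should also treat a leading `-`, `endptr == val` and `*endptr != '\0'` as an invalid argument.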
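--- /dev/null
+++ b/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
@@ -0,0 +1,96 @@
+commit 92999f344a3ad99a67a1bcfd9ad28f28c33e51bc
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon Jul 10 10:19:13 2023 +0200
+
+p11sak: Fix listing of key objects when other object types are present
+
+A command like 'p11sak list-key all --slot N ...' fails with
+
+p11sak: Attribute CKA_KEY_TYPE is not available in key object
+p11sak: Failed to iterate over key objects for key type All: 0xD0: CKR_TEMPLATE_INCOMPLETE
+p11sak: Failed to perform the 'list-key' command: CKR_TEMPLATE_INCOMPLETE
+
+when the object repository contains other, non-key objects, e.g. certificates.
+
+When 'all' is used as key type, then no filter for CKA_KEY_TYPE is used
+with C_FindObjects(), and thus other non-key objects also match the filter.
+When a specific key type is specified, then only such objects match that
+have the desired CKA_KEY_TYPE attribute value.
+
+Fix this by checking the object class in get_key_infos() and skip the object,
+if it is not a key object.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index a6213720..6e11cb41 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -3403,6 +3403,16 @@ static CK_RV get_key_infos(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS *class,
+}
+}
+
++ switch (class_val) {
++ case CKO_PUBLIC_KEY:
++ case CKO_PRIVATE_KEY:
++ case CKO_SECRET_KEY:
++ break;
++ default:
++ free(attrs[0].pValue);
++ return CKR_KEY_NEEDED;
++ }
++
+for (i = 0; i < num_attrs; i++) {
+if (attrs[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
+warnx("Attribute %s is not available in key object",
+@@ -3614,6 +3624,10 @@ static CK_RV iterate_key_objects(const struct p11sak_keytype *keytype,
+if (manual_filtering) {
+rc = get_key_infos(keys[i], NULL, NULL, NULL, &label,
+NULL, NULL);
++ if (rc == CKR_KEY_NEEDED) {
++ rc = CKR_OK;
++ goto next;
++ }
+if (rc != CKR_OK)
+break;
+
+@@ -3672,6 +3686,10 @@ done_find:
+for (i = 0; i < num_matched_keys; i++) {
+rc = get_key_infos(matched_keys[i], &class, &ktype, &keysize,
+&label, &typestr, &type);
++ if (rc == CKR_KEY_NEEDED) {
++ rc = CKR_OK;
++ goto next2;
++ }
+if (rc != CKR_OK)
+break;
+
+@@ -3680,6 +3698,7 @@ done_find:
+if (rc != CKR_OK)
+break;
+
++next2:
+if (label != NULL)
+free(label);
+label = NULL;
+@@ -4480,10 +4499,20 @@ static CK_RV p11sak_list_key_compare(CK_OBJECT_HANDLE key1,
+*result = 0;
+
+rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
++ if (rc == CKR_KEY_NEEDED) {
++ rc = CKR_OK;
++ *result = 1; /* non-key objects are always greater than key objects */
++ goto done;
++ }
+if (rc != CKR_OK)
+goto done;
+
+rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
++ if (rc == CKR_KEY_NEEDED) {
++ rc = CKR_OK;
++ *result = -1; /* key objects are always smaller than non-key objects */
++ goto done;
++ }
+if (rc != CKR_OK)
+goto done;
+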
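Review bot: In the `p11sak_list_key_compare()` hunk the ordering is inconsistent when both handles are non-key objects: the `key1` check sets `*result = 1` and leaves before `key2` is classified, so compare(a, b) and compare(b, a) both report "greater". If this comparator feeds a sort routine (its caller is not on this page), a non-antisymmetric comparison is outside what `qsort()` permits, so `key2` should be classified first and two non-key objects should compare equal, as sketched below. The sketch assumes the `done:` label releases `label2`, which is not visible here. Separately, `CKR_KEY_NEEDED` is a regular PKCS#11 return code reused as an in-band "not a key" marker, which deserves a comment on `get_key_infos()` such as `/* Returns CKR_KEY_NEEDED if the object is not a public, private or secret key */`.

```c
rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
if (rc == CKR_KEY_NEEDED) {
    /* key1 is not a key: equal to another non-key, greater than any key */
    rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
    if (rc == CKR_KEY_NEEDED) {
        rc = CKR_OK;
        *result = 0;
    } else if (rc == CKR_OK) {
        *result = 1;
    }
    goto done;
}
/* … unchanged: key2 lookup, its CKR_KEY_NEEDED branch and the comparison … */
```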
@ -1,7 +1,7 @@
|
|||||||
Name: opencryptoki
|
Name: opencryptoki
|
||||||
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
|
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
|
||||||
Version: 3.21.0
|
Version: 3.21.0
|
||||||
Release: 5%{?dist}
|
Release: 8%{?dist}
|
||||||
License: CPL
|
License: CPL
|
||||||
URL: https://github.com/opencryptoki/opencryptoki
|
URL: https://github.com/opencryptoki/opencryptoki
|
||||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
@ -9,11 +9,16 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{
|
|||||||
Patch1: opencryptoki-3.11.0-lockdir.patch
|
Patch1: opencryptoki-3.11.0-lockdir.patch
|
||||||
# add missing p11sak_defined_attrs.conf, strength.conf
|
# add missing p11sak_defined_attrs.conf, strength.conf
|
||||||
Patch2: opencryptoki-3.21.0-p11sak.patch
|
Patch2: opencryptoki-3.21.0-p11sak.patch
|
||||||
|
|
||||||
# upstream patches
|
# upstream patches
|
||||||
# pkcsstats: Fix handling of user name
|
# pkcsstats: Fix handling of user name
|
||||||
Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
|
Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
|
||||||
# p11sak: Fix user confirmation prompt behavior when stdin is closed
|
# p11sak: Fix user confirmation prompt behavior when stdin is closed
|
||||||
Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
|
Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
|
||||||
|
# p11sak fails as soon as there reside non-key objects
|
||||||
|
Patch102: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
|
||||||
|
# opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0
|
||||||
|
Patch103: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
|
||||||
|
|
||||||
Requires(pre): coreutils diffutils
|
Requires(pre): coreutils diffutils
|
||||||
Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
|
Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
|
||||||
@ -348,6 +353,10 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 14 2023 Than Ngo <than@redhat.com> - 3.21.0-8
|
||||||
|
- Resolves: #2222592, p11sak tool: slot option does not accept argument 0 for slot index 0
|
||||||
|
- Resolves: #2222596, p11sak fails as soon as there reside non-key objects
|
||||||
|
|
||||||
* Tue Jun 13 2023 Than Ngo <than@redhat.com> - 3.21.0-5
|
* Tue Jun 13 2023 Than Ngo <than@redhat.com> - 3.21.0-5
|
||||||
- add requirement on selinux-policy >= 38.1.14-1 for pkcsslotd policy sandboxing
|
- add requirement on selinux-policy >= 38.1.14-1 for pkcsslotd policy sandboxing
|
||||||
Related: #2160061
|
Related: #2160061
|
||||||
|