rpms/opencryptoki
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- Use systemd-sysusers

Browse Source 
- Modifie the unit file to change file ownership
- opencryptoki doesn't work in image mode
Resolves: RHEL-77146
This commit is contained in:
Than Ngo 2025-02-04 14:46:16 +01:00
parent 5d7d5b6ecf
commit f542873317
11 changed files with 88 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
opencryptoki-3.24.0-image-mode.patch Normal file
View File

@ -0,0 +1,11 @@
diff -up opencryptoki-3.24.0/misc/pkcsslotd.service.in.me opencryptoki-3.24.0/misc/pkcsslotd.service.in
--- opencryptoki-3.24.0/misc/pkcsslotd.service.in.me 2025-02-02 16:38:29.381579155 +0100
+++ opencryptoki-3.24.0/misc/pkcsslotd.service.in 2025-02-02 17:06:30.048042047 +0100
@@ -9,6 +9,7 @@ Type=forking
PIDFile=/run/opencryptoki/pkcsslotd.pid
ExecStart=@sbindir@/pkcsslotd
+ExecStartPre=+-/bin/sh -c "/bin/chown -f -h root:pkcs11 /etc/opencryptoki/{strength.conf,p11sak_defined_attrs.conf}"
# Uncomment the following line to allow pkcsslotd to increase the receive buffer
# size of the UDEV monitor's netlink socket via udev_monitor_set_receive_buffer_size():
# AmbientCapabilities=CAP_NET_ADMIN

10
opencryptoki-3.24.0-tmpfiles-image-mode.patch Normal file
View File

@ -0,0 +1,10 @@
diff -up opencryptoki-3.24.0/misc/tmpfiles.conf.in.me opencryptoki-3.24.0/misc/tmpfiles.conf.in
--- opencryptoki-3.24.0/misc/tmpfiles.conf.in.me 2025-02-03 13:46:33.012573050 +0100
+++ opencryptoki-3.24.0/misc/tmpfiles.conf.in 2025-02-03 13:55:59.344093340 +0100
@@ -1,5 +1,6 @@
# path mode uid gid age
D /run/opencryptoki 710 @pkcsslotd_user@ @pkcs_group@ -
d @localstatedir@/lib/opencryptoki 0770 root @pkcs_group@ -
+D @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ -
d @logdir@ 0770 root @pkcs_group@ -
D @lockdir@ 0770 root @pkcs_group@ -

2
opencryptoki-ccatok.conf Normal file
View File

@ -0,0 +1,2 @@
D /var/lib/opencryptoki/ccatok 770 root pkcs11 -
D /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 -

2
opencryptoki-ep11tok.conf Normal file
View File

@ -0,0 +1,2 @@
D /var/lib/opencryptoki/ep11tok 770 root pkcs11 -
D /var/lib/opencryptoki/ep11tok/TOK_OBJ 770 root pkcs11 -

2
opencryptoki-icatok.conf Normal file
View File

@ -0,0 +1,2 @@
D /var/lib/opencryptoki/lite 770 root pkcs11 -
D /var/lib/opencryptoki/lite/TOK_OBJ 770 root pkcs11 -

1
opencryptoki-icsftok.conf Normal file
View File

@ -0,0 +1 @@
D /var/lib/opencryptoki/icsf 770 root pkcs11 -

3
opencryptoki-swtok.conf Normal file
View File

@ -0,0 +1,3 @@
# path mode uid gid age
D /var/lib/opencryptoki/swtok 770 root pkcs11 -
D /var/lib/opencryptoki/swtok/TOK_OBJ 770 root pkcs11 -

2
opencryptoki-tmpfiles.conf Normal file
View File

@ -0,0 +1,2 @@
d /run/opencryptoki 0710 pkcsslotd pkcs11 -

1
opencryptoki-tpmtok.conf Normal file
View File

@ -0,0 +1 @@
D /var/lib/opencryptoki/tpm 770 root pkcs11 -

56
opencryptoki.spec
View File

@ -1,17 +1,30 @@
Name: opencryptoki Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.24.0 Version: 3.24.0
Release: 4%{?dist} Release: 5%{?dist}
License: CPL-1.0 License: CPL-1.0
URL: https://github.com/opencryptoki/opencryptoki URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
Source1: opencryptoki.module Source1: opencryptoki.module
Source2: opencryptoki.sysusers
# split tmpfiles for image mode
Source3: opencryptoki-ccatok.conf
Source4: opencryptoki-icatok.conf
Source5: opencryptoki-swtok.conf
Source6: opencryptoki-tpmtok.conf
Source7: opencryptoki-ep11tok.conf
Source8: opencryptoki-icsftok.conf
# fix install problem in buildroot # fix install problem in buildroot
Patch1: opencryptoki-3.24.0-p11sak.patch Patch1: opencryptoki-3.24.0-p11sak.patch
# change file ownership for image mode
Patch2: opencryptoki-3.24.0-image-mode.patch
Patch3: opencryptoki-3.24.0-tmpfiles-image-mode.patch
# upstream patches # upstream patches
Patch2: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch Patch100: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
Patch3: opencryptoki-3.24.0-resource-leaks.patch Patch101: opencryptoki-3.24.0-resource-leaks.patch
Requires(pre): coreutils Requires(pre): coreutils
Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted) Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
@ -27,6 +40,8 @@ BuildRequires: libcap-devel
BuildRequires: expect BuildRequires: expect
BuildRequires: make BuildRequires: make
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
%{?sysusers_requires_compat}
%ifarch s390 s390x %ifarch s390 s390x
BuildRequires: libica-devel >= 3.3 BuildRequires: libica-devel >= 3.3
# for /usr/include/libudev.h # for /usr/include/libudev.h
@ -205,6 +220,24 @@ configured with Enterprise PKCS#11 (EP11) firmware.
%make_install CHGRP=/bin/true %make_install CHGRP=/bin/true
# Install sysusers.d configuration
install -p -D -m 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
# Install tmpfiles.d config
%ifarch s390 s390x
install -p -D -m 0644 %{SOURCE4} %{SOURCE7} %{buildroot}%{_tmpfilesdir}/
%endif
%ifarch s390 s390x x86_64 ppc64le
install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/
%endif
%if 0%{?tmptok}
install -p -D -m 0644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/
%endif
install -p -D -m 0644 %{SOURCE5} %{SOURCE8} %{buildroot}%{_tmpfilesdir}/
%pre %pre
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion # don't touch opencryptoki.conf even if it is unchanged due to new tokversion
# backup config file. bz#2044179 # backup config file. bz#2044179
@ -215,8 +248,7 @@ if test $1 -gt 1 && test -f %{cfile} ; then
fi fi
%pre libs %pre libs
getent group pkcs11 >/dev/null || groupadd -r pkcs11 %sysusers_create_compat %{SOURCE2}
getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
exit 0 exit 0
%post %post
@ -233,6 +265,7 @@ if test $1 -eq 1; then
%tmpfiles_create %{name}.conf %tmpfiles_create %{name}.conf
fi fi
%preun %preun
%systemd_preun pkcsslotd.service %systemd_preun pkcsslotd.service
@ -293,6 +326,7 @@ fi
%{_libdir}/pkcs11/PKCS11_API.so %{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll %{_libdir}/pkcs11/stdll
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
%{_sysusersdir}/%{name}.conf
%files devel %files devel
%{_includedir}/%{name}/ %{_includedir}/%{name}/
@ -303,6 +337,7 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
%{_tmpfilesdir}/%{name}-swtok.conf
%if 0%{?tmptok} %if 0%{?tmptok}
%files tpmtok %files tpmtok
@ -310,6 +345,7 @@ fi
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.* %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
%{_tmpfilesdir}/%{name}-tpmtok.conf
%endif %endif
%files icsftok %files icsftok
@ -319,6 +355,7 @@ fi
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.* %{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
%{_tmpfilesdir}/%{name}-icsftok.conf
%ifarch s390 s390x %ifarch s390 s390x
%files icatok %files icatok
@ -326,6 +363,7 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
%{_tmpfilesdir}/%{name}-icatok.conf
%endif %endif
%ifarch s390 s390x x86_64 ppc64le %ifarch s390 s390x x86_64 ppc64le
@ -338,6 +376,7 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
%{_tmpfilesdir}/%{name}-ccatok.conf
%endif %endif
%ifarch s390 s390x %ifarch s390 s390x
@ -353,10 +392,17 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
%{_tmpfilesdir}/%{name}-ep11tok.conf
%endif %endif
%changelog %changelog
* Sun Feb 02 2025 Than Ngo <than@redhat.com> - 3.24.0-5
- Use systemd-sysusers
- Modifie the unit file to change file ownership
- opencryptoki doesn't work in image mode
Resolves: RHEL-77146
* Tue Nov 26 2024 Than Ngo <than@redhat.com> - 3.24.0-4 * Tue Nov 26 2024 Than Ngo <than@redhat.com> - 3.24.0-4
- Disable ccatok on aarch64 and i686 - Disable ccatok on aarch64 and i686
Related: RHEL-58996 Related: RHEL-58996

3
opencryptoki.sysusers Normal file
View File

@ -0,0 +1,3 @@
u pkcsslotd - "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin
g pkcs11 - -
m pkcsslotd pkcs11