Rebase to 0.23.0

Resolves: RHEL-280
This commit is contained in:
Jakub Jelen 2023-03-08 11:42:20 +01:00
parent ba90259736
commit 399c3d3b19
9 changed files with 225 additions and 139 deletions

1
.gitignore vendored
View File

@ -9,3 +9,4 @@
/opensc-0.20.0.tar.gz
/opensc-0.21.0.tar.gz
/opensc-0.22.0.tar.gz
/opensc-0.23.0.tar.gz

View File

@ -3,7 +3,7 @@ diff -up opensc-0.19.0/etc/opensc.conf.pinpad opensc-0.19.0/etc/opensc.conf
+++ opensc-0.19.0/etc/opensc.conf 2018-10-22 14:33:59.939410701 +0200
@@ -4,4 +4,9 @@ app default {
framework pkcs15 {
# use_file_caching = true;
# use_file_caching = public;
}
+ reader_driver pcsc {
+ # The pinpad is disabled by default,

View File

@ -1,62 +0,0 @@
From fe198e8b3837aa4c960e75d0e2a41020ad4dc9f9 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 24 Sep 2021 13:33:26 +0200
Subject: [PATCH 1/9] pkcs11: Unbreak detection of unenrolled cards
This was broken since 58b03b68, which tried to sanitize some states,
but caused C_GetTokenInfo returning CKR_TOKEN_NOT_RECOGNIZED instead
of empty token information.
Note, that this has effect only if the configuration options
enable_default_driver and pkcs11_enable_InitToken are turned on.
Otherwise it still returns CKR_TOKEN_NOT_RECOGNIZED.
---
src/pkcs11/framework-pkcs15.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 74fe7b3c49..4205e41739 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -544,9 +544,7 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
{
struct sc_pkcs11_slot *slot;
struct pkcs15_fw_data *fw_data = NULL;
- struct sc_pkcs15_card *p15card = NULL;
struct sc_pkcs15_object *auth;
- struct sc_pkcs15_auth_info *pin_info;
CK_RV rv;
sc_log(context, "C_GetTokenInfo(%lx)", slotID);
@@ -578,12 +576,6 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
rv = sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo");
goto out;
}
- p15card = fw_data->p15_card;
- if (!p15card) {
- rv = sc_to_cryptoki_error(SC_ERROR_INVALID_CARD, "C_GetTokenInfo");
- goto out;
- }
-
/* User PIN flags are cleared before re-calculation */
slot->token_info.flags &= ~(CKF_USER_PIN_COUNT_LOW|CKF_USER_PIN_FINAL_TRY|CKF_USER_PIN_LOCKED);
auth = slot_data_auth(slot->fw_data);
@@ -591,8 +583,17 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
"C_GetTokenInfo() auth. object %p, token-info flags 0x%lX", auth,
slot->token_info.flags);
if (auth) {
+ struct sc_pkcs15_card *p15card = NULL;
+ struct sc_pkcs15_auth_info *pin_info = NULL;
+
pin_info = (struct sc_pkcs15_auth_info*) auth->data;
+ p15card = fw_data->p15_card;
+ if (!p15card) {
+ rv = sc_to_cryptoki_error(SC_ERROR_INVALID_CARD, "C_GetTokenInfo");
+ goto out;
+ }
+
sc_pkcs15_get_pin_info(p15card, auth);
if (pin_info->tries_left >= 0) {

View File

@ -5,8 +5,8 @@ diff -up opensc-0.22.0/etc/opensc.conf.file-cache opensc-0.22.0/etc/opensc.conf
# debug = 3;
# debug_file = opensc-debug.txt;
framework pkcs15 {
- # use_file_caching = true;
+ use_file_caching = true;
- # use_file_caching = public;
+ use_file_caching = public;
}
reader_driver pcsc {
# The pinpad is disabled by default,
@ -18,6 +18,6 @@ diff -up opensc-0.22.0/etc/opensc.conf.file-cache opensc-0.22.0/etc/opensc.conf
+# brings more trouble than use so disable that:
+app pkcs15-init {
+ framework pkcs15 {
+ use_file_caching = false;
+ use_file_caching = no;
+ }
+}

View File

@ -0,0 +1,212 @@
From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 1 Dec 2022 20:08:53 +0100
Subject: [PATCH 1/4] pkcs11-tool: Fix private key import
---
src/tools/pkcs11-tool.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index aae205fe2c..cfee8526d5 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
RSA_get0_factors(r, &r_p, &r_q);
RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
#else
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
+ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
util_fatal("OpenSSL error during RSA private key parsing");
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
}
#endif
RSA_GET_BN(rsa, private_exponent, r_d);
From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 1 Dec 2022 20:11:41 +0100
Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors
---
src/tools/pkcs11-tool.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index cfee8526d5..f2e6b1dd91 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
r = EVP_PKEY_get1_RSA(pkey);
if (!r) {
- if (private)
- util_fatal("OpenSSL error during RSA private key parsing");
- else
- util_fatal("OpenSSL error during RSA public key parsing");
+ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
+ ERR_error_string(ERR_peek_last_error(), NULL));
}
RSA_get0_key(r, &r_n, &r_e, NULL);
@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;
if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {
- if (private)
- util_fatal("OpenSSL error during RSA private key parsing");
- else
- util_fatal("OpenSSL error during RSA public key parsing");
+ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
+ ERR_error_string(ERR_peek_last_error(), NULL));
}
#endif
RSA_GET_BN(rsa, modulus, r_n);
@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
- util_fatal("OpenSSL error during RSA private key parsing");
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
+ util_fatal("OpenSSL error during RSA private key parsing: %s",
+ ERR_error_string(ERR_peek_last_error(), NULL));
}
#endif
RSA_GET_BN(rsa, private_exponent, r_d);
From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 1 Dec 2022 20:38:31 +0100
Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import
---
tests/Makefile.am | 10 ++++---
tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++
2 files changed, 54 insertions(+), 4 deletions(-)
create mode 100755 tests/test-pkcs11-tool-import.sh
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d378e2ee00..9d8a24c321 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \
test-pkcs11-tool-test-threads.sh \
test-pkcs11-tool-sign-verify.sh \
test-pkcs11-tool-allowed-mechanisms.sh \
- test-pkcs11-tool-sym-crypt-test.sh\
- test-pkcs11-tool-unwrap-wrap-test.sh
+ test-pkcs11-tool-sym-crypt-test.sh \
+ test-pkcs11-tool-unwrap-wrap-test.sh \
+ test-pkcs11-tool-import.sh
.NOTPARALLEL:
TESTS = \
@@ -25,8 +26,9 @@ TESTS = \
test-pkcs11-tool-test.sh \
test-pkcs11-tool-test-threads.sh \
test-pkcs11-tool-allowed-mechanisms.sh \
- test-pkcs11-tool-sym-crypt-test.sh\
- test-pkcs11-tool-unwrap-wrap-test.sh
+ test-pkcs11-tool-sym-crypt-test.sh \
+ test-pkcs11-tool-unwrap-wrap-test.sh \
+ test-pkcs11-tool-import.sh
XFAIL_TESTS = \
test-pkcs11-tool-test-threads.sh \
test-pkcs11-tool-test.sh
diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
new file mode 100755
index 0000000000..76ff8e51be
--- /dev/null
+++ b/tests/test-pkcs11-tool-import.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+SOURCE_PATH=${SOURCE_PATH:-..}
+
+source $SOURCE_PATH/tests/common.sh
+
+echo "======================================================="
+echo "Setup SoftHSM"
+echo "======================================================="
+if [[ ! -f $P11LIB ]]; then
+ echo "WARNING: The SoftHSM is not installed. Can not run this test"
+ exit 77;
+fi
+card_setup
+
+ID="0100"
+OPTS=""
+for KEYTYPE in "RSA" "EC"; do
+ echo "======================================================="
+ echo "Generate and import $KEYTYPE keys"
+ echo "======================================================="
+ if [ "$KEYTYPE" == "RSA" ]; then
+ ID="0100"
+ elif [ "$KEYTYPE" == "EC" ]; then
+ ID="0200"
+ OPTS="-pkeyopt ec_paramgen_curve:P-521"
+ fi
+ openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS
+ assert $? "Failed to generate private $KEYTYPE key"
+ $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \
+ --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"
+ assert $? "Failed to write private $KEYTYPE key"
+
+ openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER
+ assert $? "Failed to convert private $KEYTYPE key to public"
+ $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \
+ -p $PIN --module $P11LIB
+ assert $? "Failed to write public $KEYTYPE key"
+ # certificate import already tested in all other tests
+
+ rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"
+done
+
+echo "======================================================="
+echo "Cleanup"
+echo "======================================================="
+card_cleanup
+
+exit $ERRORS
From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jakuje@gmail.com>
Date: Fri, 2 Dec 2022 18:07:43 +0100
Subject: [PATCH 4/4] Simplify the new test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>
---
tests/test-pkcs11-tool-import.sh | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
index 76ff8e51be..c90b3b4926 100755
--- a/tests/test-pkcs11-tool-import.sh
+++ b/tests/test-pkcs11-tool-import.sh
@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then
fi
card_setup
-ID="0100"
-OPTS=""
for KEYTYPE in "RSA" "EC"; do
echo "======================================================="
echo "Generate and import $KEYTYPE keys"
echo "======================================================="
- if [ "$KEYTYPE" == "RSA" ]; then
- ID="0100"
- elif [ "$KEYTYPE" == "EC" ]; then
+ ID="0100"
+ OPTS=""
+ if [ "$KEYTYPE" == "EC" ]; then
ID="0200"
OPTS="-pkeyopt ec_paramgen_curve:P-521"
fi

View File

@ -1,33 +0,0 @@
commit 6bc05d7037041e543d627248ca9df90723426ce1
Author: Jakub Jelen <jjelen@redhat.com>
Date: Tue Aug 10 16:30:40 2021 +0200
p11test: Fix invalid format string on 32b architectures
diff --git a/src/tests/p11test/p11test.c b/src/tests/p11test/p11test.c
index dbac167d..49de6a93 100644
--- a/src/tests/p11test/p11test.c
+++ b/src/tests/p11test/p11test.c
@@ -139,7 +139,7 @@ int main(int argc, char** argv) {
return -1;
}
- debug_print("Card info:\n\tPIN %s\n\tPIN LENGTH %lu\n\t",
+ debug_print("Card info:\n\tPIN %s\n\tPIN LENGTH %zu\n\t",
token.pin, token.pin_length);
return cmocka_run_group_tests(readonly_tests_without_initialization,
diff --git a/src/tests/p11test/p11test_case_pss_oaep.c b/src/tests/p11test/p11test_case_pss_oaep.c
index 1d876a5b..5a6ae9d0 100644
--- a/src/tests/p11test/p11test_case_pss_oaep.c
+++ b/src/tests/p11test/p11test_case_pss_oaep.c
@@ -402,7 +402,7 @@ int oaep_encrypt_decrypt_test(test_cert_t *o, token_info_t *info, test_mech_t *m
if (message_length < 0) {
mech->usage_flags &= ~CKF_DECRYPT;
debug_print(" [SKIP %s ] Too small modulus (%ld bits)"
- " or too large hash %s (%lu B) for OAEP", o->id_str,
+ " or too large hash %s (%zu B) for OAEP", o->id_str,
o->bits, get_mechanism_name(mech->hash),
get_hash_length(mech->hash));
return 0;

View File

@ -1,16 +0,0 @@
diff --git a/src/tools/opensc-explorer.c b/src/tools/opensc-explorer.c
index d251495c..e48f3189 100644
--- a/src/tools/opensc-explorer.c
+++ b/src/tools/opensc-explorer.c
@@ -2030,9 +2030,9 @@ static int do_put_data(int argc, char **argv)
static int do_apdu(int argc, char **argv)
{
sc_apdu_t apdu;
- u8 buf[SC_MAX_EXT_APDU_BUFFER_SIZE];
+ u8 buf[SC_MAX_EXT_APDU_BUFFER_SIZE] = {0};
u8 rbuf[SC_MAX_EXT_APDU_BUFFER_SIZE];
- size_t len, i;
+ size_t len = 0, i;
int r;
if (argc < 1)

View File

@ -2,8 +2,8 @@
%define nssdb %{_sysconfdir}/pki/nssdb
Name: opensc
Version: 0.22.0
Release: 2%{?dist}
Version: 0.23.0
Release: 1%{?dist}
Summary: Smart card library and applications
License: LGPLv2+
@ -11,16 +11,10 @@ URL: https://github.com/OpenSC/OpenSC/wiki
Source0: https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
Source1: opensc.module
Patch1: opensc-0.19.0-pinpad.patch
# https://github.com/OpenSC/OpenSC/pull/2241/
Patch5: %{name}-gcc11.patch
# https://github.com/OpenSC/OpenSC/pull/2343
Patch7: %{name}-32b-arch.patch
# File caching by default (#2000626)
Patch8: %{name}-%{version}-file-cache.patch
# https://github.com/OpenSC/OpenSC/pull/2414 (#2007029)
Patch9: %{name}-%{version}-detect-empty.patch
Patch8: %{name}-0.22.0-file-cache.patch
BuildRequires: make
BuildRequires: make
BuildRequires: pcsc-lite-devel
BuildRequires: readline-devel
BuildRequires: openssl-devel
@ -31,6 +25,7 @@ BuildRequires: bash-completion
BuildRequires: zlib-devel
# For tests
BuildRequires: libcmocka-devel
BuildRequires: vim-common
%if ! 0%{?rhel}
BuildRequires: softhsm
%endif
@ -56,10 +51,7 @@ every software/card that does so, too.
%prep
%setup -q
%patch1 -p1 -b .pinpad
%patch5 -p1 -b .gcc11
%patch7 -p1 -b .32b
%patch8 -p1 -b .file-cache
%patch9 -p1 -b .detect-empty
cp -p src/pkcs15init/README ./README.pkcs15init
cp -p src/scconf/README.scconf .
@ -75,21 +67,19 @@ sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in
sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
%set_build_flags
CFLAGS="$CFLAGS -Wstrict-aliasing=2 -Wno-deprecated-declarations"
%configure --disable-static \
%configure --disable-static \
--disable-autostart-items \
--disable-notify \
--disable-assert \
--enable-pcsc \
--enable-cmocka \
--enable-sm \
--with-pcsc-provider=libpcsclite.so.1
--enable-sm
%make_build
%check
make check
%install
%make_install
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module
@ -119,9 +109,6 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so
# remove the .pc file so we do not confuse users #1673139
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/*.pc
rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so
%if 0%{?rhel} && 0%{?rhel} < 7
rm -rf %{buildroot}%{_datadir}/bash-completion/
%endif
# the npa-tool builds to nothing since we do not have OpenPACE library
rm -rf %{buildroot}%{_bindir}/npa-tool
@ -132,7 +119,6 @@ rm -rf %{buildroot}%{_bindir}/pkcs11-register
rm -rf %{buildroot}%{_mandir}/man1/pkcs11-register.1*
# Remove the notification files
rm %{buildroot}%{_bindir}/opensc-notify
rm %{buildroot}%{_datadir}/applications/org.opensc.notify.desktop
rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
@ -140,9 +126,7 @@ rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
%files
%doc COPYING NEWS README*
%if ! 0%{?rhel} || 0%{?rhel} >= 7
%{_datadir}/bash-completion/*
%endif
%ifarch %{ix86}
%{_mandir}/man5/opensc-%{_arch}.conf.5*

View File

@ -1 +1 @@
SHA512 (opensc-0.22.0.tar.gz) = 70ad5f1219f2ec2a5529a30d8e9955510c77c87d0bc857d5951c7227c75cf9de1c6071f43dd3816a2034123ebd902709793ff776e84d5379fdd54c811ccfaaee
SHA512 (opensc-0.23.0.tar.gz) = cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b