Backport upstream patches for better CloudHSM support (#1562572)

opensc-0.17.0-cloudhsm.patch

@@ -0,0 +1,78 @@
+From 74885fb1c174468cc0a505cd7404e228d465efd8 Mon Sep 17 00:00:00 2001
+From: AnthonyA <ascanio.alba7@gmail.com>
+Date: Tue, 27 Mar 2018 00:48:05 +0000
+Subject: [PATCH] pkcs11-tool: allow mechanism to be specified in hexadecimal
+
+To support vendor mechanisms, let -m accept hexadecimal strings,
+e.g., -m 0x80001234
+---
+ doc/tools/pkcs11-tool.1.xml | 3 ++-
+ src/tools/pkcs11-tool.c     | 5 ++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml
+index f8d638b45..e78570b10 100644
+--- a/doc/tools/pkcs11-tool.1.xml
++++ b/doc/tools/pkcs11-tool.1.xml
+@@ -231,7 +231,8 @@
+ 					</term>
+ 					<listitem><para>Use the specified <replaceable>mechanism</replaceable>
+ 					for token operations. See <option>-M</option> for a list
+-					of mechanisms supported by your token.</para></listitem>
++					of mechanisms supported by your token. The mechanism can also be specified in
++					hexadecimal, e.g., <replaceable>0x80001234</replaceable>.</para></listitem>
+ 				</varlistentry>
+ 
+ 				<varlistentry>
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 63e5c5f7f..484c019d8 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -234,7 +234,7 @@ static const char *option_help[] = {
+ 	"Hash some data",
+ 	"Derive a secret key using another key and some data",
+ 	"Derive ECDHpass DER encoded pubkey for compatibility with some PKCS#11 implementations",
+-	"Specify mechanism (use -M for a list of supported mechanisms)",
++	"Specify mechanism (use -M for a list of supported mechanisms), or by hexadecimal, e.g., 0x80001234",
+ 
+ 	"Log into the token first",
+ 	"Specify login type ('so', 'user', 'context-specific'; default:'user')",
+@@ -6076,6 +6076,9 @@ static CK_MECHANISM_TYPE p11_name_to_mechanism(const char *name)
+ {
+ 	struct mech_info *mi;
+ 
++	if (strncasecmp("0x", name, 2) == 0) {
++		return strtoul(name, NULL, 0);
++	}
+ 	for (mi = p11_mechanisms; mi->name; mi++) {
+ 		if (!strcasecmp(mi->name, name)
+ 		 || (mi->short_name && !strcasecmp(mi->short_name, name)))
+
+
+From ea4baf50d57a7a41164fedcd1b10fdb0438305c5 Mon Sep 17 00:00:00 2001
+From: AnthonyA <ascanio.alba7@gmail.com>
+Date: Mon, 19 Mar 2018 15:58:21 +0800
+Subject: [PATCH] pkcs11-tool: make ECPoint behaviour standards compliant by
+ default
+
+Fixes #1286. The behaviour of pkcs11-tool will follow the standard -
+send DER. If EC_POINT_NO_ASN1_OCTET_STRING is defined then it will
+write plain bytes.
+---
+ src/tools/pkcs11-tool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 876bba2dc..63e5c5f7f 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -2632,7 +2632,7 @@ parse_ec_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost)
+ 		header_len = point-gost->public.value;
+ 		memcpy(point, buf, point_len);
+ 		gost->public.len = header_len+point_len;
+-#ifndef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
++#ifdef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
+ 		gost->public.len   -= header_len;
+ 		gost->public.value += header_len;
+ #endif
+

opensc.spec

@@ -26,6 +26,8 @@ Patch5:		opensc-0.17.0-simpletlv.patch
 # Make Feitian tokens working again (#1558099)
 # https://github.com/OpenSC/OpenSC/pull/1145
 Patch6:		opensc-0.17.0-feitian.patch
+# CloudHSM improvements (proper EC_POINT, specification of mechanisms)
+Patch7:		opensc-0.17.0-cloudhsm.patch
 
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  readline-devel
@@ -59,6 +61,7 @@ every software/card that does so, too.
 %patch4 -p1 -b .cac-alt
 %patch5 -p1 -b .simpletlv
 %patch6 -p1 -b .feitian
+%patch7 -p1 -b .cloudhsm
 
 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .