import CS opensc-0.23.0-2.el9

2023-09-21 19:44:18 +00:00 · 2023-09-21 19:44:18 +00:00 · 873535e9e3
commit 873535e9e3
parent 4f0ec313e1
12 changed files with 3568 additions and 139 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/opensc-0.22.0.tar.gz
+SOURCES/opensc-0.23.0.tar.gz
--- a/.opensc.metadata
+++ b/.opensc.metadata
@ -1 +1 @@
-d920880c72462619e0a1a629e0a637155b75a352 SOURCES/opensc-0.22.0.tar.gz
+5a5367ef33efcc35ed420b191b4d1bc3aa34a538 SOURCES/opensc-0.23.0.tar.gz
--- a/SOURCES/opensc-0.19.0-pinpad.patch
+++ b/SOURCES/opensc-0.19.0-pinpad.patch
@ -3,7 +3,7 @@ diff -up opensc-0.19.0/etc/opensc.conf.pinpad opensc-0.19.0/etc/opensc.conf
 +++ opensc-0.19.0/etc/opensc.conf	2018-10-22 14:33:59.939410701 +0200
@@ -4,4 +4,9 @@ app default {
 	framework pkcs15 {
- 		# use_file_caching = true;
+		# use_file_caching = public;
 	}
 +	reader_driver pcsc {
 +		# The pinpad is disabled by default,
--- a/SOURCES/opensc-0.22.0-detect-empty.patch
+++ b/SOURCES/opensc-0.22.0-detect-empty.patch
@ -1,62 +0,0 @@
 From fe198e8b3837aa4c960e75d0e2a41020ad4dc9f9 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Fri, 24 Sep 2021 13:33:26 +0200
 Subject: [PATCH 1/9] pkcs11: Unbreak detection of unenrolled cards
 This was broken since 58b03b68, which tried to sanitize some states,
 but caused C_GetTokenInfo returning CKR_TOKEN_NOT_RECOGNIZED instead
 of empty token information.
 Note, that this has effect only if the configuration options
 enable_default_driver and pkcs11_enable_InitToken are turned on.
 Otherwise it still returns CKR_TOKEN_NOT_RECOGNIZED.
 ---
 src/pkcs11/framework-pkcs15.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
 diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
 index 74fe7b3c49..4205e41739 100644
 --- a/src/pkcs11/framework-pkcs15.c
 +++ b/src/pkcs11/framework-pkcs15.c
@@ -544,9 +544,7 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 {
 	struct sc_pkcs11_slot *slot;
 	struct pkcs15_fw_data *fw_data = NULL;
 -	struct sc_pkcs15_card *p15card = NULL;
 	struct sc_pkcs15_object *auth;
 -	struct sc_pkcs15_auth_info *pin_info;
 	CK_RV rv;
 	sc_log(context, "C_GetTokenInfo(%lx)", slotID);
@@ -578,12 +576,6 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 		rv = sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo");
 		goto out;
 	}
 -	p15card = fw_data->p15_card;
 -	if (!p15card) {
 -		rv = sc_to_cryptoki_error(SC_ERROR_INVALID_CARD, "C_GetTokenInfo");
 -		goto out;
 -	}
 -
 	/* User PIN flags are cleared before re-calculation */
 	slot->token_info.flags &= ~(CKF_USER_PIN_COUNT_LOW|CKF_USER_PIN_FINAL_TRY|CKF_USER_PIN_LOCKED);
 	auth = slot_data_auth(slot->fw_data);
@@ -591,8 +583,17 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 		"C_GetTokenInfo() auth. object %p, token-info flags 0x%lX", auth,
 		slot->token_info.flags);
 	if (auth) {
 +		struct sc_pkcs15_card *p15card = NULL;
 +		struct sc_pkcs15_auth_info *pin_info = NULL;
 +
 		pin_info = (struct sc_pkcs15_auth_info*) auth->data;
 +		p15card = fw_data->p15_card;
 +		if (!p15card) {
 +			rv = sc_to_cryptoki_error(SC_ERROR_INVALID_CARD, "C_GetTokenInfo");
 +			goto out;
 +		}
 +
 		sc_pkcs15_get_pin_info(p15card, auth);
 		if (pin_info->tries_left >= 0) {
--- a/SOURCES/opensc-0.22.0-file-cache.patch
+++ b/SOURCES/opensc-0.22.0-file-cache.patch
@ -5,8 +5,8 @@ diff -up opensc-0.22.0/etc/opensc.conf.file-cache opensc-0.22.0/etc/opensc.conf
 	# debug = 3;
 	# debug_file = opensc-debug.txt;
 	framework pkcs15 {
-		# use_file_caching = true;
+-		# use_file_caching = public;
-+		use_file_caching = true;
+		use_file_caching = public;
 	}
 	reader_driver pcsc {
 		# The pinpad is disabled by default,
@ -18,6 +18,6 @@ diff -up opensc-0.22.0/etc/opensc.conf.file-cache opensc-0.22.0/etc/opensc.conf
 +# brings more trouble than use so disable that:
 +app pkcs15-init {
 +	framework pkcs15 {
-+		use_file_caching = false;
+		use_file_caching = no;
 +	}
 +}
--- a/SOURCES/opensc-0.23.0-cardos-pkcs15init.patch
+++ b/SOURCES/opensc-0.23.0-cardos-pkcs15init.patch
@ -0,0 +1,50 @@
 From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
 From: fullwaywang <fullwaywang@tencent.com>
 Date: Mon, 29 May 2023 10:38:48 +0800
 Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
 overrun bug. Fixes #2785
 ---
 src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
 index 9715cf390f..f41f73c349 100644
 --- a/src/pkcs15init/pkcs15-cardos.c
 +++ b/src/pkcs15init/pkcs15-cardos.c
@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
 	sc_apdu_t apdu;
         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
         int       r;
 -	const u8  *p = rbuf, *q;
 +	const u8  *p = rbuf, *q, *pp;
 	size_t    len, tlen = 0, ilen = 0;
 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
 		return 0;
 	while (len != 0) {
 -		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
 -		if (p == NULL)
 +		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
 +		if (pp == NULL)
 			return 0;
 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
 			/* and Package Number 0x07					*/
 -			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
 +			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
 			if (q == NULL || ilen != 4)
 				return 0;
 			if (q[0] == 0x07)
@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
 			/* and Package Number 0x02					*/
 -			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
 +			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
 			if (q == NULL || ilen != 4)
 				return 0;
 			if (q[0] == 0x02)
--- a/SOURCES/opensc-0.23.0-openpgp.patch
+++ b/SOURCES/opensc-0.23.0-openpgp.patch
@ -0,0 +1,225 @@
 From 3b580b6fff9ac463ecc6e996cfaf573f62749368 Mon Sep 17 00:00:00 2001
 From: Frank Morgner <frankmorgner@gmail.com>
 Date: Fri, 14 Apr 2023 12:02:54 +0200
 Subject: [PATCH 1/2] openpgp: identify OpenPGP compliance with bcd_version
 rather than card type
 ---
 src/libopensc/card-openpgp.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
 diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
 index fad32f0ce7..2ea5dc9d36 100644
 --- a/src/libopensc/card-openpgp.c
 +++ b/src/libopensc/card-openpgp.c
@@ -1780,13 +1780,18 @@ pgp_get_pubkey_pem(sc_card_t *card, unsigned int tag, u8 *buf, size_t buf_len)
  * p1: number of an instance (DO 7F21: 0x00 for AUT, 0x01 for DEC and 0x02 for SIG)
  */
 static int
 -pgp_select_data(sc_card_t *card, u8 p1){
 +pgp_select_data(sc_card_t *card, u8 p1)
 +{
 	sc_apdu_t	apdu;
 	u8	apdu_data[6];
 	int	r;
 +	struct pgp_priv_data *priv = DRVDATA(card);
 	LOG_FUNC_CALLED(card->ctx);
 +	if (priv->bcd_version < OPENPGP_CARD_3_0)
 +		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
 +
 	sc_log(card->ctx, "select data with: %u", p1);
 	// create apdu data (taken from spec: SELECT DATA 7.2.5.)
@@ -2179,8 +2184,7 @@ pgp_set_security_env(sc_card_t *card,
 	/* The SC_SEC_ENV_ALG_PRESENT is set always so let it pass for GNUK */
 	if ((env->flags & SC_SEC_ENV_ALG_PRESENT)
 		&& (env->algorithm != SC_ALGORITHM_RSA)
 -		&& (priv->bcd_version < OPENPGP_CARD_3_0)
 -		&& (card->type != SC_CARD_TYPE_OPENPGP_GNUK))
 +		&& (priv->bcd_version < OPENPGP_CARD_3_0))
 		LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_ARGUMENTS,
 				"only RSA algorithm supported");
@@ -2944,13 +2948,13 @@ pgp_update_card_algorithms(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *ke
 {
 	sc_algorithm_info_t *algo;
 	u8 id = key_info->key_id;
 +	struct pgp_priv_data *priv = DRVDATA(card);
 	LOG_FUNC_CALLED(card->ctx);
 	/* protect incompatible cards against non-RSA */
 	if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA
 -		&& card->type < SC_CARD_TYPE_OPENPGP_V3
 -		&& card->type != SC_CARD_TYPE_OPENPGP_GNUK)
 +		&& priv->bcd_version < OPENPGP_CARD_3_0)
 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
 	if (id > card->algorithm_count) {
@@ -2992,13 +2996,13 @@ pgp_gen_key(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *key_info)
 	size_t apdu_le;
 	size_t resplen = 0;
 	int r = SC_SUCCESS;
 +	struct pgp_priv_data *priv = DRVDATA(card);
 	LOG_FUNC_CALLED(card->ctx);
 	/* protect incompatible cards against non-RSA */
 	if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA
 -		&& card->type < SC_CARD_TYPE_OPENPGP_V3
 -		&& card->type != SC_CARD_TYPE_OPENPGP_GNUK)
 +		&& priv->bcd_version < OPENPGP_CARD_3_0)
 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
 	if (key_info->algorithm == SC_OPENPGP_KEYALGO_EDDSA
 		&& card->type != SC_CARD_TYPE_OPENPGP_GNUK)
@@ -3358,13 +3362,13 @@ pgp_store_key(sc_card_t *card, sc_cardctl_openpgp_keystore_info_t *key_info)
 	u8 *data = NULL;
 	size_t len = 0;
 	int r;
 +	struct pgp_priv_data *priv = DRVDATA(card);
 	LOG_FUNC_CALLED(card->ctx);
 	/* protect incompatible cards against non-RSA */
 	if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA
 -		&& card->type < SC_CARD_TYPE_OPENPGP_V3
 -		&& card->type != SC_CARD_TYPE_OPENPGP_GNUK)
 +		&& priv->bcd_version < OPENPGP_CARD_3_0)
 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
 	/* Validate */
 From 9eccc1494d8303ffe42beb772732df218875e3ac Mon Sep 17 00:00:00 2001
 From: Frank Morgner <frankmorgner@gmail.com>
 Date: Fri, 14 Apr 2023 12:09:55 +0200
 Subject: [PATCH 2/2] openpgp: ignore errors on SELECT DATA for OpenPGP 2 and
 below
 fixes https://github.com/OpenSC/OpenSC/issues/2752
 ---
 src/libopensc/pkcs15-openpgp.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
 diff --git a/src/libopensc/pkcs15-openpgp.c b/src/libopensc/pkcs15-openpgp.c
 index e2f3442238..9d3fd746a0 100644
 --- a/src/libopensc/pkcs15-openpgp.c
 +++ b/src/libopensc/pkcs15-openpgp.c
@@ -556,14 +556,9 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
 		memset(&cert_info, 0, sizeof(cert_info));
 		memset(&cert_obj,  0, sizeof(cert_obj));
 -		/* only try to SELECT DATA for OpenPGP >= v3 */
 -		if (card->type >= SC_CARD_TYPE_OPENPGP_V3) {
 -			r = sc_card_ctl(card, SC_CARDCTL_OPENPGP_SELECT_DATA, &i);
 -			if (r < 0) {
 -				free(buffer);
 -				LOG_TEST_RET(card->ctx, r, "Failed OpenPGP - select data");
 -			}
 -		}
 +		/* try to SELECT DATA. Will only work for OpenPGP >= v3, errors are non-critical */
 +		sc_card_ctl(card, SC_CARDCTL_OPENPGP_SELECT_DATA, &i);
 +
 		sc_format_path(certs[i].path, &cert_info.path);
 		/* Certificate ID. We use the same ID as the authentication key */
 commit e8fba322a2f4d06ec5c74fe80f9e2b0e9fdefec6
 Author: Jakub Jelen <jjelen@redhat.com>
 Date:   Fri May 19 16:49:00 2023 +0200
    openpgp: Fix fingerprint calculation
    fixes https://github.com/OpenSC/OpenSC/issues/2775
 diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
 index cc454cef..496e38e6 100644
 --- a/src/libopensc/card-openpgp.c
 +++ b/src/libopensc/card-openpgp.c
@@ -2697,15 +2697,23 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime,
 	/* RSA */
 	if (key_info->algorithm == SC_OPENPGP_KEYALGO_RSA) {
 +		unsigned short bytes_length = 0;
 +
 		*p = 1; /* Algorithm ID, RSA */
 		p += 1;
 +
 +		/* Modulus */
 +		bytes_length = BYTES4BITS(key_info->u.rsa.modulus_len);
 		ushort2bebytes(p, (unsigned short)key_info->u.rsa.modulus_len);
 		p += 2;
 -		memcpy(p, key_info->u.rsa.modulus, (BYTES4BITS(key_info->u.rsa.modulus_len)));
 -		p += (key_info->u.rsa.modulus_len >> 3);
 -		ushort2bebytes(++p, (unsigned short)key_info->u.rsa.exponent_len);
 +		memcpy(p, key_info->u.rsa.modulus, bytes_length);
 +		p += bytes_length;
 +
 +		/* Exponent */
 +		bytes_length = BYTES4BITS(key_info->u.rsa.exponent_len);
 +		ushort2bebytes(p, (unsigned short)key_info->u.rsa.exponent_len);
 		p += 2;
 -		memcpy(p, key_info->u.rsa.exponent, (BYTES4BITS(key_info->u.rsa.exponent_len)));
 +		memcpy(p, key_info->u.rsa.exponent, bytes_length);
 	}
 	/* ECC */
 	else if (key_info->algorithm == SC_OPENPGP_KEYALGO_ECDH
 commit 891f10e49de1a5ee038b1cb2fb59dce40429e6c2
 Author: Jakub Jelen <jjelen@redhat.com>
 Date:   Fri May 19 17:53:35 2023 +0200
    openpgp: Fix modulus length calculation in pkc15init layer
 diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h
 index 5a0a19c5..ba685a30 100644
 --- a/src/libopensc/pkcs15.h
 +++ b/src/libopensc/pkcs15.h
@@ -373,7 +373,7 @@ struct sc_pkcs15_prkey_info {
 	unsigned int usage, access_flags;
 	int native, key_reference;
 	/* convert to union if other types are supported */
 -	size_t modulus_length; /* RSA */
 +	size_t modulus_length; /* RSA, in bits */
 	size_t field_length;   /* EC in bits */
 	unsigned int algo_refs[SC_MAX_SUPPORTED_ALGORITHMS];
 diff --git a/src/pkcs15init/pkcs15-openpgp.c b/src/pkcs15init/pkcs15-openpgp.c
 index c75bcbda..3e060be5 100644
 --- a/src/pkcs15init/pkcs15-openpgp.c
 +++ b/src/pkcs15init/pkcs15-openpgp.c
@@ -235,7 +235,7 @@ static int openpgp_generate_key_rsa(sc_card_t *card, sc_pkcs15_object_t *obj,
 	/* Prepare buffer */
 	key_info.u.rsa.modulus_len = required->modulus_length;
 -	key_info.u.rsa.modulus = calloc(required->modulus_length >> 3, 1);
 +	key_info.u.rsa.modulus = calloc(BYTES4BITS(required->modulus_length), 1);
 	if (key_info.u.rsa.modulus == NULL)
 		LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_ENOUGH_MEMORY);
@@ -252,18 +252,18 @@ static int openpgp_generate_key_rsa(sc_card_t *card, sc_pkcs15_object_t *obj,
 	pubkey->algorithm = SC_ALGORITHM_RSA;
 	sc_log(ctx, "Set output modulus info");
 -	pubkey->u.rsa.modulus.len = key_info.u.rsa.modulus_len;
 -	pubkey->u.rsa.modulus.data = calloc(key_info.u.rsa.modulus_len, 1);
 +	pubkey->u.rsa.modulus.len = BYTES4BITS(key_info.u.rsa.modulus_len);
 +	pubkey->u.rsa.modulus.data = calloc(pubkey->u.rsa.modulus.len, 1);
 	if (pubkey->u.rsa.modulus.data == NULL)
 		goto err;
 -	memcpy(pubkey->u.rsa.modulus.data, key_info.u.rsa.modulus, key_info.u.rsa.modulus_len);
 +	memcpy(pubkey->u.rsa.modulus.data, key_info.u.rsa.modulus, BYTES4BITS(key_info.u.rsa.modulus_len));
 	sc_log(ctx, "Set output exponent info");
 -	pubkey->u.rsa.exponent.len = key_info.u.rsa.exponent_len;
 -	pubkey->u.rsa.exponent.data = calloc(BYTES4BITS(key_info.u.rsa.exponent_len), 1);
 +	pubkey->u.rsa.exponent.len = BYTES4BITS(key_info.u.rsa.exponent_len);
 +	pubkey->u.rsa.exponent.data = calloc(pubkey->u.rsa.exponent.len, 1);
 	if (pubkey->u.rsa.exponent.data == NULL)
 		goto err;
 -	memcpy(pubkey->u.rsa.exponent.data, key_info.u.rsa.exponent, BYTES4BITS(key_info.u.rsa.exponent_len));
 +	memcpy(pubkey->u.rsa.exponent.data, key_info.u.rsa.exponent, pubkey->u.rsa.exponent.len);
 err:
 	free(key_info.u.rsa.modulus);
--- a/SOURCES/opensc-0.23.0-openssl-ctx.patch
+++ b/SOURCES/opensc-0.23.0-openssl-ctx.patch
--- a/SOURCES/opensc-0.23.0-pkcs11-tool-import.patch
+++ b/SOURCES/opensc-0.23.0-pkcs11-tool-import.patch
@ -0,0 +1,212 @@
 From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 1 Dec 2022 20:08:53 +0100
 Subject: [PATCH 1/4] pkcs11-tool: Fix private key import
 ---
 src/tools/pkcs11-tool.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
 index aae205fe2c..cfee8526d5 100644
 --- a/src/tools/pkcs11-tool.c
 +++ b/src/tools/pkcs11-tool.c
@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 		RSA_get0_factors(r, &r_p, &r_q);
 		RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
 #else
 -		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
 +		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
 -			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
 			util_fatal("OpenSSL error during RSA private key parsing");
 +			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
 		}
 #endif
 		RSA_GET_BN(rsa, private_exponent, r_d);
 From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 1 Dec 2022 20:11:41 +0100
 Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors
 ---
 src/tools/pkcs11-tool.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
 diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
 index cfee8526d5..f2e6b1dd91 100644
 --- a/src/tools/pkcs11-tool.c
 +++ b/src/tools/pkcs11-tool.c
@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 	const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
 	r = EVP_PKEY_get1_RSA(pkey);
 	if (!r) {
 -		if (private)
 -			util_fatal("OpenSSL error during RSA private key parsing");
 -		else
 -			util_fatal("OpenSSL error during RSA public key parsing");
 +		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
 +			ERR_error_string(ERR_peek_last_error(), NULL));
 	}
 	RSA_get0_key(r, &r_n, &r_e, NULL);
@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 	BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;
 	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||
 		EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {
 -		if (private)
 -			util_fatal("OpenSSL error during RSA private key parsing");
 -		else
 -			util_fatal("OpenSSL error during RSA public key parsing");
 +		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
 +			ERR_error_string(ERR_peek_last_error(), NULL));
 	 }
 #endif
 	RSA_GET_BN(rsa, modulus, r_n);
@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
 -			util_fatal("OpenSSL error during RSA private key parsing");
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
 +			util_fatal("OpenSSL error during RSA private key parsing: %s",
 +				ERR_error_string(ERR_peek_last_error(), NULL));
 		}
 #endif
 		RSA_GET_BN(rsa, private_exponent, r_d);
 From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 1 Dec 2022 20:38:31 +0100
 Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import
 ---
 tests/Makefile.am                | 10 ++++---
 tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100755 tests/test-pkcs11-tool-import.sh
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index d378e2ee00..9d8a24c321 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \
                       test-pkcs11-tool-test-threads.sh \
                       test-pkcs11-tool-sign-verify.sh \
                       test-pkcs11-tool-allowed-mechanisms.sh \
 -                      test-pkcs11-tool-sym-crypt-test.sh\
 -                      test-pkcs11-tool-unwrap-wrap-test.sh
 +                      test-pkcs11-tool-sym-crypt-test.sh \
 +                      test-pkcs11-tool-unwrap-wrap-test.sh \
 +                      test-pkcs11-tool-import.sh
 .NOTPARALLEL:
 TESTS = \
@@ -25,8 +26,9 @@ TESTS = \
         test-pkcs11-tool-test.sh \
         test-pkcs11-tool-test-threads.sh \
         test-pkcs11-tool-allowed-mechanisms.sh \
 -        test-pkcs11-tool-sym-crypt-test.sh\
 -        test-pkcs11-tool-unwrap-wrap-test.sh
 +        test-pkcs11-tool-sym-crypt-test.sh \
 +        test-pkcs11-tool-unwrap-wrap-test.sh \
 +        test-pkcs11-tool-import.sh
 XFAIL_TESTS = \
         test-pkcs11-tool-test-threads.sh \
         test-pkcs11-tool-test.sh
 diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
 new file mode 100755
 index 0000000000..76ff8e51be
 --- /dev/null
 +++ b/tests/test-pkcs11-tool-import.sh
@@ -0,0 +1,48 @@
 +#!/bin/bash
 +SOURCE_PATH=${SOURCE_PATH:-..}
 +
 +source $SOURCE_PATH/tests/common.sh
 +
 +echo "======================================================="
 +echo "Setup SoftHSM"
 +echo "======================================================="
 +if [[ ! -f $P11LIB ]]; then
 +    echo "WARNING: The SoftHSM is not installed. Can not run this test"
 +    exit 77;
 +fi
 +card_setup
 +
 +ID="0100"
 +OPTS=""
 +for KEYTYPE in "RSA" "EC"; do
 +    echo "======================================================="
 +    echo "Generate and import $KEYTYPE keys"
 +    echo "======================================================="
 +    if [ "$KEYTYPE" == "RSA" ]; then
 +        ID="0100"
 +    elif [ "$KEYTYPE" == "EC" ]; then
 +        ID="0200"
 +        OPTS="-pkeyopt ec_paramgen_curve:P-521"
 +    fi
 +    openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS
 +    assert $? "Failed to generate private $KEYTYPE key"
 +    $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \
 +        --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"
 +    assert $? "Failed to write private $KEYTYPE key"
 +
 +    openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER
 +    assert $? "Failed to convert private $KEYTYPE key to public"
 +    $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \
 +        -p $PIN --module $P11LIB
 +    assert $? "Failed to write public $KEYTYPE key"
 +    # certificate import already tested in all other tests
 +
 +    rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"
 +done
 +
 +echo "======================================================="
 +echo "Cleanup"
 +echo "======================================================="
 +card_cleanup
 +
 +exit $ERRORS
 From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jakuje@gmail.com>
 Date: Fri, 2 Dec 2022 18:07:43 +0100
 Subject: [PATCH 4/4] Simplify the new test
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>
 ---
 tests/test-pkcs11-tool-import.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
 diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
 index 76ff8e51be..c90b3b4926 100755
 --- a/tests/test-pkcs11-tool-import.sh
 +++ b/tests/test-pkcs11-tool-import.sh
@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then
 fi
 card_setup
 -ID="0100"
 -OPTS=""
 for KEYTYPE in "RSA" "EC"; do
     echo "======================================================="
     echo "Generate and import $KEYTYPE keys"
     echo "======================================================="
 -    if [ "$KEYTYPE" == "RSA" ]; then
 -        ID="0100"
 -    elif [ "$KEYTYPE" == "EC" ]; then
 +    ID="0100"
 +    OPTS=""
 +    if [ "$KEYTYPE" == "EC" ]; then
         ID="0200"
         OPTS="-pkeyopt ec_paramgen_curve:P-521"
     fi
--- a/SOURCES/opensc-32b-arch.patch
+++ b/SOURCES/opensc-32b-arch.patch
@ -1,33 +0,0 @@
 commit 6bc05d7037041e543d627248ca9df90723426ce1
 Author: Jakub Jelen <jjelen@redhat.com>
 Date:   Tue Aug 10 16:30:40 2021 +0200
    p11test: Fix invalid format string on 32b architectures
 diff --git a/src/tests/p11test/p11test.c b/src/tests/p11test/p11test.c
 index dbac167d..49de6a93 100644
 --- a/src/tests/p11test/p11test.c
 +++ b/src/tests/p11test/p11test.c
@@ -139,7 +139,7 @@ int main(int argc, char** argv) {
 		return -1;
 	}
 -	debug_print("Card info:\n\tPIN %s\n\tPIN LENGTH %lu\n\t",
 +	debug_print("Card info:\n\tPIN %s\n\tPIN LENGTH %zu\n\t",
 		token.pin, token.pin_length);
 	return cmocka_run_group_tests(readonly_tests_without_initialization,
 diff --git a/src/tests/p11test/p11test_case_pss_oaep.c b/src/tests/p11test/p11test_case_pss_oaep.c
 index 1d876a5b..5a6ae9d0 100644
 --- a/src/tests/p11test/p11test_case_pss_oaep.c
 +++ b/src/tests/p11test/p11test_case_pss_oaep.c
@@ -402,7 +402,7 @@ int oaep_encrypt_decrypt_test(test_cert_t *o, token_info_t *info, test_mech_t *m
 	if (message_length < 0) {
 		mech->usage_flags &= ~CKF_DECRYPT;
 		debug_print(" [SKIP %s ] Too small modulus (%ld bits)"
 -			" or too large hash %s (%lu B) for OAEP", o->id_str,
 +			" or too large hash %s (%zu B) for OAEP", o->id_str,
 			o->bits, get_mechanism_name(mech->hash),
 			get_hash_length(mech->hash));
 		return 0;
--- a/SOURCES/opensc-gcc11.patch
+++ b/SOURCES/opensc-gcc11.patch
@ -1,16 +0,0 @@
 diff --git a/src/tools/opensc-explorer.c b/src/tools/opensc-explorer.c
 index d251495c..e48f3189 100644
 --- a/src/tools/opensc-explorer.c
 +++ b/src/tools/opensc-explorer.c
@@ -2030,9 +2030,9 @@ static int do_put_data(int argc, char **argv)
 static int do_apdu(int argc, char **argv)
 {
 	sc_apdu_t apdu;
 -	u8 buf[SC_MAX_EXT_APDU_BUFFER_SIZE];
 +	u8 buf[SC_MAX_EXT_APDU_BUFFER_SIZE] = {0};
 	u8 rbuf[SC_MAX_EXT_APDU_BUFFER_SIZE];
 -	size_t len, i;
 +	size_t len = 0, i;
 	int r;
 	if (argc < 1)
--- a/SPECS/opensc.spec
+++ b/SPECS/opensc.spec
@ -2,7 +2,7 @@
 %define nssdb %{_sysconfdir}/pki/nssdb
 Name:           opensc
-Version:        0.22.0
+Version:        0.23.0
 Release:        2%{?dist}
 Summary:        Smart card library and applications
@ -11,16 +11,20 @@ URL:            https://github.com/OpenSC/OpenSC/wiki
 Source0:        https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source1:        opensc.module
 Patch1:         opensc-0.19.0-pinpad.patch
 # https://github.com/OpenSC/OpenSC/pull/2241/
 Patch5:         %{name}-gcc11.patch
 # https://github.com/OpenSC/OpenSC/pull/2343
 Patch7:         %{name}-32b-arch.patch
 # File caching by default (#2000626)
-Patch8:         %{name}-%{version}-file-cache.patch
+Patch8:         %{name}-0.22.0-file-cache.patch
-# https://github.com/OpenSC/OpenSC/pull/2414 (#2007029)
+# https://github.com/OpenSC/OpenSC/pull/2656
-Patch9:         %{name}-%{version}-detect-empty.patch
+Patch9:         %{name}-0.23.0-pkcs11-tool-import.patch
 # https://github.com/OpenSC/OpenSC/pull/2712
 Patch10:         %{name}-0.23.0-openssl-ctx.patch
 # https://github.com/OpenSC/OpenSC/pull/2753
 # https://github.com/OpenSC/OpenSC/commit/e8fba322a2f4d06ec5c74fe80f9e2b0e9fdefec6
 # https://github.com/OpenSC/OpenSC/commit/891f10e49de1a5ee038b1cb2fb59dce40429e6c2
 Patch11:         %{name}-0.23.0-openpgp.patch
 # https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
 Patch12:        %{name}-0.23.0-cardos-pkcs15init.patch
-BuildRequires: make
+BuildRequires:  make
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  readline-devel
 BuildRequires:  openssl-devel
@ -31,6 +35,7 @@ BuildRequires:  bash-completion
 BuildRequires:  zlib-devel
 # For tests
 BuildRequires:  libcmocka-devel
 BuildRequires:  vim-common
 %if ! 0%{?rhel}
 BuildRequires:  softhsm
 %endif
@ -56,10 +61,11 @@ every software/card that does so, too.
 %prep
 %setup -q
 %patch1 -p1 -b .pinpad
 %patch5 -p1 -b .gcc11
 %patch7 -p1 -b .32b
 %patch8 -p1 -b .file-cache
-%patch9 -p1 -b .detect-empty
+%patch9 -p1 -b .pkcs11-tool-import
 %patch10 -p1 -b .ossl3context
 %patch11 -p1 -b .openpgp
 %patch12 -p1 -b .cardos-pkcs15init
 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .
@ -75,21 +81,19 @@ sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in
 sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
 %set_build_flags
 CFLAGS="$CFLAGS -Wstrict-aliasing=2 -Wno-deprecated-declarations"
-%configure  --disable-static \
+%configure --disable-static \
  --disable-autostart-items \
  --disable-notify \
  --disable-assert \
  --enable-pcsc \
  --enable-cmocka \
-  --enable-sm \
+  --enable-sm
  --with-pcsc-provider=libpcsclite.so.1
 %make_build
 %check
 make check
 %install
 %make_install
 install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module
@ -119,9 +123,6 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so
 # remove the .pc file so we do not confuse users #1673139
 rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/*.pc
 rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so
 %if 0%{?rhel} && 0%{?rhel} < 7
 rm -rf %{buildroot}%{_datadir}/bash-completion/
 %endif
 # the npa-tool builds to nothing since we do not have OpenPACE library
 rm -rf %{buildroot}%{_bindir}/npa-tool
@ -132,7 +133,6 @@ rm -rf %{buildroot}%{_bindir}/pkcs11-register
 rm -rf %{buildroot}%{_mandir}/man1/pkcs11-register.1*
 # Remove the notification files
 rm %{buildroot}%{_bindir}/opensc-notify
 rm %{buildroot}%{_datadir}/applications/org.opensc.notify.desktop
 rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
@ -140,9 +140,7 @@ rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
 %files
 %doc COPYING NEWS README*
 %if ! 0%{?rhel} || 0%{?rhel} >= 7
 %{_datadir}/bash-completion/*
 %endif
 %ifarch %{ix86}
 %{_mandir}/man5/opensc-%{_arch}.conf.5*
@ -209,6 +207,14 @@ rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
 %changelog
 * Thu May 25 2023 Jakub Jelen <jjelen@redhat.com> - 0.23.0-2
 - Fix regression in handling OpenPGP cards
 - Fix CVE-2023-2977: buffer overrun in pkcs15init for cardos
 * Wed Mar 08 2023 Jakub Jelen <jjelen@redhat.com> - 0.23.0-1
 - Rebase to latest 0.23.0 release (#2100409)
 - Use separate OpenSSL context to work better from inside of OpenSSL providers
 * Fri Oct 08 2021 Jakub Jelen <jjelen@redhat.com> - 0.22.0-2
 - Unbreak detection of unentrolled smart cards (#2007029)
 - Enable file caching by default except for pkcs15-init (#2000626)
`@ -1 +1 @@`
	`SOURCES/opensc-0.22.0.tar.gz`	`SOURCES/opensc-0.23.0.tar.gz`
`@ -1 +1 @@`
	`d920880c72462619e0a1a629e0a637155b75a352 SOURCES/opensc-0.22.0.tar.gz`	`5a5367ef33efcc35ed420b191b4d1bc3aa34a538 SOURCES/opensc-0.23.0.tar.gz`