import UBI p11-kit-0.26.2-1.el9

AlmaLinux RelEng Bot 2026-05-19 20:14:43 -04:00
parent 6fb1ed2c2a
commit aeb28523d1
6 changed files with 273 additions and 389 deletions

4
.gitignore vendored

@ -1,3 +1,3 @@
SOURCES/p11-kit-0.25.3.tar.xz
SOURCES/p11-kit-0.25.3.tar.xz.sig
SOURCES/p11-kit-0.26.2.tar.xz
SOURCES/p11-kit-0.26.2.tar.xz.sig
SOURCES/p11-kit-release-keyring.gpg


@ -1,3 +1,3 @@
796f3b69cad054a52e04f520459beaaab936b99f SOURCES/p11-kit-0.25.3.tar.xz
4133131840ef3f9609403fe391ce414878bcb9f1 SOURCES/p11-kit-0.25.3.tar.xz.sig
6fecd5be3ee12d07f6f61a65e18523ee03e0f925 SOURCES/p11-kit-release-keyring.gpg
c6aa53aa656b4ba4b066e1f2c8d7d4870562ec46 SOURCES/p11-kit-0.26.2.tar.xz
94bb171d48aa99733e4f171a3b57509caddd6486 SOURCES/p11-kit-0.26.2.tar.xz.sig
0f7896b12a7eaea6919d3213795bcf328240826e SOURCES/p11-kit-release-keyring.gpg
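Review bot: The digest for `SOURCES/p11-kit-release-keyring.gpg` differs between the two sides of this hunk (`6fecd5be3ee12d07f6f61a65e18523ee03e0f925` and `0f7896b12a7eaea6919d3213795bcf328240826e`), so the keyring trusted by the spec's `gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}` step is replaced in the same commit as the tarball and signature it checks. With all three changing together, a passing gpgv2 run only shows that the files agree with each other, not that the keyring is the upstream one. The commit description does not say why the keyring changed. It would help to record the fingerprints of the keys it contains, checked against upstream's published release keys, in the commit message or in a comment next to the `Source2:` line.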


@ -1,298 +0,0 @@
From 58cd1c05e001a4fe250c15f3599e79974bc509e3 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Thu, 16 Nov 2023 10:12:14 +0100
Subject: [PATCH] Fix issues found by static analysis
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
common/frob-getprogname.c | 4 ++--
common/test.c | 4 +---
p11-kit/generate-keypair.c | 25 +++++++++----------------
p11-kit/import-object.c | 22 +++++-----------------
p11-kit/lists.c | 1 +
p11-kit/print-config.c | 4 +++-
p11-kit/rpc-client.c | 6 ++++--
p11-kit/test-uri.c | 4 ++--
trust/test-trust.c | 2 +-
9 files changed, 28 insertions(+), 44 deletions(-)
diff --git a/common/frob-getprogname.c b/common/frob-getprogname.c
index ead658cc8..46e3b7fd3 100644
--- a/common/frob-getprogname.c
+++ b/common/frob-getprogname.c
@@ -76,14 +76,14 @@ main (int argc,
execv (BUILDDIR "/common/frob-getprogname" EXEEXT, args);
} else {
int status;
- char buffer[1024];
+ char buffer[1024] = { 0 };
size_t offset = 0;
ssize_t nread;
char *p;
close (pfds[1]);
while (1) {
- nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset);
+ nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset - 1);
if (nread < 0) {
perror ("read");
exit (EXIT_FAILURE);
diff --git a/common/test.c b/common/test.c
index 3ed98da01..6cdbd1fa2 100644
--- a/common/test.c
+++ b/common/test.c
@@ -272,7 +272,6 @@ p11_testx (void (* function) (void *),
test_item item = { TEST, };
va_list va;
- item.type = TEST;
item.x.test.func = function;
item.x.test.argument = argument;
@@ -287,9 +286,8 @@ void
p11_fixture (void (* setup) (void *),
void (* teardown) (void *))
{
- test_item item;
+ test_item item = { FIXTURE, };
- item.type = FIXTURE;
item.x.fix.setup = setup;
item.x.fix.teardown = teardown;
diff --git a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c
index 49dc11830..695103d1d 100644
--- a/p11-kit/generate-keypair.c
+++ b/p11-kit/generate-keypair.c
@@ -351,7 +351,7 @@ int
p11_kit_generate_keypair (int argc,
char *argv[])
{
- int opt, ret = 2;
+ int opt, ret;
char *label = NULL;
CK_ULONG bits = 0;
const uint8_t *ec_params = NULL;
@@ -396,31 +396,27 @@ p11_kit_generate_keypair (int argc,
while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
switch (opt) {
case opt_label:
- label = strdup (optarg);
- if (label == NULL) {
- p11_message (_("failed to allocate memory"));
- goto cleanup;
- }
+ label = optarg;
break;
case opt_type:
mechanism = get_mechanism (optarg);
if (mechanism.mechanism == CKA_INVALID) {
p11_message (_("unknown mechanism type: %s"), optarg);
- goto cleanup;
+ return 2;
}
break;
case opt_bits:
bits = strtol (optarg, NULL, 10);
if (bits == 0) {
p11_message (_("failed to parse bits value: %s"), optarg);
- goto cleanup;
+ return 2;
}
break;
case opt_curve:
ec_params = get_ec_params (optarg, &ec_params_len);
if (ec_params == NULL) {
p11_message (_("unknown curve name: %s"), optarg);
- goto cleanup;
+ return 2;
}
break;
case opt_login:
@@ -434,10 +430,9 @@ p11_kit_generate_keypair (int argc,
break;
case opt_help:
p11_tool_usage (usages, options);
- ret = 0;
- goto cleanup;
+ return 0;
case '?':
- goto cleanup;
+ return 2;
default:
assert_not_reached ();
break;
@@ -449,11 +444,11 @@ p11_kit_generate_keypair (int argc,
if (argc != 1) {
p11_tool_usage (usages, options);
- goto cleanup;
+ return 2;
}
if (!check_args (mechanism.mechanism, bits, ec_params))
- goto cleanup;
+ return 2;
#ifdef OS_UNIX
/* Register a fallback PIN callback that reads from terminal.
@@ -464,11 +459,9 @@ p11_kit_generate_keypair (int argc,
ret = generate_keypair (*argv, label, mechanism, bits, ec_params, ec_params_len, login);
-cleanup:
#ifdef OS_UNIX
p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
#endif
- free (label);
return ret;
}
diff --git a/p11-kit/import-object.c b/p11-kit/import-object.c
index 270a0e027..feee07659 100644
--- a/p11-kit/import-object.c
+++ b/p11-kit/import-object.c
@@ -500,7 +500,7 @@ int
p11_kit_import_object (int argc,
char *argv[])
{
- int opt, ret = 2;
+ int opt, ret;
char *label = NULL;
char *file = NULL;
bool login = false;
@@ -536,18 +536,10 @@ p11_kit_import_object (int argc,
while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
switch (opt) {
case opt_label:
- label = strdup (optarg);
- if (label == NULL) {
- p11_message (_("failed to allocate memory"));
- goto cleanup;
- }
+ label = optarg;
break;
case opt_file:
- file = strdup (optarg);
- if (file == NULL) {
- p11_message (_("failed to allocate memory"));
- goto cleanup;
- }
+ file = optarg;
break;
case opt_login:
login = true;
@@ -574,12 +566,12 @@ p11_kit_import_object (int argc,
if (argc != 1) {
p11_tool_usage (usages, options);
- goto cleanup;
+ return 2;
}
if (file == NULL) {
p11_message (_("no file specified"));
- goto cleanup;
+ return 2;
}
#ifdef OS_UNIX
@@ -595,10 +587,6 @@ p11_kit_import_object (int argc,
p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
#endif
-cleanup:
- free (label);
- free (file);
-
return ret;
}
diff --git a/p11-kit/lists.c b/p11-kit/lists.c
index df58beb3f..007bb0f12 100644
--- a/p11-kit/lists.c
+++ b/p11-kit/lists.c
@@ -295,6 +295,7 @@ print_modules (void)
if (rv != CKR_OK) {
p11_message (_("couldn't load module info: %s"),
p11_kit_strerror (rv));
+ p11_kit_modules_finalize_and_release (module_list);
return 1;
}
diff --git a/p11-kit/print-config.c b/p11-kit/print-config.c
index 173b55feb..29daf3871 100644
--- a/p11-kit/print-config.c
+++ b/p11-kit/print-config.c
@@ -74,8 +74,10 @@ print_config (void)
P11_PACKAGE_CONFIG_MODULES,
P11_SYSTEM_CONFIG_MODULES,
P11_USER_CONFIG_MODULES);
- if (modules_conf == NULL)
+ if (modules_conf == NULL) {
+ p11_dict_free (global_conf);
return 1;
+ }
printf ("[global]\n");
p11_dict_iterate (global_conf, &i);
diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
index fb39103eb..19b628b1a 100644
--- a/p11-kit/rpc-client.c
+++ b/p11-kit/rpc-client.c
@@ -173,6 +173,8 @@ call_done (rpc_client *module,
p11_rpc_message *msg,
CK_RV ret)
{
+ p11_buffer *buf;
+
assert (module != NULL);
assert (msg != NULL);
@@ -189,9 +191,9 @@ call_done (rpc_client *module,
/* We used the same buffer for input/output, so this frees both */
assert (msg->input == msg->output);
- p11_rpc_buffer_free (msg->input);
-
+ buf = msg->input;
p11_rpc_message_clear (msg);
+ p11_rpc_buffer_free (buf);
return ret;
}
diff --git a/p11-kit/test-uri.c b/p11-kit/test-uri.c
index 32e8da703..18b7a108a 100644
--- a/p11-kit/test-uri.c
+++ b/p11-kit/test-uri.c
@@ -1019,7 +1019,7 @@ test_uri_get_set_unrecognized (void)
static void
test_uri_match_token (void)
{
- CK_TOKEN_INFO token;
+ CK_TOKEN_INFO token = { 0 };
P11KitUri *uri;
int ret;
@@ -1056,7 +1056,7 @@ test_uri_match_token (void)
static void
test_uri_match_module (void)
{
- CK_INFO info;
+ CK_INFO info = { 0 };
P11KitUri *uri;
int ret;
diff --git a/trust/test-trust.c b/trust/test-trust.c
index 29b2797b5..3b27a1f31 100644
--- a/trust/test-trust.c
+++ b/trust/test-trust.c
@@ -258,7 +258,7 @@ test_check_symlink_msg (const char *file,
if (asprintf (&filename, "%s/%s", directory, name) < 0)
assert_not_reached ();
- if (readlink (filename, buf, sizeof (buf)) < 0)
+ if (readlink (filename, buf, sizeof (buf) - 1) < 0)
p11_test_fail (file, line, function, "Couldn't read symlink: %s", filename);
if (strcmp (destination, buf) != 0)


@ -1,73 +0,0 @@
From a8b94642dbe6d52aa7a7805fbb60b64c4cfd7245 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Thu, 3 Oct 2024 11:34:14 +0200
Subject: [PATCH] trust: don't create file names longer then 255
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
trust/save.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/trust/save.c b/trust/save.c
index 057a9c5e3..acabcbf6d 100644
--- a/trust/save.c
+++ b/trust/save.c
@@ -61,6 +61,8 @@
#define O_DIRECTORY 0
#endif
+#define MAX_FILE_NAME 255
+
struct _p11_save_file {
char *bare;
char *extension;
@@ -414,12 +416,23 @@ make_unique_name (const char *bare,
p11_buffer buf;
int ret;
int i;
+ int bare_len, ext_len, diff;
assert (bare != NULL);
assert (check != NULL);
p11_buffer_init_null (&buf, 0);
+ /*
+ * Make sure the name will not be longer then MAX_FILE_NAME
+ */
+ bare_len = strlen (bare);
+ ext_len = extension ? strlen (extension) : 0;
+ diff = bare_len + ext_len + sizeof (unique) - MAX_FILE_NAME;
+ if (diff > 0)
+ bare_len -= diff;
+ return_val_if_fail (bare_len > 0, NULL);
+
for (i = 0; true; i++) {
p11_buffer_reset (&buf, 64);
@@ -431,7 +444,7 @@ make_unique_name (const char *bare,
* provided by the caller.
*/
case 0:
- p11_buffer_add (&buf, bare, -1);
+ p11_buffer_add (&buf, bare, bare_len);
break;
/*
@@ -448,14 +461,14 @@ make_unique_name (const char *bare,
/* fall through */
default:
- p11_buffer_add (&buf, bare, -1);
+ p11_buffer_add (&buf, bare, bare_len);
snprintf (unique, sizeof (unique), ".%d", i);
p11_buffer_add (&buf, unique, -1);
break;
}
if (extension)
- p11_buffer_add (&buf, extension, -1);
+ p11_buffer_add (&buf, extension, ext_len);
return_val_if_fail (p11_buffer_ok (&buf), NULL);


@ -0,0 +1,224 @@
diff --color -ruNp a/common/attrs.c b/common/attrs.c
--- a/common/attrs.c 2025-12-11 14:59:36.000000000 +0100
+++ b/common/attrs.c 2026-01-22 09:47:40.761892180 +0100
@@ -638,13 +638,15 @@ attribute_is_trust_value (const CK_ATTRI
case CKA_NSS_TRUST_IPSEC_TUNNEL:
case CKA_NSS_TRUST_IPSEC_USER:
case CKA_NSS_TRUST_TIME_STAMPING:
+ case CKA_TRUST_IPSEC_IKE:
+ case CKA_TRUST_OCSP_SIGNING:
+#ifdef USE_STANDARD_TRUST
case CKA_TRUST_SERVER_AUTH:
case CKA_TRUST_CLIENT_AUTH:
case CKA_TRUST_CODE_SIGNING:
case CKA_TRUST_EMAIL_PROTECTION:
- case CKA_TRUST_IPSEC_IKE:
case CKA_TRUST_TIME_STAMPING:
- case CKA_TRUST_OCSP_SIGNING:
+#endif
break;
default:
return false;
@@ -734,12 +736,14 @@ attribute_is_sensitive (const CK_ATTRIBU
X (CKA_DEFAULT_CMS_ATTRIBUTES)
X (CKA_SUPPORTED_CMS_ATTRIBUTES)
X (CKA_ALLOWED_MECHANISMS)
+#ifdef USE_STANDARD_TRUST
X (CKA_TRUST_SERVER_AUTH)
X (CKA_TRUST_CLIENT_AUTH)
X (CKA_TRUST_CODE_SIGNING)
X (CKA_TRUST_EMAIL_PROTECTION)
- X (CKA_TRUST_IPSEC_IKE)
X (CKA_TRUST_TIME_STAMPING)
+#endif
+ X (CKA_TRUST_IPSEC_IKE)
X (CKA_TRUST_OCSP_SIGNING)
X (CKA_X_ASSERTION_TYPE)
X (CKA_X_CERTIFICATE_VALUE)
diff --color -ruNp a/common/constants.c b/common/constants.c
--- a/common/constants.c 2025-12-11 14:59:36.000000000 +0100
+++ b/common/constants.c 2026-01-22 09:48:12.843493106 +0100
@@ -198,12 +198,16 @@ const p11_constant p11_constant_types[]
CT (CKA_VALIDATION_PROFILE, "validation-profile")
CT (CKA_ENCAPSULATE_TEMPLATE, "encapsulate-template")
CT (CKA_DECAPSULATE_TEMPLATE, "decapsulate_template")
+#ifdef USE_STANDARD_TRUST
CT (CKA_TRUST_SERVER_AUTH, "trust-server-auth")
CT (CKA_TRUST_CLIENT_AUTH, "trust-client-auth")
CT (CKA_TRUST_CODE_SIGNING, "trust-code-signing")
CT (CKA_TRUST_EMAIL_PROTECTION, "trust-email-protection")
+#endif
CT (CKA_TRUST_IPSEC_IKE, "trust-ipsec-ike")
+#ifdef USE_STANDARD_TRUST
CT (CKA_TRUST_TIME_STAMPING, "trust-time-stamping")
+#endif
CT (CKA_TRUST_OCSP_SIGNING, "trust-ocsp-signing")
CT (CKA_ENCAPSULATE, "encapsulate")
CT (CKA_DECAPSULATE, "decapsulate")
@@ -267,14 +271,25 @@ const p11_constant p11_constant_types[]
CT (CKA_NSS_TRUST_KEY_AGREEMENT, "nss-trust-key-agreement")
CT (CKA_NSS_TRUST_KEY_CERT_SIGN, "nss-trust-key-cert-sign")
CT (CKA_NSS_TRUST_CRL_SIGN, "nss-trust-crl-sign")
+#ifdef USE_STANDARD_TRUST
CT (CKA_NSS_TRUST_SERVER_AUTH, "nss-trust-server-auth")
CT (CKA_NSS_TRUST_CLIENT_AUTH, "nss-trust-client-auth")
CT (CKA_NSS_TRUST_CODE_SIGNING, "nss-trust-code-signing")
CT (CKA_NSS_TRUST_EMAIL_PROTECTION, "nss-trust-email-protection")
+#else
+ CT (CKA_NSS_TRUST_SERVER_AUTH, "trust-server-auth")
+ CT (CKA_NSS_TRUST_CLIENT_AUTH, "trust-client-auth")
+ CT (CKA_NSS_TRUST_CODE_SIGNING, "trust-code-signing")
+ CT (CKA_NSS_TRUST_EMAIL_PROTECTION, "trust-email-protection")
+#endif
CT (CKA_NSS_TRUST_IPSEC_END_SYSTEM, "nss-trust-ipsec-end-system")
CT (CKA_NSS_TRUST_IPSEC_TUNNEL, "nss-trust-ipsec-tunnel")
CT (CKA_NSS_TRUST_IPSEC_USER, "nss-trust-ipsec-user")
+#ifdef USE_STANDARD_TRUST
CT (CKA_NSS_TRUST_TIME_STAMPING, "nss-trust-time-stamping")
+#else
+ CT (CKA_NSS_TRUST_TIME_STAMPING, "trust-time-stamping")
+#endif
CT (CKA_NSS_TRUST_STEP_UP_APPROVED, "nss-trust-step-up-approved")
CT (CKA_NSS_CERT_SHA1_HASH, "nss-cert-sha1-hash")
CT (CKA_NSS_CERT_MD5_HASH, "nss-cert-md5-hash")
diff --color -ruNp a/common/persist.c b/common/persist.c
--- a/common/persist.c 2025-12-11 14:59:36.000000000 +0100
+++ b/common/persist.c 2026-01-22 09:48:34.018889748 +0100
@@ -296,11 +296,13 @@ format_ulong (CK_ATTRIBUTE *attr,
case CKA_NSS_TRUST_IPSEC_USER:
case CKA_NSS_TRUST_TIME_STAMPING:
case CKA_NSS_TRUST_STEP_UP_APPROVED:
+#ifdef USE_STANDARD_TRUST
case CKA_TRUST_SERVER_AUTH:
case CKA_TRUST_CLIENT_AUTH:
case CKA_TRUST_CODE_SIGNING:
case CKA_TRUST_EMAIL_PROTECTION:
case CKA_TRUST_TIME_STAMPING:
+#endif
case CKA_X_ASSERTION_TYPE:
case CKA_AUTH_PIN_FLAGS:
case CKA_HW_FEATURE_TYPE:
@@ -368,11 +370,13 @@ format_constant (CK_ATTRIBUTE *attr,
case CKA_NSS_TRUST_IPSEC_TUNNEL:
case CKA_NSS_TRUST_IPSEC_USER:
case CKA_NSS_TRUST_TIME_STAMPING:
+#ifdef USE_STANDARD_TRUST
case CKA_TRUST_SERVER_AUTH:
case CKA_TRUST_CLIENT_AUTH:
case CKA_TRUST_CODE_SIGNING:
case CKA_TRUST_EMAIL_PROTECTION:
case CKA_TRUST_TIME_STAMPING:
+#endif
table = p11_constant_trusts;
break;
case CKA_CLASS:
diff --color -ruNp a/common/pkcs11.h b/common/pkcs11.h
--- a/common/pkcs11.h 2025-12-11 14:59:36.000000000 +0100
+++ b/common/pkcs11.h 2026-01-22 09:46:29.803959838 +0100
@@ -578,12 +578,7 @@ extern "C" {
#define CKA_VALIDATION_PROFILE (0x629UL)
#define CKA_ENCAPSULATE_TEMPLATE (0x62AUL)
#define CKA_DECAPSULATE_TEMPLATE (0x62BUL)
-#define CKA_TRUST_SERVER_AUTH (0x62CUL)
-#define CKA_TRUST_CLIENT_AUTH (0x62DUL)
-#define CKA_TRUST_CODE_SIGNING (0x62EUL)
-#define CKA_TRUST_EMAIL_PROTECTION (0x62FUL)
#define CKA_TRUST_IPSEC_IKE (0x630UL)
-#define CKA_TRUST_TIME_STAMPING (0x631UL)
#define CKA_TRUST_OCSP_SIGNING (0x632UL)
#define CKA_ENCAPSULATE (0x633UL)
#define CKA_DECAPSULATE (0x634UL)
@@ -592,6 +587,22 @@ extern "C" {
#define CKA_SEED (0x637UL)
#define CKA_VENDOR_DEFINED ((unsigned long) (1UL << 31))
+#ifdef USE_STANDARD_TRUST
+/* Values introduced in PKCS#11 3.2 standard */
+#define CKA_TRUST_SERVER_AUTH (0x62CUL)
+#define CKA_TRUST_CLIENT_AUTH (0x62DUL)
+#define CKA_TRUST_CODE_SIGNING (0x62EUL)
+#define CKA_TRUST_EMAIL_PROTECTION (0x62FUL)
+#define CKA_TRUST_TIME_STAMPING (0x631UL)
+#elif !defined(PKCS11_X_H_)
+/* Legacy values that collide with PKCS#11 standard values */
+#define CKA_TRUST_SERVER_AUTH (0xce536358UL)
+#define CKA_TRUST_CLIENT_AUTH (0xce536359UL)
+#define CKA_TRUST_CODE_SIGNING (0xce53635aUL)
+#define CKA_TRUST_EMAIL_PROTECTION (0xce53635bUL)
+#define CKA_TRUST_TIME_STAMPING (0xce53635fUL)
+#endif
+
/* CK_CERTIFICATE_CATEGORY */
#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED (0UL)
#define CK_CERTIFICATE_CATEGORY_TOKEN_USER (1UL)
diff --color -ruNp a/common/pkcs11x.h b/common/pkcs11x.h
--- a/common/pkcs11x.h 2025-12-11 14:59:36.000000000 +0100
+++ b/common/pkcs11x.h 2026-01-22 09:46:39.783921400 +0100
@@ -98,6 +98,32 @@ extern "C" {
#define CKA_NSS_CERT_SHA1_HASH 0xce5363b4UL
#define CKA_NSS_CERT_MD5_HASH 0xce5363b5UL
+#ifndef USE_STANDARD_TRUST
+/* Legacy names */
+#define CKA_TRUST_DIGITAL_SIGNATURE CKA_NSS_TRUST_DIGITAL_SIGNATURE
+#define CKA_TRUST_NON_REPUDIATION CKA_NSS_TRUST_NON_REPUDIATION
+#define CKA_TRUST_KEY_ENCIPHERMENT CKA_NSS_TRUST_KEY_ENCIPHERMENT
+#define CKA_TRUST_DATA_ENCIPHERMENT CKA_NSS_TRUST_DATA_ENCIPHERMENT
+#define CKA_TRUST_KEY_AGREEMENT CKA_NSS_TRUST_KEY_AGREEMENT
+#define CKA_TRUST_KEY_CERT_SIGN CKA_NSS_TRUST_KEY_CERT_SIGN
+#define CKA_TRUST_CRL_SIGN CKA_NSS_TRUST_CRL_SIGN
+#define CKA_TRUST_IPSEC_END_SYSTEM CKA_NSS_TRUST_IPSEC_END_SYSTEM
+#define CKA_TRUST_IPSEC_TUNNEL CKA_NSS_TRUST_IPSEC_TUNNEL
+#define CKA_TRUST_IPSEC_USER CKA_NSS_TRUST_IPSEC_USER
+#define CKA_TRUST_STEP_UP_APPROVED CKA_NSS_TRUST_STEP_UP_APPROVED
+#define CKA_CERT_SHA1_HASH CKA_NSS_CERT_SHA1_HASH
+#define CKA_CERT_MD5_HASH CKA_NSS_CERT_MD5_HASH
+
+#ifndef PKCS11_H
+/* Legacy names that collide with PKCS#11 standard names */
+#define CKA_TRUST_SERVER_AUTH CKA_NSS_TRUST_SERVER_AUTH
+#define CKA_TRUST_CLIENT_AUTH CKA_NSS_TRUST_CLIENT_AUTH
+#define CKA_TRUST_CODE_SIGNING CKA_NSS_TRUST_CODE_SIGNING
+#define CKA_TRUST_EMAIL_PROTECTION CKA_NSS_TRUST_EMAIL_PROTECTION
+#define CKA_TRUST_TIME_STAMPING CKA_NSS_TRUST_TIME_STAMPING
+#endif
+#endif /* USE_STANDARD_TRUST */
+
/* NSS trust values */
typedef CK_ULONG CK_TRUST;
#define CKT_NSS_TRUSTED 0xce534351UL
diff --color -ruNp a/trust/builder.c b/trust/builder.c
--- a/trust/builder.c 2026-01-19 12:05:20.000000000 +0100
+++ b/trust/builder.c 2026-01-22 09:51:26.366291745 +0100
@@ -993,12 +993,15 @@ const static builder_schema trust_schema
{ CKA_SUBJECT, CREATE },
{ CKA_SERIAL_NUMBER, CREATE },
/* official trust attributes */
+#ifdef USE_STANDARD_TRUST
{ CKA_TRUST_SERVER_AUTH, CREATE },
{ CKA_TRUST_CLIENT_AUTH, CREATE },
{ CKA_TRUST_CODE_SIGNING, CREATE },
{ CKA_TRUST_EMAIL_PROTECTION, CREATE },
- { CKA_TRUST_IPSEC_IKE, CREATE },
{ CKA_TRUST_TIME_STAMPING, CREATE },
+#endif
+ /* these do not collide with legacy NSS names */
+ { CKA_TRUST_IPSEC_IKE, CREATE },
{ CKA_TRUST_OCSP_SIGNING, CREATE },
/* vendor trust attributes previuosly used by NSS */
{ CKA_NSS_TRUST_SERVER_AUTH, CREATE },
@@ -1363,12 +1366,14 @@ build_trust_object_eku (CK_ATTRIBUTE *ob
CK_ATTRIBUTE_TYPE type;
const char *oid;
} eku_attribute_map[] = {
+#ifdef USE_STANDARD_TRUST
/* official trust attributes */
{ CKA_TRUST_SERVER_AUTH, P11_OID_SERVER_AUTH_STR },
{ CKA_TRUST_CLIENT_AUTH, P11_OID_CLIENT_AUTH_STR },
{ CKA_TRUST_CODE_SIGNING, P11_OID_CODE_SIGNING_STR },
{ CKA_TRUST_EMAIL_PROTECTION, P11_OID_EMAIL_PROTECTION_STR },
{ CKA_TRUST_TIME_STAMPING, P11_OID_TIME_STAMPING_STR },
+#endif
/* vendor trust attributes previuosly used by NSS */
{ CKA_NSS_TRUST_SERVER_AUTH, P11_OID_SERVER_AUTH_STR },
{ CKA_NSS_TRUST_CLIENT_AUTH, P11_OID_CLIENT_AUTH_STR },
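Review bot: In the `common/constants.c` hunks the `#else` branches register `CKA_NSS_TRUST_SERVER_AUTH`, `CKA_NSS_TRUST_CLIENT_AUTH`, `CKA_NSS_TRUST_CODE_SIGNING`, `CKA_NSS_TRUST_EMAIL_PROTECTION` and `CKA_NSS_TRUST_TIME_STAMPING` under the nicks `trust-*`, while a `USE_STANDARD_TRUST` build gives those same nicks to the PKCS#11 3.2 attributes and keeps `nss-trust-*` for the vendor ones. If these nicks are what the persist format writes and parses (not visible in this patch), the same `trust-server-auth` line would resolve to a different attribute type depending on how the library was built, and a legacy build would have no entry for `nss-trust-server-auth`. A comment on each `#else` block would make that explicit, for example `/* legacy build: vendor attribute keeps the pre-3.2 nick; "nss-trust-*" nicks are not registered */`, and a round-trip test of a trust file under both settings would guard it. Separately, the legacy numeric values in `common/pkcs11.h` (`0xce536358UL` and its siblings) are written out a second time rather than derived from the `CKA_NSS_TRUST_*` definitions, whose values this patch does not show, so their agreement is worth checking at build time.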


@ -1,6 +1,6 @@
# This spec file has been automatically updated
Version: 0.25.3
Release: 3%{?dist}
Version: 0.26.2
Release: 1%{?dist}
Name: p11-kit
Summary: Library for loading and sharing PKCS#11 modules
@ -12,8 +12,9 @@ Source2: https://p11-glue.github.io/p11-glue/p11-kit/p11-kit-release-keyr
Source3: trust-extract-compat
Source4: p11-kit-client.service
Patch: 001-static-analysis.patch
Patch: p11-kit-0.25.5-trust-file-length.patch
# Support for legacy PKCS11 definitions to prevent backwards incompatibility
# Remove this in RHEL-11
Patch0: p11-kit-0.26.1-pkcs11-legacy-defs.patch
BuildRequires: gcc
BuildRequires: libtasn1-devel >= 2.3
@ -22,7 +23,7 @@ BuildRequires: gettext
BuildRequires: gtk-doc
BuildRequires: meson
BuildRequires: systemd-devel
BuildRequires: bash-completion
BuildRequires: pkgconfig(bash-completion)
# Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147
# Remove this once it is fixed
BuildRequires: pkgconfig(glib-2.0)
@ -57,9 +58,21 @@ The %{name}-trust package contains a system trust PKCS#11 module which
contains certificate anchors and blocklists.
%package server
Summary: Server and client commands for %{name}
%package client
Summary: Client module from %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-server < 0.25.5-8
%description client
The %{name}-client package contains a PKCS#11 module that enables
accessing other PKCS#11 modules over a Unix domain socket. Note that
this feature is still experimental.
%package server
Summary: Server command for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-server < 0.25.5-8
%description server
The %{name}-server package contains command line tools that enable to
@ -82,7 +95,7 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%autosetup -p1
%build
# These paths are the source paths that come from the plan here:
# These paths are the source paths that come from the plan here:
# https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks
%meson -Dgtk_doc=true -Dman=true -Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source
%meson_build
@ -103,12 +116,12 @@ install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir}
%post trust
%{_sbindir}/alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
%postun trust
if [ $1 -eq 0 ] ; then
# package removal
%{_sbindir}/alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
fi
@ -121,6 +134,7 @@ fi
%dir %{_sysconfdir}/pkcs11/modules
%dir %{_datadir}/p11-kit
%dir %{_datadir}/p11-kit/modules
%dir %{_libdir}/pkcs11
%dir %{_libexecdir}/p11-kit
%{_bindir}/p11-kit
%{_libdir}/libp11-kit.so.*
@ -130,6 +144,7 @@ fi
%{_mandir}/man8/p11-kit.8.gz
%{_mandir}/man5/pkcs11.conf.5.gz
%{_datadir}/bash-completion/completions/p11-kit
%{_datadir}/zsh/site-functions/_p11-kit
%files devel
%{_includedir}/p11-kit-1/
@ -139,25 +154,41 @@ fi
%files trust
%{_bindir}/trust
%dir %{_libdir}/pkcs11
%ghost %{_libdir}/libnssckbi.so
%{_libdir}/pkcs11/p11-kit-trust.so
%{_datadir}/p11-kit/modules/p11-kit-trust.module
%{_libexecdir}/p11-kit/trust-extract-compat
%{_datadir}/bash-completion/completions/trust
%{_datadir}/zsh/site-functions/_trust
%files server
%files client
%{_libdir}/pkcs11/p11-kit-client.so
%{_userunitdir}/p11-kit-client.service
%files server
%{_libexecdir}/p11-kit/p11-kit-server
%{_userunitdir}/p11-kit-server.service
%{_userunitdir}/p11-kit-server.socket
%changelog
* Tue Feb 10 2026 Zoltan Fridrich <zfridric@redhat.com> - 0.26.2-1
- Rebase to 0.26.2
Resolves: RHEL-147825
* Thu Jan 22 2026 Zoltan Fridrich <zfridric@redhat.com> - 0.26.1-1
- Rebase to 0.26.1
Resolves: RHEL-139075, RHEL-118361, RHEL-126132
* Mon Sep 22 2025 Zoltan Fridrich <zfridric@redhat.com> - 0.25.10-1
- Update to new upstream release 0.25.10
Resolves: RHEL-115453
* Fri Oct 25 2024 Zoltan Fridrich <zfridric@redhat.com> - 0.25.3-3
- Fix regression in trust where file creation fails for long cert labels
Resolves: RHEL-64917
Resolves: RHEL-58899
- Fix usage message in p11-kit list-tokens command
Resolves: RHEL-31810
* Thu Nov 23 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.25.3-2
- Fix issues found by static analysis
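Review bot: Both the new `client` subpackage and `server` carry `Obsoletes: %{name}-server < 0.25.5-8`, but the changelog added in this same section lists a build `0.25.10-1`, which is newer than that boundary. If that build still shipped `p11-kit-client.so` inside `%{name}-server` (the diff base here is 0.25.3-3, so this page cannot settle it), an upgrade from it would not pull in `%{name}-client`, and the client module and `p11-kit-client.service` would disappear from the system. The boundary may have been carried over from a different release numbering; it should name the first EL build that has the split, i.e. `Obsoletes: %{name}-server < <first-el9-evr-with-client-split>` on the `client` package. The same line on `server` only refers to the package's own older builds and can probably be dropped.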