From aeb28523d1d15b8421a46dc20e9604eaf65d92f3 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Tue, 19 May 2026 20:14:43 -0400
Subject: [PATCH] import UBI p11-kit-0.26.2-1.el9

---
 .gitignore | 4 +-
 .p11-kit.metadata | 6 +-
 SOURCES/001-static-analysis.patch | 298 ------------------
 .../p11-kit-0.25.5-trust-file-length.patch | 73 -----
 .../p11-kit-0.26.1-pkcs11-legacy-defs.patch | 224 +++++++++++++
 SPECS/p11-kit.spec | 57 +++-
 6 files changed, 273 insertions(+), 389 deletions(-)
 delete mode 100644 SOURCES/001-static-analysis.patch
 delete mode 100644 SOURCES/p11-kit-0.25.5-trust-file-length.patch
 create mode 100644 SOURCES/p11-kit-0.26.1-pkcs11-legacy-defs.patch

diff --git a/.gitignore b/.gitignore
index 8c951cf..0259a7e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/p11-kit-0.25.3.tar.xz
-SOURCES/p11-kit-0.25.3.tar.xz.sig
+SOURCES/p11-kit-0.26.2.tar.xz
+SOURCES/p11-kit-0.26.2.tar.xz.sig
 SOURCES/p11-kit-release-keyring.gpg
diff --git a/.p11-kit.metadata b/.p11-kit.metadata
index e4756ad..5b609da 100644
--- a/.p11-kit.metadata
+++ b/.p11-kit.metadata
@@ -1,3 +1,3 @@
-796f3b69cad054a52e04f520459beaaab936b99f SOURCES/p11-kit-0.25.3.tar.xz
-4133131840ef3f9609403fe391ce414878bcb9f1 SOURCES/p11-kit-0.25.3.tar.xz.sig
-6fecd5be3ee12d07f6f61a65e18523ee03e0f925 SOURCES/p11-kit-release-keyring.gpg
+c6aa53aa656b4ba4b066e1f2c8d7d4870562ec46 SOURCES/p11-kit-0.26.2.tar.xz
+94bb171d48aa99733e4f171a3b57509caddd6486 SOURCES/p11-kit-0.26.2.tar.xz.sig
+0f7896b12a7eaea6919d3213795bcf328240826e SOURCES/p11-kit-release-keyring.gpg
diff --git a/SOURCES/001-static-analysis.patch b/SOURCES/001-static-analysis.patch
deleted file mode 100644
index a86486a..0000000
--- a/SOURCES/001-static-analysis.patch
+++ /dev/null
@@ -1,298 +0,0 @@ -From 58cd1c05e001a4fe250c15f3599e79974bc509e3 Mon Sep 17 00:00:00 2001 -From: Zoltan Fridrich -Date: Thu, 16 Nov 2023 10:12:14 +0100 -Subject: [PATCH] Fix issues found by static analysis - -Signed-off-by: Zoltan Fridrich ---- - common/frob-getprogname.c | 4 ++-- - common/test.c | 4 +--- - p11-kit/generate-keypair.c | 25 +++++++++---------------- - p11-kit/import-object.c | 22 +++++----------------- - p11-kit/lists.c | 1 + - p11-kit/print-config.c | 4 +++- - p11-kit/rpc-client.c | 6 ++++-- - p11-kit/test-uri.c | 4 ++-- - trust/test-trust.c | 2 +- - 9 files changed, 28 insertions(+), 44 deletions(-) - -diff --git a/common/frob-getprogname.c b/common/frob-getprogname.c -index ead658cc8..46e3b7fd3 100644 ---- a/common/frob-getprogname.c -+++ b/common/frob-getprogname.c -@@ -76,14 +76,14 @@ main (int argc, - execv (BUILDDIR "/common/frob-getprogname" EXEEXT, args); - } else { - int status; -- char buffer[1024]; -+ char buffer[1024] = { 0 }; - size_t offset = 0; - ssize_t nread; - char *p; - - close (pfds[1]); - while (1) { -- nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset); -+ nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset - 1); - if (nread < 0) { - perror ("read"); - exit (EXIT_FAILURE); -diff --git a/common/test.c b/common/test.c -index 3ed98da01..6cdbd1fa2 100644 ---- a/common/test.c -+++ b/common/test.c -@@ -272,7 +272,6 @@ p11_testx (void (* function) (void *), - test_item item = { TEST, }; - va_list va; - -- item.type = TEST; - item.x.test.func = function; - item.x.test.argument = argument; - -@@ -287,9 +286,8 @@ void - p11_fixture (void (* setup) (void *), - void (* teardown) (void *)) - { -- test_item item; -+ test_item item = { FIXTURE, }; - -- item.type = FIXTURE; - item.x.fix.setup = setup; - item.x.fix.teardown = teardown; - -diff --git a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c -index 49dc11830..695103d1d 100644 ---- a/p11-kit/generate-keypair.c -+++ b/p11-kit/generate-keypair.c -@@ -351,7 
+351,7 @@ int - p11_kit_generate_keypair (int argc, - char *argv[]) - { -- int opt, ret = 2; -+ int opt, ret; - char *label = NULL; - CK_ULONG bits = 0; - const uint8_t *ec_params = NULL; -@@ -396,31 +396,27 @@ p11_kit_generate_keypair (int argc, - while ((opt = p11_tool_getopt (argc, argv, options)) != -1) { - switch (opt) { - case opt_label: -- label = strdup (optarg); -- if (label == NULL) { -- p11_message (_("failed to allocate memory")); -- goto cleanup; -- } -+ label = optarg; - break; - case opt_type: - mechanism = get_mechanism (optarg); - if (mechanism.mechanism == CKA_INVALID) { - p11_message (_("unknown mechanism type: %s"), optarg); -- goto cleanup; -+ return 2; - } - break; - case opt_bits: - bits = strtol (optarg, NULL, 10); - if (bits == 0) { - p11_message (_("failed to parse bits value: %s"), optarg); -- goto cleanup; -+ return 2; - } - break; - case opt_curve: - ec_params = get_ec_params (optarg, &ec_params_len); - if (ec_params == NULL) { - p11_message (_("unknown curve name: %s"), optarg); -- goto cleanup; -+ return 2; - } - break; - case opt_login: -@@ -434,10 +430,9 @@ p11_kit_generate_keypair (int argc, - break; - case opt_help: - p11_tool_usage (usages, options); -- ret = 0; -- goto cleanup; -+ return 0; - case '?': -- goto cleanup; -+ return 2; - default: - assert_not_reached (); - break; -@@ -449,11 +444,11 @@ p11_kit_generate_keypair (int argc, - - if (argc != 1) { - p11_tool_usage (usages, options); -- goto cleanup; -+ return 2; - } - - if (!check_args (mechanism.mechanism, bits, ec_params)) -- goto cleanup; -+ return 2; - - #ifdef OS_UNIX - /* Register a fallback PIN callback that reads from terminal. 
-@@ -464,11 +459,9 @@ p11_kit_generate_keypair (int argc, - - ret = generate_keypair (*argv, label, mechanism, bits, ec_params, ec_params_len, login); - --cleanup: - #ifdef OS_UNIX - p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL); - #endif -- free (label); - - return ret; - } -diff --git a/p11-kit/import-object.c b/p11-kit/import-object.c -index 270a0e027..feee07659 100644 ---- a/p11-kit/import-object.c -+++ b/p11-kit/import-object.c -@@ -500,7 +500,7 @@ int - p11_kit_import_object (int argc, - char *argv[]) - { -- int opt, ret = 2; -+ int opt, ret; - char *label = NULL; - char *file = NULL; - bool login = false; -@@ -536,18 +536,10 @@ p11_kit_import_object (int argc, - while ((opt = p11_tool_getopt (argc, argv, options)) != -1) { - switch (opt) { - case opt_label: -- label = strdup (optarg); -- if (label == NULL) { -- p11_message (_("failed to allocate memory")); -- goto cleanup; -- } -+ label = optarg; - break; - case opt_file: -- file = strdup (optarg); -- if (file == NULL) { -- p11_message (_("failed to allocate memory")); -- goto cleanup; -- } -+ file = optarg; - break; - case opt_login: - login = true; -@@ -574,12 +566,12 @@ p11_kit_import_object (int argc, - - if (argc != 1) { - p11_tool_usage (usages, options); -- goto cleanup; -+ return 2; - } - - if (file == NULL) { - p11_message (_("no file specified")); -- goto cleanup; -+ return 2; - } - - #ifdef OS_UNIX -@@ -595,10 +587,6 @@ p11_kit_import_object (int argc, - p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL); - #endif - --cleanup: -- free (label); -- free (file); -- - return ret; - } - -diff --git a/p11-kit/lists.c b/p11-kit/lists.c -index df58beb3f..007bb0f12 100644 ---- a/p11-kit/lists.c -+++ b/p11-kit/lists.c -@@ -295,6 +295,7 @@ print_modules (void) - if (rv != CKR_OK) { - p11_message (_("couldn't load module info: %s"), - p11_kit_strerror (rv)); -+ p11_kit_modules_finalize_and_release (module_list); - return 1; - } - -diff --git a/p11-kit/print-config.c 
b/p11-kit/print-config.c -index 173b55feb..29daf3871 100644 ---- a/p11-kit/print-config.c -+++ b/p11-kit/print-config.c -@@ -74,8 +74,10 @@ print_config (void) - P11_PACKAGE_CONFIG_MODULES, - P11_SYSTEM_CONFIG_MODULES, - P11_USER_CONFIG_MODULES); -- if (modules_conf == NULL) -+ if (modules_conf == NULL) { -+ p11_dict_free (global_conf); - return 1; -+ } - - printf ("[global]\n"); - p11_dict_iterate (global_conf, &i); -diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c -index fb39103eb..19b628b1a 100644 ---- a/p11-kit/rpc-client.c -+++ b/p11-kit/rpc-client.c -@@ -173,6 +173,8 @@ call_done (rpc_client *module, - p11_rpc_message *msg, - CK_RV ret) - { -+ p11_buffer *buf; -+ - assert (module != NULL); - assert (msg != NULL); - -@@ -189,9 +191,9 @@ call_done (rpc_client *module, - - /* We used the same buffer for input/output, so this frees both */ - assert (msg->input == msg->output); -- p11_rpc_buffer_free (msg->input); -- -+ buf = msg->input; - p11_rpc_message_clear (msg); -+ p11_rpc_buffer_free (buf); - - return ret; - } -diff --git a/p11-kit/test-uri.c b/p11-kit/test-uri.c -index 32e8da703..18b7a108a 100644 ---- a/p11-kit/test-uri.c -+++ b/p11-kit/test-uri.c -@@ -1019,7 +1019,7 @@ test_uri_get_set_unrecognized (void) - static void - test_uri_match_token (void) - { -- CK_TOKEN_INFO token; -+ CK_TOKEN_INFO token = { 0 }; - P11KitUri *uri; - int ret; - -@@ -1056,7 +1056,7 @@ test_uri_match_token (void) - static void - test_uri_match_module (void) - { -- CK_INFO info; -+ CK_INFO info = { 0 }; - P11KitUri *uri; - int ret; - -diff --git a/trust/test-trust.c b/trust/test-trust.c -index 29b2797b5..3b27a1f31 100644 ---- a/trust/test-trust.c -+++ b/trust/test-trust.c -@@ -258,7 +258,7 @@ test_check_symlink_msg (const char *file, - if (asprintf (&filename, "%s/%s", directory, name) < 0) - assert_not_reached (); - -- if (readlink (filename, buf, sizeof (buf)) < 0) -+ if (readlink (filename, buf, sizeof (buf) - 1) < 0) - p11_test_fail (file, line, function, "Couldn't read 
symlink: %s", filename); - - if (strcmp (destination, buf) != 0) diff --git a/SOURCES/p11-kit-0.25.5-trust-file-length.patch b/SOURCES/p11-kit-0.25.5-trust-file-length.patch deleted file mode 100644 index d84f858..0000000 --- a/SOURCES/p11-kit-0.25.5-trust-file-length.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From a8b94642dbe6d52aa7a7805fbb60b64c4cfd7245 Mon Sep 17 00:00:00 2001 -From: Zoltan Fridrich -Date: Thu, 3 Oct 2024 11:34:14 +0200 -Subject: [PATCH] trust: don't create file names longer then 255 - -Signed-off-by: Zoltan Fridrich ---- - trust/save.c | 19 ++++++++++++++++--- - 1 file changed, 16 insertions(+), 3 deletions(-) - -diff --git a/trust/save.c b/trust/save.c -index 057a9c5e3..acabcbf6d 100644 ---- a/trust/save.c -+++ b/trust/save.c -@@ -61,6 +61,8 @@ - #define O_DIRECTORY 0 - #endif - -+#define MAX_FILE_NAME 255 -+ - struct _p11_save_file { - char *bare; - char *extension; -@@ -414,12 +416,23 @@ make_unique_name (const char *bare, - p11_buffer buf; - int ret; - int i; -+ int bare_len, ext_len, diff; - - assert (bare != NULL); - assert (check != NULL); - - p11_buffer_init_null (&buf, 0); - -+ /* -+ * Make sure the name will not be longer then MAX_FILE_NAME -+ */ -+ bare_len = strlen (bare); -+ ext_len = extension ? strlen (extension) : 0; -+ diff = bare_len + ext_len + sizeof (unique) - MAX_FILE_NAME; -+ if (diff > 0) -+ bare_len -= diff; -+ return_val_if_fail (bare_len > 0, NULL); -+ - for (i = 0; true; i++) { - - p11_buffer_reset (&buf, 64); -@@ -431,7 +444,7 @@ make_unique_name (const char *bare, - * provided by the caller. - */ - case 0: -- p11_buffer_add (&buf, bare, -1); -+ p11_buffer_add (&buf, bare, bare_len); - break; - - /* -@@ -448,14 +461,14 @@ make_unique_name (const char *bare, - /* fall through */ - - default: -- p11_buffer_add (&buf, bare, -1); -+ p11_buffer_add (&buf, bare, bare_len); - snprintf (unique, sizeof (unique), ".%d", i); - p11_buffer_add (&buf, unique, -1); - break; - } - - if (extension) -- p11_buffer_add (&buf, extension, -1); -+ p11_buffer_add (&buf, extension, ext_len); - - return_val_if_fail (p11_buffer_ok (&buf), NULL); - diff --git a/SOURCES/p11-kit-0.26.1-pkcs11-legacy-defs.patch b/SOURCES/p11-kit-0.26.1-pkcs11-legacy-defs.patch new file mode 100644 index 0000000..2a431b1 --- /dev/null 
+++ b/SOURCES/p11-kit-0.26.1-pkcs11-legacy-defs.patch 
@@ -0,0 +1,224 @@
+diff --color -ruNp a/common/attrs.c b/common/attrs.c
+--- a/common/attrs.c 2025-12-11 14:59:36.000000000 +0100
++++ b/common/attrs.c 2026-01-22 09:47:40.761892180 +0100
+@@ -638,13 +638,15 @@ attribute_is_trust_value (const CK_ATTRI
+ case CKA_NSS_TRUST_IPSEC_TUNNEL:
+ case CKA_NSS_TRUST_IPSEC_USER:
+ case CKA_NSS_TRUST_TIME_STAMPING:
++ case CKA_TRUST_IPSEC_IKE:
++ case CKA_TRUST_OCSP_SIGNING:
++#ifdef USE_STANDARD_TRUST
+ case CKA_TRUST_SERVER_AUTH:
+ case CKA_TRUST_CLIENT_AUTH:
+ case CKA_TRUST_CODE_SIGNING:
+ case CKA_TRUST_EMAIL_PROTECTION:
+- case CKA_TRUST_IPSEC_IKE:
+ case CKA_TRUST_TIME_STAMPING:
+- case CKA_TRUST_OCSP_SIGNING:
++#endif
+ break;
+ default:
+ return false;
+@@ -734,12 +736,14 @@ attribute_is_sensitive (const CK_ATTRIBU
+ X (CKA_DEFAULT_CMS_ATTRIBUTES)
+ X (CKA_SUPPORTED_CMS_ATTRIBUTES)
+ X (CKA_ALLOWED_MECHANISMS)
++#ifdef USE_STANDARD_TRUST
+ X (CKA_TRUST_SERVER_AUTH)
+ X (CKA_TRUST_CLIENT_AUTH)
+ X (CKA_TRUST_CODE_SIGNING)
+ X (CKA_TRUST_EMAIL_PROTECTION)
+- X (CKA_TRUST_IPSEC_IKE)
+ X (CKA_TRUST_TIME_STAMPING)
++#endif
++ X (CKA_TRUST_IPSEC_IKE)
+ X (CKA_TRUST_OCSP_SIGNING)
+ X (CKA_X_ASSERTION_TYPE)
+ X (CKA_X_CERTIFICATE_VALUE)
+diff --color -ruNp a/common/constants.c b/common/constants.c
+--- a/common/constants.c 2025-12-11 14:59:36.000000000 +0100
++++ b/common/constants.c 2026-01-22 09:48:12.843493106 +0100
+@@ -198,12 +198,16 @@ const p11_constant p11_constant_types[]
+ CT (CKA_VALIDATION_PROFILE, "validation-profile")
+ CT (CKA_ENCAPSULATE_TEMPLATE, "encapsulate-template")
+ CT (CKA_DECAPSULATE_TEMPLATE, "decapsulate_template")
++#ifdef USE_STANDARD_TRUST
+ CT (CKA_TRUST_SERVER_AUTH, "trust-server-auth")
+ CT (CKA_TRUST_CLIENT_AUTH, "trust-client-auth")
+ CT (CKA_TRUST_CODE_SIGNING, "trust-code-signing")
+ CT (CKA_TRUST_EMAIL_PROTECTION, "trust-email-protection")
++#endif
+ CT (CKA_TRUST_IPSEC_IKE, "trust-ipsec-ike")
++#ifdef USE_STANDARD_TRUST
+ CT (CKA_TRUST_TIME_STAMPING, "trust-time-stamping")
++#endif
+ CT (CKA_TRUST_OCSP_SIGNING, "trust-ocsp-signing")
+ CT (CKA_ENCAPSULATE, "encapsulate")
+ CT (CKA_DECAPSULATE, "decapsulate")
+@@ -267,14 +271,25 @@ const p11_constant p11_constant_types[]
+ CT (CKA_NSS_TRUST_KEY_AGREEMENT, "nss-trust-key-agreement")
+ CT (CKA_NSS_TRUST_KEY_CERT_SIGN, "nss-trust-key-cert-sign")
+ CT (CKA_NSS_TRUST_CRL_SIGN, "nss-trust-crl-sign")
++#ifdef USE_STANDARD_TRUST
+ CT (CKA_NSS_TRUST_SERVER_AUTH, "nss-trust-server-auth")
+ CT (CKA_NSS_TRUST_CLIENT_AUTH, "nss-trust-client-auth")
+ CT (CKA_NSS_TRUST_CODE_SIGNING, "nss-trust-code-signing")
+ CT (CKA_NSS_TRUST_EMAIL_PROTECTION, "nss-trust-email-protection")
++#else
++ CT (CKA_NSS_TRUST_SERVER_AUTH, "trust-server-auth")
++ CT (CKA_NSS_TRUST_CLIENT_AUTH, "trust-client-auth")
++ CT (CKA_NSS_TRUST_CODE_SIGNING, "trust-code-signing")
++ CT (CKA_NSS_TRUST_EMAIL_PROTECTION, "trust-email-protection")
++#endif
+ CT (CKA_NSS_TRUST_IPSEC_END_SYSTEM, "nss-trust-ipsec-end-system")
+ CT (CKA_NSS_TRUST_IPSEC_TUNNEL, "nss-trust-ipsec-tunnel")
+ CT (CKA_NSS_TRUST_IPSEC_USER, "nss-trust-ipsec-user")
++#ifdef USE_STANDARD_TRUST
+ CT (CKA_NSS_TRUST_TIME_STAMPING, "nss-trust-time-stamping")
++#else
++ CT (CKA_NSS_TRUST_TIME_STAMPING, "trust-time-stamping")
++#endif
+ CT (CKA_NSS_TRUST_STEP_UP_APPROVED, "nss-trust-step-up-approved")
+ CT (CKA_NSS_CERT_SHA1_HASH, "nss-cert-sha1-hash")
+ CT (CKA_NSS_CERT_MD5_HASH, "nss-cert-md5-hash")
+diff --color -ruNp a/common/persist.c b/common/persist.c
+--- a/common/persist.c 2025-12-11 14:59:36.000000000 +0100
++++ b/common/persist.c 2026-01-22 09:48:34.018889748 +0100
+@@ -296,11 +296,13 @@ format_ulong (CK_ATTRIBUTE *attr,
+ case CKA_NSS_TRUST_IPSEC_USER:
+ case CKA_NSS_TRUST_TIME_STAMPING:
+ case CKA_NSS_TRUST_STEP_UP_APPROVED:
++#ifdef USE_STANDARD_TRUST
+ case CKA_TRUST_SERVER_AUTH:
+ case CKA_TRUST_CLIENT_AUTH:
+ case CKA_TRUST_CODE_SIGNING:
+ case CKA_TRUST_EMAIL_PROTECTION:
+ case CKA_TRUST_TIME_STAMPING:
++#endif
+ case CKA_X_ASSERTION_TYPE:
+ case CKA_AUTH_PIN_FLAGS:
+ case CKA_HW_FEATURE_TYPE:
+@@ -368,11 +370,13 @@ format_constant (CK_ATTRIBUTE *attr,
+ case CKA_NSS_TRUST_IPSEC_TUNNEL:
+ case CKA_NSS_TRUST_IPSEC_USER:
+ case CKA_NSS_TRUST_TIME_STAMPING:
++#ifdef USE_STANDARD_TRUST
+ case CKA_TRUST_SERVER_AUTH:
+ case CKA_TRUST_CLIENT_AUTH:
+ case CKA_TRUST_CODE_SIGNING:
+ case CKA_TRUST_EMAIL_PROTECTION:
+ case CKA_TRUST_TIME_STAMPING:
++#endif
+ table = p11_constant_trusts;
+ break;
+ case CKA_CLASS:
+diff --color -ruNp a/common/pkcs11.h b/common/pkcs11.h
+--- a/common/pkcs11.h 2025-12-11 14:59:36.000000000 +0100
++++ b/common/pkcs11.h 2026-01-22 09:46:29.803959838 +0100
+@@ -578,12 +578,7 @@ extern "C" {
+ #define CKA_VALIDATION_PROFILE (0x629UL)
+ #define CKA_ENCAPSULATE_TEMPLATE (0x62AUL)
+ #define CKA_DECAPSULATE_TEMPLATE (0x62BUL)
+-#define CKA_TRUST_SERVER_AUTH (0x62CUL)
+-#define CKA_TRUST_CLIENT_AUTH (0x62DUL)
+-#define CKA_TRUST_CODE_SIGNING (0x62EUL)
+-#define CKA_TRUST_EMAIL_PROTECTION (0x62FUL)
+ #define CKA_TRUST_IPSEC_IKE (0x630UL)
+-#define CKA_TRUST_TIME_STAMPING (0x631UL)
+ #define CKA_TRUST_OCSP_SIGNING (0x632UL)
+ #define CKA_ENCAPSULATE (0x633UL)
+ #define CKA_DECAPSULATE (0x634UL)
+@@ -592,6 +587,22 @@ extern "C" {
+ #define CKA_SEED (0x637UL)
+ #define CKA_VENDOR_DEFINED ((unsigned long) (1UL << 31))
+ 
++#ifdef USE_STANDARD_TRUST
++/* Values introduced in PKCS#11 3.2 standard */
++#define CKA_TRUST_SERVER_AUTH (0x62CUL)
++#define CKA_TRUST_CLIENT_AUTH (0x62DUL)
++#define CKA_TRUST_CODE_SIGNING (0x62EUL)
++#define CKA_TRUST_EMAIL_PROTECTION (0x62FUL)
++#define CKA_TRUST_TIME_STAMPING (0x631UL)
++#elif !defined(PKCS11_X_H_)
++/* Legacy values that collide with PKCS#11 standard values */
++#define CKA_TRUST_SERVER_AUTH (0xce536358UL)
++#define CKA_TRUST_CLIENT_AUTH (0xce536359UL)
++#define CKA_TRUST_CODE_SIGNING (0xce53635aUL)
++#define CKA_TRUST_EMAIL_PROTECTION (0xce53635bUL)
++#define CKA_TRUST_TIME_STAMPING (0xce53635fUL)
++#endif
++
+ /* CK_CERTIFICATE_CATEGORY */
+ #define CK_CERTIFICATE_CATEGORY_UNSPECIFIED (0UL)
+ #define CK_CERTIFICATE_CATEGORY_TOKEN_USER (1UL)
+diff --color -ruNp a/common/pkcs11x.h b/common/pkcs11x.h
+--- a/common/pkcs11x.h 2025-12-11 14:59:36.000000000 +0100
++++ b/common/pkcs11x.h 2026-01-22 09:46:39.783921400 +0100
+@@ -98,6 +98,32 @@ extern "C" {
+ #define CKA_NSS_CERT_SHA1_HASH 0xce5363b4UL
+ #define CKA_NSS_CERT_MD5_HASH 0xce5363b5UL
+ 
++#ifndef USE_STANDARD_TRUST
++/* Legacy names */
++#define CKA_TRUST_DIGITAL_SIGNATURE CKA_NSS_TRUST_DIGITAL_SIGNATURE
++#define CKA_TRUST_NON_REPUDIATION CKA_NSS_TRUST_NON_REPUDIATION
++#define CKA_TRUST_KEY_ENCIPHERMENT CKA_NSS_TRUST_KEY_ENCIPHERMENT
++#define CKA_TRUST_DATA_ENCIPHERMENT CKA_NSS_TRUST_DATA_ENCIPHERMENT
++#define CKA_TRUST_KEY_AGREEMENT CKA_NSS_TRUST_KEY_AGREEMENT
++#define CKA_TRUST_KEY_CERT_SIGN CKA_NSS_TRUST_KEY_CERT_SIGN
++#define CKA_TRUST_CRL_SIGN CKA_NSS_TRUST_CRL_SIGN
++#define CKA_TRUST_IPSEC_END_SYSTEM CKA_NSS_TRUST_IPSEC_END_SYSTEM
++#define CKA_TRUST_IPSEC_TUNNEL CKA_NSS_TRUST_IPSEC_TUNNEL
++#define CKA_TRUST_IPSEC_USER CKA_NSS_TRUST_IPSEC_USER
++#define CKA_TRUST_STEP_UP_APPROVED CKA_NSS_TRUST_STEP_UP_APPROVED
++#define CKA_CERT_SHA1_HASH CKA_NSS_CERT_SHA1_HASH
++#define CKA_CERT_MD5_HASH CKA_NSS_CERT_MD5_HASH
++
++#ifndef PKCS11_H
++/* Legacy names that collide with PKCS#11 standard names */
++#define CKA_TRUST_SERVER_AUTH CKA_NSS_TRUST_SERVER_AUTH
++#define CKA_TRUST_CLIENT_AUTH CKA_NSS_TRUST_CLIENT_AUTH
++#define CKA_TRUST_CODE_SIGNING CKA_NSS_TRUST_CODE_SIGNING
++#define CKA_TRUST_EMAIL_PROTECTION CKA_NSS_TRUST_EMAIL_PROTECTION
++#define CKA_TRUST_TIME_STAMPING CKA_NSS_TRUST_TIME_STAMPING
++#endif
++#endif /* USE_STANDARD_TRUST */
++
+ /* NSS trust values */
+ typedef CK_ULONG CK_TRUST;
+ #define CKT_NSS_TRUSTED 0xce534351UL
+diff --color -ruNp a/trust/builder.c b/trust/builder.c
+--- a/trust/builder.c 2026-01-19 12:05:20.000000000 +0100
++++ b/trust/builder.c 2026-01-22 09:51:26.366291745 +0100
+@@ -993,12 +993,15 @@ const static builder_schema trust_schema
+ { CKA_SUBJECT, CREATE },
+ { CKA_SERIAL_NUMBER, CREATE },
+ /* official trust attributes */
++#ifdef USE_STANDARD_TRUST
+ { CKA_TRUST_SERVER_AUTH, CREATE },
+ { CKA_TRUST_CLIENT_AUTH, CREATE },
+ { CKA_TRUST_CODE_SIGNING, CREATE },
+ { CKA_TRUST_EMAIL_PROTECTION, CREATE },
+- { CKA_TRUST_IPSEC_IKE, CREATE },
+ { CKA_TRUST_TIME_STAMPING, CREATE },
++#endif
++ /* these do not collide with legacy NSS names */
++ { CKA_TRUST_IPSEC_IKE, CREATE },
+ { CKA_TRUST_OCSP_SIGNING, CREATE },
+ /* vendor trust attributes previuosly used by NSS */
+ { CKA_NSS_TRUST_SERVER_AUTH, CREATE },
+@@ -1363,12 +1366,14 @@ build_trust_object_eku (CK_ATTRIBUTE *ob
+ CK_ATTRIBUTE_TYPE type;
+ const char *oid;
+ } eku_attribute_map[] = {
++#ifdef USE_STANDARD_TRUST
+ /* official trust attributes */
+ { CKA_TRUST_SERVER_AUTH, P11_OID_SERVER_AUTH_STR },
+ { CKA_TRUST_CLIENT_AUTH, P11_OID_CLIENT_AUTH_STR },
+ { CKA_TRUST_CODE_SIGNING, P11_OID_CODE_SIGNING_STR },
+ { CKA_TRUST_EMAIL_PROTECTION, P11_OID_EMAIL_PROTECTION_STR },
+ { CKA_TRUST_TIME_STAMPING, P11_OID_TIME_STAMPING_STR },
++#endif
+ /* vendor trust attributes previuosly used by NSS */
+ { CKA_NSS_TRUST_SERVER_AUTH, P11_OID_SERVER_AUTH_STR },
+ { CKA_NSS_TRUST_CLIENT_AUTH, P11_OID_CLIENT_AUTH_STR },
diff --git a/SPECS/p11-kit.spec b/SPECS/p11-kit.spec
index 7705aa8..2188bc1 100644
--- a/SPECS/p11-kit.spec
+++ b/SPECS/p11-kit.spec
@@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 0.25.3 -Release: 3%{?dist} +Version: 0.26.2 +Release: 1%{?dist} Name: p11-kit Summary: Library for loading and sharing PKCS#11 modules 
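Review bot: The `#elif !defined(PKCS11_X_H_)` branch added to common/pkcs11.h repeats the NSS vendor values (0xce536358UL … 0xce53635fUL) as bare literals, while the block added to common/pkcs11x.h defines the same five names as aliases of CKA_NSS_TRUST_*; nothing checks that the two headers agree, so a single edited digit makes the trust attributes silently disagree between translation units depending on include order. A compile-time guard in the `#else` arm of the new `#ifndef PKCS11_H` in pkcs11x.h, one per name, would catch drift: `#if CKA_TRUST_SERVER_AUTH != CKA_NSS_TRUST_SERVER_AUTH`, `#error "legacy CKA_TRUST_* values out of sync with CKA_NSS_TRUST_*"`, `#endif`. The cross-header guards also assume that `PKCS11_X_H_` and `PKCS11_H` are the include-guard macros of pkcs11x.h and pkcs11.h respectively; neither guard line is in the hunk, and if either spelling is wrong both definitions become active and the later one wins with only a redefinition warning. Nothing in the SPECS/p11-kit.spec hunks defines USE_STANDARD_TRUST, so the legacy values are unconditional in this build and, since pkcs11.h appears to be an installed header (%{_includedir}/p11-kit-1/), code compiled against it sees different CKA_TRUST_* values than against upstream 0.26; a comment at the `#elif`, e.g. `/* Distribution default: NSS vendor values; define USE_STANDARD_TRUST for the PKCS#11 3.2 values */`, would make that visible to consumers. Every C hunk here lands inside a function or table whose start lies outside the hunk (attribute_is_trust_value, attribute_is_sensitive, p11_constant_types, format_ulong, format_constant, trust_schema, eku_attribute_map).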
@@ -12,8 +12,9 @@ Source2: https://p11-glue.github.io/p11-glue/p11-kit/p11-kit-release-keyr Source3: trust-extract-compat Source4: p11-kit-client.service -Patch: 001-static-analysis.patch -Patch: p11-kit-0.25.5-trust-file-length.patch +# Support for legacy PKCS11 definitions to prevent backwards incompatibility +# Remove this in RHEL-11 +Patch0: p11-kit-0.26.1-pkcs11-legacy-defs.patch BuildRequires: gcc BuildRequires: libtasn1-devel >= 2.3 @@ -22,7 +23,7 @@ BuildRequires: gettext BuildRequires: gtk-doc BuildRequires: meson BuildRequires: systemd-devel -BuildRequires: bash-completion +BuildRequires: pkgconfig(bash-completion) # Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147 # Remove this once it is fixed BuildRequires: pkgconfig(glib-2.0) @@ -57,9 +58,21 @@ The %{name}-trust package contains a system trust PKCS#11 module which contains certificate anchors and blocklists. -%package server -Summary: Server and client commands for %{name} +%package client +Summary: Client module from %{name} Requires: %{name}%{?_isa} = %{version}-%{release} +Obsoletes: %{name}-server < 0.25.5-8 + +%description client +The %{name}-client package contains a PKCS#11 module that enables +accessing other PKCS#11 modules over a Unix domain socket. Note that +this feature is still experimental. + + +%package server +Summary: Server command for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} +Obsoletes: %{name}-server < 0.25.5-8 %description server The %{name}-server package contains command line tools that enable to @@ -82,7 +95,7 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %autosetup -p1 %build -# These paths are the source paths that come from the plan here: +# These paths are the source paths that come from the plan here: # https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks %meson -Dgtk_doc=true -Dman=true -Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source %meson_build 
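Review bot: In the `@@ -57,9 +58,21 @@` hunk both `%package client` and `%package server` carry `Obsoletes: %{name}-server < 0.25.5-8`; on the server stanza that is a self-obsoletion, which rpmlint reports, and it looks like the deliberate pattern that makes the resolver install both halves of a split package on upgrade instead of replacing the old server with client alone. If that is the intent it deserves a one-line comment above the two lines, e.g. `# Both halves obsolete the pre-split server so upgrades install client and server`, so a later cleanup does not drop one side; otherwise the server-side line should go. The 0.25.5-8 bound matches no entry in the %changelog hunk further down, so the comment should also say which build first shipped the split.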
@@ -103,12 +116,12 @@ install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir} %post trust -%{_sbindir}/alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30 +alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30 %postun trust if [ $1 -eq 0 ] ; then # package removal - %{_sbindir}/alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so + alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so fi @@ -121,6 +134,7 @@ fi %dir %{_sysconfdir}/pkcs11/modules %dir %{_datadir}/p11-kit %dir %{_datadir}/p11-kit/modules +%dir %{_libdir}/pkcs11 %dir %{_libexecdir}/p11-kit %{_bindir}/p11-kit %{_libdir}/libp11-kit.so.* @@ -130,6 +144,7 @@ fi %{_mandir}/man8/p11-kit.8.gz %{_mandir}/man5/pkcs11.conf.5.gz %{_datadir}/bash-completion/completions/p11-kit +%{_datadir}/zsh/site-functions/_p11-kit %files devel %{_includedir}/p11-kit-1/ 
@@ -139,25 +154,41 @@ fi %files trust %{_bindir}/trust -%dir %{_libdir}/pkcs11 %ghost %{_libdir}/libnssckbi.so %{_libdir}/pkcs11/p11-kit-trust.so %{_datadir}/p11-kit/modules/p11-kit-trust.module %{_libexecdir}/p11-kit/trust-extract-compat %{_datadir}/bash-completion/completions/trust +%{_datadir}/zsh/site-functions/_trust -%files server +%files client %{_libdir}/pkcs11/p11-kit-client.so %{_userunitdir}/p11-kit-client.service + +%files server %{_libexecdir}/p11-kit/p11-kit-server %{_userunitdir}/p11-kit-server.service %{_userunitdir}/p11-kit-server.socket %changelog +* Tue Feb 10 2026 Zoltan Fridrich - 0.26.2-1 +- Rebase to 0.26.2 + Resolves: RHEL-147825 + +* Thu Jan 22 2026 Zoltan Fridrich - 0.26.1-1 +- Rebase to 0.26.1 + Resolves: RHEL-139075, RHEL-118361, RHEL-126132 + +* Mon Sep 22 2025 Zoltan Fridrich - 0.25.10-1 +- Update to new upstream release 0.25.10 + Resolves: RHEL-115453 + * Fri Oct 25 2024 Zoltan Fridrich - 0.25.3-3 - Fix regression in trust where file creation fails for long cert labels - Resolves: RHEL-64917 + Resolves: RHEL-58899 +- Fix usage message in p11-kit list-tokens command + Resolves: RHEL-31810 * Thu Nov 23 2023 Zoltan Fridrich - 0.25.3-2 - Fix issues found by static analysis