Compare commits


No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

7 changed files with 498 additions and 1085 deletions

6
.gitignore vendored

@ -1,3 +1,3 @@
SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
SOURCES/p11-kit-0.23.22.tar.xz
SOURCES/p11-kit-0.23.22.tar.xz.sig
SOURCES/p11-kit-0.26.2.tar.xz
SOURCES/p11-kit-0.26.2.tar.xz.sig
SOURCES/p11-kit-release-keyring.gpg


@ -1,3 +1,3 @@
526f07b62624739ba318a171bab3352af91d0134 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
339e5163ed50a9984a74739b9207ea8cd77fa7e2 SOURCES/p11-kit-0.23.22.tar.xz
1ab50d9f01bb186c60c32b56467c6f9f56e365da SOURCES/p11-kit-0.23.22.tar.xz.sig
c6aa53aa656b4ba4b066e1f2c8d7d4870562ec46 SOURCES/p11-kit-0.26.2.tar.xz
94bb171d48aa99733e4f171a3b57509caddd6486 SOURCES/p11-kit-0.26.2.tar.xz.sig
0f7896b12a7eaea6919d3213795bcf328240826e SOURCES/p11-kit-release-keyring.gpg


@ -1,42 +0,0 @@
From a91266ef087532e2332c75c4fd9244df66f30b64 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 18 Dec 2020 13:37:10 +0100
Subject: [PATCH] meson: Link trust/client modules explicitly to -ldl
This adds the -ldl link flag missing in the meson build, but present
in the autotools build. Although the use-case is unlikely, this
allows those modules to be linked as a normal shared library to a
program.
---
p11-kit/meson.build | 1 +
trust/meson.build | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/p11-kit/meson.build b/p11-kit/meson.build
index 7d57cd7..02147a9 100644
--- a/p11-kit/meson.build
+++ b/p11-kit/meson.build
@@ -92,6 +92,7 @@ if host_system != 'windows'
'client.c', 'client-init.c',
name_prefix: '',
include_directories: [configinc, commoninc],
+ dependencies: dlopen_deps,
link_args: p11_module_ldflags,
link_depends: [p11_module_symbol_map,
p11_module_symbol_def],
diff --git a/trust/meson.build b/trust/meson.build
index 482a3c1..d4a8e15 100644
--- a/trust/meson.build
+++ b/trust/meson.build
@@ -56,7 +56,7 @@ shared_module('p11-kit-trust',
'module-init.c',
name_prefix: '',
c_args: p11_kit_trust_c_args,
- dependencies: [asn_h_dep, libp11_library_dep] + libtasn1_deps,
+ dependencies: [asn_h_dep, libp11_library_dep] + dlopen_deps + libtasn1_deps,
link_args: p11_module_ldflags,
link_depends: [p11_module_symbol_map,
p11_module_symbol_def],
--
2.29.2


@ -1,42 +0,0 @@
From 9f01a8a45ba913a9b65894cef9369b6010005096 Mon Sep 17 00:00:00 2001
From: Eli Schwartz <eschwartz@archlinux.org>
Date: Tue, 11 Jan 2022 23:25:05 -0500
Subject: [PATCH] gtkdoc: remove dependencies on custom target files
Sadly, the `dependencies` kwarg does not actually do what it seems to be
trying to be used for, here. It is for listing dependency or library
objects whose compiler flags should be added to gtkdoc-scangobj.
It will not actually add ninja target dependencies. The similar kwarg in
other meson functions (e.g. genmarshal and compile_schemas) that *do*
allow adding target dependencies, is `depend_files`.
Older versions of meson simply did nothing in an if/elif/elif block
where these custom_targets never matched anything, and were thus
silently ignored.
Meson 0.61 type-validates the arguments and rejects CustomTarget as
invalid:
```
doc/manual/meson.build:72:8: ERROR: gnome.gtkdoc keyword argument 'dependencies' was of type array[CustomTarget | PkgConfigDependency] but should have been array[Dependency | SharedLibrary | StaticLibrary]
```
Fixes #406
---
doc/manual/meson.build | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/manual/meson.build b/doc/manual/meson.build
index cf8758dbf..560df8dbc 100644
--- a/doc/manual/meson.build
+++ b/doc/manual/meson.build
@@ -73,7 +73,7 @@ if get_option('gtk_doc')
main_xml: 'p11-kit-docs.xml',
namespace: 'p11_kit',
src_dir: 'p11-kit',
- dependencies: libffi_deps + dlopen_deps + xml_deps,
+ dependencies: libffi_deps + dlopen_deps,
scan_args: [
'--ignore-headers=' + ' '.join(ignore_headers),
'--rebuild-types',


@ -1,953 +0,0 @@
diff --color -ruNp a/common/attrs.c b/common/attrs.c
--- a/common/attrs.c 2020-12-11 15:48:46.000000000 +0100
+++ b/common/attrs.c 2023-11-29 14:29:45.130552239 +0100
@@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBU
X (CKA_TRUST_STEP_UP_APPROVED)
X (CKA_CERT_SHA1_HASH)
X (CKA_CERT_MD5_HASH)
+ X (CKA_IBM_OPAQUE)
+ X (CKA_IBM_RESTRICTABLE)
+ X (CKA_IBM_NEVER_MODIFIABLE)
+ X (CKA_IBM_RETAINKEY)
+ X (CKA_IBM_ATTRBOUND)
+ X (CKA_IBM_KEYTYPE)
+ X (CKA_IBM_CV)
+ X (CKA_IBM_MACKEY)
+ X (CKA_IBM_USE_AS_DATA)
+ X (CKA_IBM_STRUCT_PARAMS)
+ X (CKA_IBM_STD_COMPLIANCE1)
+ X (CKA_IBM_PROTKEY_EXTRACTABLE)
+ X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE)
+ X (CKA_IBM_OPAQUE_PKEY)
+ X (CKA_IBM_DILITHIUM_KEYFORM)
+ X (CKA_IBM_DILITHIUM_RHO)
+ X (CKA_IBM_DILITHIUM_T1)
case CKA_VALUE:
return (klass != CKO_CERTIFICATE &&
klass != CKO_X_CERTIFICATE_EXTENSION);
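Review bot: In the X() list added to attribute_is_sensitive, the Dilithium entries stop at CKA_IBM_DILITHIUM_RHO and CKA_IBM_DILITHIUM_T1, while the same patch defines SEED, TR, S1, S2 and T0 in pkcs11x.h and names them in constants.c. If leaving those five out is deliberate, say so in a short comment above the block so a later cleanup does not add them just to make the list look complete. CKA_IBM_OPAQUE and CKA_IBM_OPAQUE_PKEY deserve a second look for the same reason, since the names suggest key blobs and this list feeds the sensitivity decision.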
diff --color -ruNp a/common/constants.c b/common/constants.c
--- a/common/constants.c 2020-12-11 15:48:46.000000000 +0100
+++ b/common/constants.c 2023-11-29 14:29:45.130552239 +0100
@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[]
CT (CKA_WRAP_TEMPLATE, "wrap-template")
CT (CKA_UNWRAP_TEMPLATE, "unwrap-template")
CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms")
+ CT (CKA_IBM_OPAQUE, "ibm-opaque")
+ CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable")
+ CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable")
+ CT (CKA_IBM_RETAINKEY, "ibm-retainkey")
+ CT (CKA_IBM_ATTRBOUND, "ibm-attrbound")
+ CT (CKA_IBM_KEYTYPE, "ibm-keytype")
+ CT (CKA_IBM_CV, "ibm-cv")
+ CT (CKA_IBM_MACKEY, "ibm-mackey")
+ CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data")
+ CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params")
+ CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1")
+ CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable")
+ CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable")
+ CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform")
+ CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho")
+ CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed")
+ CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr")
+ CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1")
+ CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2")
+ CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0")
+ CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1")
+ CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey")
CT (CKA_NSS_URL, "nss-url")
CT (CKA_NSS_EMAIL, "nss-email")
CT (CKA_NSS_SMIME_INFO, "nss-smime-constant")
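Review bot: The nick given to CKA_IBM_STD_COMPLIANCE1 is "ibm-std_compliance1", the only entry in this block with an underscore; every other name added here is hyphen-separated. Unless something already depends on that spelling, use "ibm-std-compliance1" so that lookups by name follow one rule.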
@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] =
CT (CKK_AES, "aes")
CT (CKK_BLOWFISH, "blowfish")
CT (CKK_TWOFISH, "twofish")
+ CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium")
CT (CKK_NSS_PKCS8, "nss-pkcs8")
{ CKA_INVALID },
};
@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanis
CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen")
CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen")
CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen")
+ CT (CKM_IBM_SHA3_224, "ibm-sha3-224")
+ CT (CKM_IBM_SHA3_256, "ibm-sha3-256")
+ CT (CKM_IBM_SHA3_384, "ibm-sha3-384")
+ CT (CKM_IBM_SHA3_512, "ibm-sha3-512")
+ CT (CKM_IBM_CMAC, "ibm-cmac")
+ CT (CKM_IBM_EC_X25519, "ibm-ec-x25519")
+ CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512")
+ CT (CKM_IBM_EC_X448, "ibm-ec-x448")
+ CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3")
+ CT (CKM_IBM_DILITHIUM, "ibm-dilithium")
+ CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac")
+ CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac")
+ CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac")
+ CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac")
+ CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap")
{ CKA_INVALID },
};
diff --color -ruNp a/common/pkcs11x.h b/common/pkcs11x.h
--- a/common/pkcs11x.h 2020-12-11 16:24:01.000000000 +0100
+++ b/common/pkcs11x.h 2023-11-29 14:29:45.252554771 +0100
@@ -181,6 +181,71 @@ typedef CK_ULONG
#endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */
+/* Define this if you want the IBM specific symbols */
+#define CRYPTOKI_IBM_VENDOR_DEFINED 1
+#ifdef CRYPTOKI_IBM_VENDOR_DEFINED
+
+#define CKK_IBM_PQC_DILITHIUM CKK_VENDOR_DEFINED + 0x10023
+
+#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1)
+#define CKA_IBM_RESTRICTABLE (CKA_VENDOR_DEFINED + 0x10001)
+#define CKA_IBM_NEVER_MODIFIABLE (CKA_VENDOR_DEFINED + 0x10002)
+#define CKA_IBM_RETAINKEY (CKA_VENDOR_DEFINED + 0x10003)
+#define CKA_IBM_ATTRBOUND (CKA_VENDOR_DEFINED + 0x10004)
+#define CKA_IBM_KEYTYPE (CKA_VENDOR_DEFINED + 0x10005)
+#define CKA_IBM_CV (CKA_VENDOR_DEFINED + 0x10006)
+#define CKA_IBM_MACKEY (CKA_VENDOR_DEFINED + 0x10007)
+#define CKA_IBM_USE_AS_DATA (CKA_VENDOR_DEFINED + 0x10008)
+#define CKA_IBM_STRUCT_PARAMS (CKA_VENDOR_DEFINED + 0x10009)
+#define CKA_IBM_STD_COMPLIANCE1 (CKA_VENDOR_DEFINED + 0x1000a)
+#define CKA_IBM_PROTKEY_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000c)
+#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000d)
+#define CKA_IBM_DILITHIUM_KEYFORM (CKA_VENDOR_DEFINED + 0xd0001)
+#define CKA_IBM_DILITHIUM_RHO (CKA_VENDOR_DEFINED + 0xd0002)
+#define CKA_IBM_DILITHIUM_SEED (CKA_VENDOR_DEFINED + 0xd0003)
+#define CKA_IBM_DILITHIUM_TR (CKA_VENDOR_DEFINED + 0xd0004)
+#define CKA_IBM_DILITHIUM_S1 (CKA_VENDOR_DEFINED + 0xd0005)
+#define CKA_IBM_DILITHIUM_S2 (CKA_VENDOR_DEFINED + 0xd0006)
+#define CKA_IBM_DILITHIUM_T0 (CKA_VENDOR_DEFINED + 0xd0007)
+#define CKA_IBM_DILITHIUM_T1 (CKA_VENDOR_DEFINED + 0xd0008)
+#define CKA_IBM_OPAQUE_PKEY (CKA_VENDOR_DEFINED + 0xd0100)
+
+#define CKM_IBM_SHA3_224 (CKM_VENDOR_DEFINED + 0x10001)
+#define CKM_IBM_SHA3_256 (CKM_VENDOR_DEFINED + 0x10002)
+#define CKM_IBM_SHA3_384 (CKM_VENDOR_DEFINED + 0x10003)
+#define CKM_IBM_SHA3_512 (CKM_VENDOR_DEFINED + 0x10004)
+#define CKM_IBM_CMAC (CKM_VENDOR_DEFINED + 0x10007)
+#define CKM_IBM_EC_X25519 (CKM_VENDOR_DEFINED + 0x1001b)
+#define CKM_IBM_ED25519_SHA512 (CKM_VENDOR_DEFINED + 0x1001c)
+#define CKM_IBM_EC_X448 (CKM_VENDOR_DEFINED + 0x1001e)
+#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED + 0x1001f)
+#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED + 0x10023)
+#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED + 0x10025)
+#define CKM_IBM_SHA3_256_HMAC (CKM_VENDOR_DEFINED + 0x10026)
+#define CKM_IBM_SHA3_384_HMAC (CKM_VENDOR_DEFINED + 0x10027)
+#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028)
+#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004)
+
+/*
+ * If the caller is using the PKCS#11 GNU calling convention, then we cater
+ * to that here.
+ */
+#ifdef CRYPTOKI_GNU
+#define hSignVerifyKey h_sign_verify_key
+#endif
+
+struct ck_ibm_attributebound_wrap {
+ CK_OBJECT_HANDLE hSignVerifyKey;
+};
+
+typedef struct ck_ibm_attributebound_wrap CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS;
+
+#ifdef CRYPTOKI_GNU
+#undef hSignVerifyKey
+#endif
+
+#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */
+
#if defined(__cplusplus)
}
#endif
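Review bot: CKK_IBM_PQC_DILITHIUM, the first define in the new block, expands to CKK_VENDOR_DEFINED + 0x10023 without parentheses, unlike every CKA_IBM_* and CKM_IBM_* define below it. Wrap it as (CKK_VENDOR_DEFINED + 0x10023) so it cannot bind wrongly inside a larger expression. Separately, "#define CRYPTOKI_IBM_VENDOR_DEFINED 1" directly above "#ifdef CRYPTOKI_IBM_VENDOR_DEFINED" makes the guard unconditional, so the comment "Define this if you want the IBM specific symbols" does not describe a real opt-in.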
diff --color -ruNp a/p11-kit/meson.build b/p11-kit/meson.build
--- a/p11-kit/meson.build 2023-11-29 14:27:53.265231072 +0100
+++ b/p11-kit/meson.build 2023-11-29 14:29:45.264555020 +0100
@@ -211,6 +211,9 @@ gnu_h = gnu_h_gen.process(pkcs11_gnu_hea
static_library('p11-kit-pkcs11-gnu',
gnu_h,
'pkcs11-gnu.c',
+ c_args: [
+ '-DCRYPTOKI_GNU=1', '-DP11_KIT_FUTURE_UNSTABLE_API=1',
+ ],
include_directories: [configinc, commoninc])
# Tests ----------------------------------------------------------------
diff --color -ruNp a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h
--- a/p11-kit/p11-kit.h 2020-12-11 15:48:46.000000000 +0100
+++ b/p11-kit/p11-kit.h 2023-11-29 14:29:45.265555041 +0100
@@ -43,12 +43,17 @@
*/
#ifdef CRYPTOKI_GNU
typedef ck_rv_t CK_RV;
+typedef ck_object_handle_t CK_OBJECT_HANDLE;
+typedef unsigned long int CK_ULONG;
typedef struct ck_function_list* CK_FUNCTION_LIST_PTR;
typedef struct ck_function_list CK_FUNCTION_LIST;
#endif
#include "p11-kit/deprecated.h"
+/* For size_t. */
+#include <stddef.h>
+
#ifdef __cplusplus
extern "C" {
#endif
diff --color -ruNp a/p11-kit/pkcs11-gnu.c b/p11-kit/pkcs11-gnu.c
--- a/p11-kit/pkcs11-gnu.c 2020-12-11 15:48:46.000000000 +0100
+++ b/p11-kit/pkcs11-gnu.c 2023-11-29 14:29:45.265555041 +0100
@@ -1,3 +1,8 @@
+#include "config.h"
+
+#include "p11-kit.h"
+#include "pkcs11x.h"
+
#include "pkcs11-gnu-iter.h"
#include "pkcs11-gnu-pin.h"
#include "pkcs11-gnu-uri.h"
diff --color -ruNp a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
--- a/p11-kit/rpc-client.c 2020-12-11 15:48:46.000000000 +0100
+++ b/p11-kit/rpc-client.c 2023-11-29 14:29:45.220554107 +0100
@@ -570,7 +570,7 @@ proto_read_sesssion_info (p11_rpc_messag
#define IN_BYTE_BUFFER(arr, len) \
if (len == NULL) \
{ _ret = CKR_ARGUMENTS_BAD; goto _cleanup; } \
- if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? *len : 0)) \
+ if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? (*len > 0 ? *len : (uint32_t)-1) : 0)) \
{ _ret = CKR_HOST_MEMORY; goto _cleanup; }
#define IN_BYTE_ARRAY(arr, len) \
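Review bot: The new IN_BYTE_BUFFER expression sends (uint32_t)-1 when arr is non-NULL and *len is 0, and nothing in the macro says what that sentinel means to the peer. Give it a named constant shared with the reading side and a comment on the macro, and check that a reader which does not know the sentinel cannot take it as a real buffer length and size an allocation from it.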
@@ -1489,8 +1489,6 @@ rpc_C_SignUpdate (CK_X_FUNCTION_LIST *se
CK_BYTE_PTR part,
CK_ULONG part_len)
{
- return_val_if_fail (part_len, CKR_ARGUMENTS_BAD);
-
BEGIN_CALL_OR (C_SignUpdate, self, CKR_SESSION_HANDLE_INVALID);
IN_ULONG (session);
IN_BYTE_ARRAY (part, part_len);
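Review bot: With return_val_if_fail (part_len, CKR_ARGUMENTS_BAD) gone from rpc_C_SignUpdate, a call with part_len == 0 now reaches IN_BYTE_ARRAY (part, part_len), including the case part == NULL. That is only safe together with the p11_rpc_message_write_byte_array change in rpc-message.c from this same patch; a test that sends a zero-length update through the RPC path would pin the two changes together.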
diff --color -ruNp a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
--- a/p11-kit/rpc-message.c 2020-12-11 16:25:36.000000000 +0100
+++ b/p11-kit/rpc-message.c 2023-11-29 14:29:45.243554584 +0100
@@ -372,7 +372,7 @@ p11_rpc_message_write_byte_array (p11_rp
assert (!msg->signature || p11_rpc_message_verify_part (msg, "ay"));
/* No array, no data, just length */
- if (!arr) {
+ if (!arr && num != 0) {
p11_rpc_buffer_add_byte (msg->output, 0);
p11_rpc_buffer_add_uint32 (msg->output, num);
} else {
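Review bot: After the test becomes !arr && num != 0, a NULL arr with num == 0 falls into the else branch, whose body is outside this hunk. Please confirm that branch never hands arr to a copy routine when num is 0, and update the comment "No array, no data, just length", which no longer matches the condition it sits above.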
@@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUT
case CKA_RESET_ON_INIT:
case CKA_HAS_RESET:
case CKA_COLOR:
+ case CKA_IBM_RESTRICTABLE:
+ case CKA_IBM_NEVER_MODIFIABLE:
+ case CKA_IBM_RETAINKEY:
+ case CKA_IBM_ATTRBOUND:
+ case CKA_IBM_USE_AS_DATA:
+ case CKA_IBM_PROTKEY_EXTRACTABLE:
+ case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE:
return P11_RPC_VALUE_BYTE;
case CKA_CLASS:
case CKA_CERTIFICATE_TYPE:
@@ -821,9 +828,13 @@ map_attribute_to_value_type (CK_ATTRIBUT
case CKA_CHAR_COLUMNS:
case CKA_BITS_PER_PIXEL:
case CKA_MECHANISM_TYPE:
+ case CKA_IBM_DILITHIUM_KEYFORM:
+ case CKA_IBM_STD_COMPLIANCE1:
+ case CKA_IBM_KEYTYPE:
return P11_RPC_VALUE_ULONG;
case CKA_WRAP_TEMPLATE:
case CKA_UNWRAP_TEMPLATE:
+ case CKA_DERIVE_TEMPLATE:
return P11_RPC_VALUE_ATTRIBUTE_ARRAY;
case CKA_ALLOWED_MECHANISMS:
return P11_RPC_VALUE_MECHANISM_TYPE_ARRAY;
@@ -869,6 +880,18 @@ map_attribute_to_value_type (CK_ATTRIBUT
case CKA_REQUIRED_CMS_ATTRIBUTES:
case CKA_DEFAULT_CMS_ATTRIBUTES:
case CKA_SUPPORTED_CMS_ATTRIBUTES:
+ case CKA_IBM_OPAQUE:
+ case CKA_IBM_CV:
+ case CKA_IBM_MACKEY:
+ case CKA_IBM_STRUCT_PARAMS:
+ case CKA_IBM_OPAQUE_PKEY:
+ case CKA_IBM_DILITHIUM_RHO:
+ case CKA_IBM_DILITHIUM_SEED:
+ case CKA_IBM_DILITHIUM_TR:
+ case CKA_IBM_DILITHIUM_S1:
+ case CKA_IBM_DILITHIUM_S2:
+ case CKA_IBM_DILITHIUM_T0:
+ case CKA_IBM_DILITHIUM_T1:
return P11_RPC_VALUE_BYTE_ARRAY;
}
}
@@ -1406,9 +1429,466 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechani
return true;
}
+void
+p11_rpc_buffer_add_ecdh1_derive_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_ECDH1_DERIVE_PARAMS params;
+
+ /* Check if value can be converted to CK_ECDH1_DERIVE_PARAMS. */
+ if (value_length != sizeof (CK_ECDH1_DERIVE_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.kdf can be converted to uint64_t. */
+ if (params.kdf > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_uint64 (buffer, params.kdf);
+
+ /* parmas.shared_data can only be an array of CK_BYTE or
+ * NULL */
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.shared_data,
+ params.shared_data_len);
+
+ /* parmas.public_data can only be an array of CK_BYTE or
+ * NULL */
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.public_data,
+ params.public_data_len);
+}
+
+bool
+p11_rpc_buffer_get_ecdh1_derive_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+ const unsigned char *data1, *data2;
+ size_t len1, len2;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1))
+ return false;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2))
+ return false;
+
+
+ if (value) {
+ CK_ECDH1_DERIVE_PARAMS params;
+
+ params.kdf = val;
+ params.shared_data = (void *) data1;
+ params.shared_data_len = len1;
+ params.public_data = (void *) data2;
+ params.public_data_len = len2;
+
+ memcpy (value, &params, sizeof (CK_ECDH1_DERIVE_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_ECDH1_DERIVE_PARAMS);
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
+
+ /* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */
+ if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.hSignVerifyKey can be converted to uint64_t. */
+ if (params.hSignVerifyKey > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey);
+}
+
+bool
+p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+
+ if (value) {
+ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
+
+ params.hSignVerifyKey = val;
+
+ memcpy (value, &params, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS);
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ /* Check if value can be converted to an AES IV. */
+ if (value_length != 16) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)value,
+ value_length);
+}
+
+bool
+p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (len != 16)
+ return false;
+
+ if (value)
+ memcpy (value, data, len);
+
+ if (value_length)
+ *value_length = len;
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_AES_CTR_PARAMS params;
+
+ /* Check if value can be converted to CK_AES_CTR_PARAMS. */
+ if (value_length != sizeof (CK_AES_CTR_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.counter_bits can be converted to uint64_t. */
+ if (params.counter_bits > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_uint64 (buffer, params.counter_bits);
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.cb,
+ sizeof(params.cb));
+}
+
+bool
+p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (value) {
+ CK_AES_CTR_PARAMS params;
+
+ params.ulCounterBits = val;
+
+ if (len != sizeof (params.cb))
+ return false;
+
+ memcpy (params.cb, data, sizeof (params.cb));
+ memcpy (value, &params, sizeof (CK_AES_CTR_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_AES_CTR_PARAMS);
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_GCM_PARAMS params;
+
+ /* Check if value can be converted to CK_GCM_PARAMS. */
+ if (value_length != sizeof (CK_GCM_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.ulTagBits/ulIvBits can be converted to uint64_t. */
+ if (params.ulTagBits > UINT64_MAX || params.ulIvBits > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.pIv,
+ params.ulIvLen);
+ p11_rpc_buffer_add_uint64 (buffer, params.ulIvBits);
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.pAAD,
+ params.ulAADLen);
+ p11_rpc_buffer_add_uint64 (buffer, params.ulTagBits);
+}
+
+bool
+p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val1, val2;
+ const unsigned char *data1, *data2;
+ size_t len1, len2;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1))
+ return false;
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1))
+ return false;
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2))
+ return false;
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val2))
+ return false;
+
+ if (value) {
+ CK_GCM_PARAMS params;
+
+ params.pIv = (void *) data1;
+ params.ulIvLen = len1;
+ params.ulIvBits = val1;
+ params.pAAD = (void *) data2;
+ params.ulAADLen = len2;
+ params.ulTagBits = val2;
+
+ memcpy (value, &params, sizeof (CK_GCM_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_GCM_PARAMS);
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ /* Check if value can be converted to an DES IV. */
+ if (value_length != 8) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)value,
+ value_length);
+}
+
+bool
+p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (len != 8)
+ return false;
+
+ if (value)
+ memcpy (value, data, len);
+
+ if (value_length)
+ *value_length = len;
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_mac_general_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_ULONG val;
+ uint64_t params;
+
+ /*
+ * Check if value can be converted to an CK_MAC_GENERAL_PARAMS which
+ * is a CK_ULONG.
+ */
+ if (value_length != sizeof (CK_ULONG)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&val, value, value_length);
+ params = val;
+
+ p11_rpc_buffer_add_uint64 (buffer, params);
+}
+
+bool
+p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+ CK_ULONG params;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+
+ params = val;
+
+ if (value)
+ memcpy (value, &params, sizeof (params));
+
+ if (value_length)
+ *value_length = sizeof (params);
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ /* Mechanism parameter is public value of the other party */
+ if (value_length == 0) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)value,
+ value_length);
+}
+
+bool
+p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (len == 0)
+ return false;
+
+ if (value)
+ memcpy (value, data, len);
+
+ if (value_length)
+ *value_length = len;
+
+ return true;
+}
+
static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
- { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }
+ { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA224_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA256_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA384_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA512_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value },
+ { CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
+ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value },
+ { CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
+ { CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
+ { CKM_AES_CBC, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CBC_PAD, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_OFB, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB1, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB8, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value },
+ { CKM_AES_GCM, p11_rpc_buffer_add_aes_gcm_mechanism_value, p11_rpc_buffer_get_aes_gcm_mechanism_value },
+ { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES3_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_SHA_1_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA384_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA512_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA512_224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA512_256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_AES_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_DH_PKCS_DERIVE, p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value, p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value },
};
static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
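Review bot: In p11_rpc_buffer_get_aes_ctr_mechanism_value the check "if (len != sizeof (params.cb)) return false;" sits inside "if (value)", so a size query with value == NULL accepts a counter block of any length and still returns true; move the check up next to the get_byte_array call, as the AES and DES IV readers do. p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value copies len bytes taken from the message into value after only a len == 0 test, and nothing in the function bounds len by the size of the destination. The readers also assign uint64_t wire values straight into CK_ULONG fields (params.kdf, ulIvBits, ulTagBits, the MAC length), which truncates silently where CK_ULONG is 32 bits, while the writers' "> UINT64_MAX" tests cannot fire when CK_ULONG is 64 bits or narrower; the range check belongs on the reading side. Smaller points: the CTR writer uses params.counter_bits and the reader params.ulCounterBits, and "parmas" is misspelled in two comments.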
@@ -1453,6 +1933,7 @@ mechanism_has_no_parameters (CK_MECHANIS
case CKM_MD2_RSA_PKCS:
case CKM_MD5_RSA_PKCS:
case CKM_SHA1_RSA_PKCS:
+ case CKM_SHA224_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
@@ -1467,6 +1948,10 @@ mechanism_has_no_parameters (CK_MECHANIS
case CKM_EC_KEY_PAIR_GEN:
case CKM_ECDSA:
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA224:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
case CKM_DH_PKCS_KEY_PAIR_GEN:
case CKM_DH_PKCS_PARAMETER_GEN:
case CKM_X9_42_DH_KEY_PAIR_GEN:
@@ -1480,6 +1965,7 @@ mechanism_has_no_parameters (CK_MECHANIS
case CKM_AES_KEY_GEN:
case CKM_AES_ECB:
case CKM_AES_MAC:
+ case CKM_AES_CMAC:
case CKM_DES_KEY_GEN:
case CKM_DES2_KEY_GEN:
case CKM_DES3_KEY_GEN:
@@ -1505,6 +1991,7 @@ mechanism_has_no_parameters (CK_MECHANIS
case CKM_RC2_MAC:
case CKM_DES_MAC:
case CKM_DES3_MAC:
+ case CKM_DES3_CMAC:
case CKM_CDMF_MAC:
case CKM_CAST_MAC:
case CKM_CAST3_MAC:
@@ -1521,18 +2008,46 @@ mechanism_has_no_parameters (CK_MECHANIS
case CKM_MD5_HMAC:
case CKM_SHA_1:
case CKM_SHA_1_HMAC:
+ case CKM_SHA1_KEY_DERIVATION:
+ case CKM_SHA224:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA224_KEY_DERIVATION:
case CKM_SHA256:
case CKM_SHA256_HMAC:
+ case CKM_SHA256_KEY_DERIVATION:
case CKM_SHA384:
case CKM_SHA384_HMAC:
+ case CKM_SHA384_KEY_DERIVATION:
case CKM_SHA512:
case CKM_SHA512_HMAC:
+ case CKM_SHA512_KEY_DERIVATION:
+ case CKM_SHA512_T:
+ case CKM_SHA512_T_HMAC:
+ case CKM_SHA512_T_KEY_DERIVATION:
+ case CKM_SHA512_224:
+ case CKM_SHA512_224_HMAC:
+ case CKM_SHA512_224_KEY_DERIVATION:
+ case CKM_SHA512_256:
+ case CKM_SHA512_256_HMAC:
+ case CKM_SHA512_256_KEY_DERIVATION:
case CKM_FASTHASH:
case CKM_RIPEMD128:
case CKM_RIPEMD128_HMAC:
case CKM_RIPEMD160:
case CKM_RIPEMD160_HMAC:
case CKM_KEY_WRAP_LYNKS:
+ case CKM_IBM_SHA3_224:
+ case CKM_IBM_SHA3_256:
+ case CKM_IBM_SHA3_384:
+ case CKM_IBM_SHA3_512:
+ case CKM_IBM_CMAC:
+ case CKM_IBM_DILITHIUM:
+ case CKM_IBM_SHA3_224_HMAC:
+ case CKM_IBM_SHA3_256_HMAC:
+ case CKM_IBM_SHA3_384_HMAC:
+ case CKM_IBM_SHA3_512_HMAC:
+ case CKM_IBM_ED25519_SHA512:
+ case CKM_IBM_ED448_SHA3:
return true;
default:
return false;
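Review bot: CKM_SHA512_T, CKM_SHA512_T_HMAC and CKM_SHA512_T_KEY_DERIVATION are added to mechanism_has_no_parameters next to the fixed-length SHA-512/224 and SHA-512/256 variants. The _T name suggests a caller-chosen truncation length; if that length travels as the mechanism parameter, returning true here would be wrong for these three. Please confirm against the PKCS #11 mechanism definition and, if they do take a parameter, drop them from this list and give them a serializer entry instead.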
diff --color -ruNp a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
--- a/p11-kit/rpc-message.h 2020-12-11 16:25:36.000000000 +0100
+++ b/p11-kit/rpc-message.h 2023-11-29 14:29:45.243554584 +0100
@@ -42,6 +42,7 @@
#include "buffer.h"
#include "pkcs11.h"
+#include "pkcs11x.h"
/* The calls, must be in sync with array below */
enum {
@@ -478,5 +479,85 @@ bool p11_rpc_buffer_get_rsa_
size_t *offset,
void *value,
CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_ecdh1_derive_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_ecdh1_derive_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_mac_general_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_mac_general_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
#endif /* _RPC_MESSAGE_H */
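Review bot: The eight new add/get pairs in rpc-message.h are declared without any comment on their contract, and every one takes an untyped `void *value` plus a `CK_ULONG *value_length`. For the get side in particular, which decodes data received from the peer, please document which CK_*_PARAMS structure each pair handles, whether `value` may be NULL for a size query, and whether `*value_length` is an input capacity, an output size or both, so callers cannot pass a buffer smaller than the function will write.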
diff --color -ruNp a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
--- a/p11-kit/rpc-server.c 2020-12-11 16:25:36.000000000 +0100
+++ b/p11-kit/rpc-server.c 2023-11-29 14:29:45.221554128 +0100
@@ -84,6 +84,12 @@ proto_read_byte_buffer (p11_rpc_message
*n_buffer = length;
*buffer = NULL;
+ /* length = -1 indicates length = 0, but buffer not NULL */
+ if (length == (uint32_t)-1) {
+ *n_buffer = 0;
+ length = 1; /*allocate 1 dummy byte */
+ }
+
/* If set to zero, then they just want the length */
if (length == 0)
return CKR_OK;
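Review bot: `(uint32_t)-1` in proto_read_byte_buffer is a bare magic value that changes the meaning of a length read from the peer: before this hunk it was treated as an ordinary length, now it means "zero bytes, buffer not NULL". Give it a named constant shared with the code that writes it, and say in the comment which side sends it and when, so a reader can confirm that both ends agree on the encoding. The new comment `/*allocate 1 dummy byte */` also needs a space after `/*`.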

View File

@ -0,0 +1,224 @@
diff --color -ruNp a/common/attrs.c b/common/attrs.c
--- a/common/attrs.c 2025-12-11 14:59:36.000000000 +0100
+++ b/common/attrs.c 2026-01-22 09:47:40.761892180 +0100
@@ -638,13 +638,15 @@ attribute_is_trust_value (const CK_ATTRI
case CKA_NSS_TRUST_IPSEC_TUNNEL:
case CKA_NSS_TRUST_IPSEC_USER:
case CKA_NSS_TRUST_TIME_STAMPING:
+ case CKA_TRUST_IPSEC_IKE:
+ case CKA_TRUST_OCSP_SIGNING:
+#ifdef USE_STANDARD_TRUST
case CKA_TRUST_SERVER_AUTH:
case CKA_TRUST_CLIENT_AUTH:
case CKA_TRUST_CODE_SIGNING:
case CKA_TRUST_EMAIL_PROTECTION:
- case CKA_TRUST_IPSEC_IKE:
case CKA_TRUST_TIME_STAMPING:
- case CKA_TRUST_OCSP_SIGNING:
+#endif
break;
default:
return false;
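Review bot: The `#ifdef USE_STANDARD_TRUST` added around the CKA_TRUST_* case labels in attribute_is_trust_value carries no comment, and nothing in the visible part of this patch defines USE_STANDARD_TRUST, so the default build silently takes the legacy path. A one-line comment would explain the guard: in the legacy build CKA_TRUST_TIME_STAMPING and its siblings alias the CKA_NSS_TRUST_* labels already listed above and would become duplicate case labels. The patch header or the spec should also state where the macro is expected to be set.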
@@ -734,12 +736,14 @@ attribute_is_sensitive (const CK_ATTRIBU
X (CKA_DEFAULT_CMS_ATTRIBUTES)
X (CKA_SUPPORTED_CMS_ATTRIBUTES)
X (CKA_ALLOWED_MECHANISMS)
+#ifdef USE_STANDARD_TRUST
X (CKA_TRUST_SERVER_AUTH)
X (CKA_TRUST_CLIENT_AUTH)
X (CKA_TRUST_CODE_SIGNING)
X (CKA_TRUST_EMAIL_PROTECTION)
- X (CKA_TRUST_IPSEC_IKE)
X (CKA_TRUST_TIME_STAMPING)
+#endif
+ X (CKA_TRUST_IPSEC_IKE)
X (CKA_TRUST_OCSP_SIGNING)
X (CKA_X_ASSERTION_TYPE)
X (CKA_X_CERTIFICATE_VALUE)
diff --color -ruNp a/common/constants.c b/common/constants.c
--- a/common/constants.c 2025-12-11 14:59:36.000000000 +0100
+++ b/common/constants.c 2026-01-22 09:48:12.843493106 +0100
@@ -198,12 +198,16 @@ const p11_constant p11_constant_types[]
CT (CKA_VALIDATION_PROFILE, "validation-profile")
CT (CKA_ENCAPSULATE_TEMPLATE, "encapsulate-template")
CT (CKA_DECAPSULATE_TEMPLATE, "decapsulate_template")
+#ifdef USE_STANDARD_TRUST
CT (CKA_TRUST_SERVER_AUTH, "trust-server-auth")
CT (CKA_TRUST_CLIENT_AUTH, "trust-client-auth")
CT (CKA_TRUST_CODE_SIGNING, "trust-code-signing")
CT (CKA_TRUST_EMAIL_PROTECTION, "trust-email-protection")
+#endif
CT (CKA_TRUST_IPSEC_IKE, "trust-ipsec-ike")
+#ifdef USE_STANDARD_TRUST
CT (CKA_TRUST_TIME_STAMPING, "trust-time-stamping")
+#endif
CT (CKA_TRUST_OCSP_SIGNING, "trust-ocsp-signing")
CT (CKA_ENCAPSULATE, "encapsulate")
CT (CKA_DECAPSULATE, "decapsulate")
@@ -267,14 +271,25 @@ const p11_constant p11_constant_types[]
CT (CKA_NSS_TRUST_KEY_AGREEMENT, "nss-trust-key-agreement")
CT (CKA_NSS_TRUST_KEY_CERT_SIGN, "nss-trust-key-cert-sign")
CT (CKA_NSS_TRUST_CRL_SIGN, "nss-trust-crl-sign")
+#ifdef USE_STANDARD_TRUST
CT (CKA_NSS_TRUST_SERVER_AUTH, "nss-trust-server-auth")
CT (CKA_NSS_TRUST_CLIENT_AUTH, "nss-trust-client-auth")
CT (CKA_NSS_TRUST_CODE_SIGNING, "nss-trust-code-signing")
CT (CKA_NSS_TRUST_EMAIL_PROTECTION, "nss-trust-email-protection")
+#else
+ CT (CKA_NSS_TRUST_SERVER_AUTH, "trust-server-auth")
+ CT (CKA_NSS_TRUST_CLIENT_AUTH, "trust-client-auth")
+ CT (CKA_NSS_TRUST_CODE_SIGNING, "trust-code-signing")
+ CT (CKA_NSS_TRUST_EMAIL_PROTECTION, "trust-email-protection")
+#endif
CT (CKA_NSS_TRUST_IPSEC_END_SYSTEM, "nss-trust-ipsec-end-system")
CT (CKA_NSS_TRUST_IPSEC_TUNNEL, "nss-trust-ipsec-tunnel")
CT (CKA_NSS_TRUST_IPSEC_USER, "nss-trust-ipsec-user")
+#ifdef USE_STANDARD_TRUST
CT (CKA_NSS_TRUST_TIME_STAMPING, "nss-trust-time-stamping")
+#else
+ CT (CKA_NSS_TRUST_TIME_STAMPING, "trust-time-stamping")
+#endif
CT (CKA_NSS_TRUST_STEP_UP_APPROVED, "nss-trust-step-up-approved")
CT (CKA_NSS_CERT_SHA1_HASH, "nss-cert-sha1-hash")
CT (CKA_NSS_CERT_MD5_HASH, "nss-cert-md5-hash")
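Review bot: In the `#else` branches the names "trust-server-auth", "trust-client-auth", "trust-code-signing", "trust-email-protection" and "trust-time-stamping" are bound to the CKA_NSS_TRUST_* constants, while in the USE_STANDARD_TRUST build the same names are bound to the standard CKA_TRUST_* constants earlier in the table. The same textual name therefore maps to a different attribute number depending on a compile-time flag, and the "nss-trust-*" spellings of these five disappear from legacy builds. Please document this in the patch description, and consider keeping the "nss-" names accepted in both builds so data written by one build is still readable by the other.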
diff --color -ruNp a/common/persist.c b/common/persist.c
--- a/common/persist.c 2025-12-11 14:59:36.000000000 +0100
+++ b/common/persist.c 2026-01-22 09:48:34.018889748 +0100
@@ -296,11 +296,13 @@ format_ulong (CK_ATTRIBUTE *attr,
case CKA_NSS_TRUST_IPSEC_USER:
case CKA_NSS_TRUST_TIME_STAMPING:
case CKA_NSS_TRUST_STEP_UP_APPROVED:
+#ifdef USE_STANDARD_TRUST
case CKA_TRUST_SERVER_AUTH:
case CKA_TRUST_CLIENT_AUTH:
case CKA_TRUST_CODE_SIGNING:
case CKA_TRUST_EMAIL_PROTECTION:
case CKA_TRUST_TIME_STAMPING:
+#endif
case CKA_X_ASSERTION_TYPE:
case CKA_AUTH_PIN_FLAGS:
case CKA_HW_FEATURE_TYPE:
@@ -368,11 +370,13 @@ format_constant (CK_ATTRIBUTE *attr,
case CKA_NSS_TRUST_IPSEC_TUNNEL:
case CKA_NSS_TRUST_IPSEC_USER:
case CKA_NSS_TRUST_TIME_STAMPING:
+#ifdef USE_STANDARD_TRUST
case CKA_TRUST_SERVER_AUTH:
case CKA_TRUST_CLIENT_AUTH:
case CKA_TRUST_CODE_SIGNING:
case CKA_TRUST_EMAIL_PROTECTION:
case CKA_TRUST_TIME_STAMPING:
+#endif
table = p11_constant_trusts;
break;
case CKA_CLASS:
diff --color -ruNp a/common/pkcs11.h b/common/pkcs11.h
--- a/common/pkcs11.h 2025-12-11 14:59:36.000000000 +0100
+++ b/common/pkcs11.h 2026-01-22 09:46:29.803959838 +0100
@@ -578,12 +578,7 @@ extern "C" {
#define CKA_VALIDATION_PROFILE (0x629UL)
#define CKA_ENCAPSULATE_TEMPLATE (0x62AUL)
#define CKA_DECAPSULATE_TEMPLATE (0x62BUL)
-#define CKA_TRUST_SERVER_AUTH (0x62CUL)
-#define CKA_TRUST_CLIENT_AUTH (0x62DUL)
-#define CKA_TRUST_CODE_SIGNING (0x62EUL)
-#define CKA_TRUST_EMAIL_PROTECTION (0x62FUL)
#define CKA_TRUST_IPSEC_IKE (0x630UL)
-#define CKA_TRUST_TIME_STAMPING (0x631UL)
#define CKA_TRUST_OCSP_SIGNING (0x632UL)
#define CKA_ENCAPSULATE (0x633UL)
#define CKA_DECAPSULATE (0x634UL)
@@ -592,6 +587,22 @@ extern "C" {
#define CKA_SEED (0x637UL)
#define CKA_VENDOR_DEFINED ((unsigned long) (1UL << 31))
+#ifdef USE_STANDARD_TRUST
+/* Values introduced in PKCS#11 3.2 standard */
+#define CKA_TRUST_SERVER_AUTH (0x62CUL)
+#define CKA_TRUST_CLIENT_AUTH (0x62DUL)
+#define CKA_TRUST_CODE_SIGNING (0x62EUL)
+#define CKA_TRUST_EMAIL_PROTECTION (0x62FUL)
+#define CKA_TRUST_TIME_STAMPING (0x631UL)
+#elif !defined(PKCS11_X_H_)
+/* Legacy values that collide with PKCS#11 standard values */
+#define CKA_TRUST_SERVER_AUTH (0xce536358UL)
+#define CKA_TRUST_CLIENT_AUTH (0xce536359UL)
+#define CKA_TRUST_CODE_SIGNING (0xce53635aUL)
+#define CKA_TRUST_EMAIL_PROTECTION (0xce53635bUL)
+#define CKA_TRUST_TIME_STAMPING (0xce53635fUL)
+#endif
+
/* CK_CERTIFICATE_CATEGORY */
#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED (0UL)
#define CK_CERTIFICATE_CATEGORY_TOKEN_USER (1UL)
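Review bot: The comment "Legacy values that collide with PKCS#11 standard values" in the `#elif` branch misdescribes the block: the numbers 0xce536358 to 0xce53635f do not collide with 0x62C to 0x631, it is the macro names that collide. The branch also hard-codes numbers that pkcs11x.h reaches through the CKA_NSS_TRUST_* aliases, so the same five values now live in two places and must be kept in sync by hand. Reword the comment and, if possible, define the legacy names in one header only.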
diff --color -ruNp a/common/pkcs11x.h b/common/pkcs11x.h
--- a/common/pkcs11x.h 2025-12-11 14:59:36.000000000 +0100
+++ b/common/pkcs11x.h 2026-01-22 09:46:39.783921400 +0100
@@ -98,6 +98,32 @@ extern "C" {
#define CKA_NSS_CERT_SHA1_HASH 0xce5363b4UL
#define CKA_NSS_CERT_MD5_HASH 0xce5363b5UL
+#ifndef USE_STANDARD_TRUST
+/* Legacy names */
+#define CKA_TRUST_DIGITAL_SIGNATURE CKA_NSS_TRUST_DIGITAL_SIGNATURE
+#define CKA_TRUST_NON_REPUDIATION CKA_NSS_TRUST_NON_REPUDIATION
+#define CKA_TRUST_KEY_ENCIPHERMENT CKA_NSS_TRUST_KEY_ENCIPHERMENT
+#define CKA_TRUST_DATA_ENCIPHERMENT CKA_NSS_TRUST_DATA_ENCIPHERMENT
+#define CKA_TRUST_KEY_AGREEMENT CKA_NSS_TRUST_KEY_AGREEMENT
+#define CKA_TRUST_KEY_CERT_SIGN CKA_NSS_TRUST_KEY_CERT_SIGN
+#define CKA_TRUST_CRL_SIGN CKA_NSS_TRUST_CRL_SIGN
+#define CKA_TRUST_IPSEC_END_SYSTEM CKA_NSS_TRUST_IPSEC_END_SYSTEM
+#define CKA_TRUST_IPSEC_TUNNEL CKA_NSS_TRUST_IPSEC_TUNNEL
+#define CKA_TRUST_IPSEC_USER CKA_NSS_TRUST_IPSEC_USER
+#define CKA_TRUST_STEP_UP_APPROVED CKA_NSS_TRUST_STEP_UP_APPROVED
+#define CKA_CERT_SHA1_HASH CKA_NSS_CERT_SHA1_HASH
+#define CKA_CERT_MD5_HASH CKA_NSS_CERT_MD5_HASH
+
+#ifndef PKCS11_H
+/* Legacy names that collide with PKCS#11 standard names */
+#define CKA_TRUST_SERVER_AUTH CKA_NSS_TRUST_SERVER_AUTH
+#define CKA_TRUST_CLIENT_AUTH CKA_NSS_TRUST_CLIENT_AUTH
+#define CKA_TRUST_CODE_SIGNING CKA_NSS_TRUST_CODE_SIGNING
+#define CKA_TRUST_EMAIL_PROTECTION CKA_NSS_TRUST_EMAIL_PROTECTION
+#define CKA_TRUST_TIME_STAMPING CKA_NSS_TRUST_TIME_STAMPING
+#endif
+#endif /* USE_STANDARD_TRUST */
+
/* NSS trust values */
typedef CK_ULONG CK_TRUST;
#define CKT_NSS_TRUSTED 0xce534351UL
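Review bot: The inner guard here is `#ifndef PKCS11_H`, while the matching test in pkcs11.h is `!defined(PKCS11_X_H_)`; the two spellings follow different conventions, so please confirm each one is exactly the include guard of the other header, because a mismatch makes the block compile always or never without any diagnostic. Which header ends up defining CKA_TRUST_SERVER_AUTH and the other four names also depends on include order, so a small compile test that includes pkcs11.h and pkcs11x.h in both orders, and pkcs11x.h alone, would show that the names are defined exactly once in every case.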
diff --color -ruNp a/trust/builder.c b/trust/builder.c
--- a/trust/builder.c 2026-01-19 12:05:20.000000000 +0100
+++ b/trust/builder.c 2026-01-22 09:51:26.366291745 +0100
@@ -993,12 +993,15 @@ const static builder_schema trust_schema
{ CKA_SUBJECT, CREATE },
{ CKA_SERIAL_NUMBER, CREATE },
/* official trust attributes */
+#ifdef USE_STANDARD_TRUST
{ CKA_TRUST_SERVER_AUTH, CREATE },
{ CKA_TRUST_CLIENT_AUTH, CREATE },
{ CKA_TRUST_CODE_SIGNING, CREATE },
{ CKA_TRUST_EMAIL_PROTECTION, CREATE },
- { CKA_TRUST_IPSEC_IKE, CREATE },
{ CKA_TRUST_TIME_STAMPING, CREATE },
+#endif
+ /* these do not collide with legacy NSS names */
+ { CKA_TRUST_IPSEC_IKE, CREATE },
{ CKA_TRUST_OCSP_SIGNING, CREATE },
/* vendor trust attributes previuosly used by NSS */
{ CKA_NSS_TRUST_SERVER_AUTH, CREATE },
@@ -1363,12 +1366,14 @@ build_trust_object_eku (CK_ATTRIBUTE *ob
CK_ATTRIBUTE_TYPE type;
const char *oid;
} eku_attribute_map[] = {
+#ifdef USE_STANDARD_TRUST
/* official trust attributes */
{ CKA_TRUST_SERVER_AUTH, P11_OID_SERVER_AUTH_STR },
{ CKA_TRUST_CLIENT_AUTH, P11_OID_CLIENT_AUTH_STR },
{ CKA_TRUST_CODE_SIGNING, P11_OID_CODE_SIGNING_STR },
{ CKA_TRUST_EMAIL_PROTECTION, P11_OID_EMAIL_PROTECTION_STR },
{ CKA_TRUST_TIME_STAMPING, P11_OID_TIME_STAMPING_STR },
+#endif
/* vendor trust attributes previuosly used by NSS */
{ CKA_NSS_TRUST_SERVER_AUTH, P11_OID_SERVER_AUTH_STR },
{ CKA_NSS_TRUST_CLIENT_AUTH, P11_OID_CLIENT_AUTH_STR },

View File

@ -1,6 +1,6 @@
# This spec file has been automatically updated
Version: 0.23.22
Release: 2%{?dist}
Version: 0.26.2
Release: 1%{?dist}
Name: p11-kit
Summary: Library for loading and sharing PKCS#11 modules
@ -8,25 +8,22 @@ License: BSD-3-Clause
URL: http://p11-glue.freedesktop.org/p11-kit.html
Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz
Source1: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig
Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
Source2: https://p11-glue.github.io/p11-glue/p11-kit/p11-kit-release-keyring.gpg
Source3: trust-extract-compat
Source4: p11-kit-client.service
Patch0: 001-dt-needed.patch
Patch1: 002-doc-dep.patch
# commits: 4059f17, d07a8ff, 218e971, c4ade85, 242e5db, ac0da82, 7235af6,
# b72aa47, 506b941, 3c0be1d, 7ea5901, 7675f86, d1782b6
Patch2: 003-IBM-mechs-and-attrs.patch
# Support for legacy PKCS11 definitions to prevent backwards incompatibility
# Remove this in RHEL-11
Patch0: p11-kit-0.26.1-pkcs11-legacy-defs.patch
BuildRequires: gcc
BuildRequires: libtasn1-devel >= 2.3
BuildRequires: libtasn1-tools
BuildRequires: libffi-devel
BuildRequires: gettext
BuildRequires: gtk-doc
BuildRequires: meson
BuildRequires: systemd-devel
BuildRequires: bash-completion
BuildRequires: pkgconfig(bash-completion)
# Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147
# Remove this once it is fixed
BuildRequires: pkgconfig(glib-2.0)
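Review bot: Source2 moves from a key file named after the full fingerprint 462225C3B46F34879FC8496CD605848ED7E69871 to p11-kit-release-keyring.gpg referenced by URL, and `gpgv2 --keyring %{SOURCE2}` accepts a signature made by any key in that keyring. Add a comment next to Source2 listing the signer fingerprint(s) the keyring is expected to hold, so a later keyring refresh that adds or swaps a key shows up in review as more than a changed hash.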
@ -61,9 +58,21 @@ The %{name}-trust package contains a system trust PKCS#11 module which
contains certificate anchors and blocklists.
%package server
Summary: Server and client commands for %{name}
%package client
Summary: Client module from %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-server < 0.25.5-8
%description client
The %{name}-client package contains a PKCS#11 module that enables
accessing other PKCS#11 modules over a Unix domain socket. Note that
this feature is still experimental.
%package server
Summary: Server command for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-server < 0.25.5-8
%description server
The %{name}-server package contains command line tools that enable to
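Review bot: `Obsoletes: %{name}-server < 0.25.5-8` appears under both `%package client` and `%package server`; in the server subpackage it obsoletes older builds of itself, which adds nothing and looks like a copy from the client stanza. Please also confirm the 0.25.5-8 bound against what this branch shipped: the changelog lists 0.25.10-1 and 0.25.3-3 but no 0.25.5 build, so check that a system with the previous -server package installed still ends up with p11-kit-client.so after the upgrade.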
@ -86,7 +95,7 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%autosetup -p1
%build
# These paths are the source paths that come from the plan here:
# These paths are the source paths that come from the plan here:
# https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks
%meson -Dgtk_doc=true -Dman=true -Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source
%meson_build
@ -107,12 +116,12 @@ install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir}
%post trust
%{_sbindir}/alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
%postun trust
if [ $1 -eq 0 ] ; then
# package removal
%{_sbindir}/alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
fi
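Review bot: Both scriptlets now call `alternatives` by bare name instead of `%{_sbindir}/alternatives`, so `%post trust` and `%postun trust` depend on the scriptlet PATH containing the tool. Check that the trust subpackage declares the matching scriptlet dependencies (for example `Requires(post)` and `Requires(postun)` on alternatives), since a failed `--install` leaves %{_libdir}/libnssckbi.so without its link to p11-kit-trust.so.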
@ -125,6 +134,7 @@ fi
%dir %{_sysconfdir}/pkcs11/modules
%dir %{_datadir}/p11-kit
%dir %{_datadir}/p11-kit/modules
%dir %{_libdir}/pkcs11
%dir %{_libexecdir}/p11-kit
%{_bindir}/p11-kit
%{_libdir}/libp11-kit.so.*
@ -134,6 +144,7 @@ fi
%{_mandir}/man8/p11-kit.8.gz
%{_mandir}/man5/pkcs11.conf.5.gz
%{_datadir}/bash-completion/completions/p11-kit
%{_datadir}/zsh/site-functions/_p11-kit
%files devel
%{_includedir}/p11-kit-1/
@ -143,60 +154,275 @@ fi
%files trust
%{_bindir}/trust
%dir %{_libdir}/pkcs11
%ghost %{_libdir}/libnssckbi.so
%{_libdir}/pkcs11/p11-kit-trust.so
%{_datadir}/p11-kit/modules/p11-kit-trust.module
%{_libexecdir}/p11-kit/trust-extract-compat
%{_datadir}/bash-completion/completions/trust
%{_datadir}/zsh/site-functions/_trust
%files server
%files client
%{_libdir}/pkcs11/p11-kit-client.so
%{_userunitdir}/p11-kit-client.service
%files server
%{_libexecdir}/p11-kit/p11-kit-server
%{_userunitdir}/p11-kit-server.service
%{_userunitdir}/p11-kit-server.socket
%changelog
* Fri Dec 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.23.22-2
* Tue Feb 10 2026 Zoltan Fridrich <zfridric@redhat.com> - 0.26.2-1
- Rebase to 0.26.2
Resolves: RHEL-147825
* Thu Jan 22 2026 Zoltan Fridrich <zfridric@redhat.com> - 0.26.1-1
- Rebase to 0.26.1
Resolves: RHEL-139075, RHEL-118361, RHEL-126132
* Mon Sep 22 2025 Zoltan Fridrich <zfridric@redhat.com> - 0.25.10-1
- Update to new upstream release 0.25.10
Resolves: RHEL-115453
* Fri Oct 25 2024 Zoltan Fridrich <zfridric@redhat.com> - 0.25.3-3
- Fix regression in trust where file creation fails for long cert labels
Resolves: RHEL-58899
- Fix usage message in p11-kit list-tokens command
Resolves: RHEL-31810
* Thu Nov 23 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.25.3-2
- Fix issues found by static analysis
Related: RHEL-14834
* Wed Nov 15 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.25.3-1
- Update to new upstream release 0.25.3
Resolves: RHEL-14834
* Wed Nov 8 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.25.2-1
- Update to new upstream release 0.25.2
Resolves: RHEL-14834
- Add IBM specific mechanisms and attributes
Resolves: RHEL-10571
Resolves: RHEL-10570
* Mon Jan 11 2021 Daiki Ueno <dueno@redhat.com> - 0.23.22-1
- Rebase to 0.23.22 to fix memory safety issues (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363)
- Preserve DT_NEEDED information from the previous version, flagged by rpmdiff
- Add xsltproc to BR
* Tue Feb 1 2022 Daiki Ueno <dueno@redhat.com> - 0.24.1-2
- Replace "black list" with "blocklist" in -trust subpackage description (#2026457)
* Tue Nov 10 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-4
- Fix realloc usage on proxy cleanup (#1894979)
- Make 'trust anchor --store' preserve all attributes from .p11-kit files
* Mon Jan 17 2022 Packit Service <user-cont-team+packit-service@redhat.com> - 0.24.1-1
- Release 0.24.1 (Daiki Ueno)
- common: Support copying attribute array recursively (Daiki Ueno)
- common: Add assert_ptr_cmp (Daiki Ueno)
- gtkdoc: remove dependencies on custom target files (Eli Schwartz)
- doc: Replace occurrence of black list with blocklist (Daiki Ueno)
- build: Suppress cppcheck false-positive on array bounds (Daiki Ueno)
- ci: Use Docker image from the same repository (Daiki Ueno)
- ci: Integrate Docker image building to GitHub workflow (Daiki Ueno)
- rpc: Fallback to version 0 if server does not support negotiation (Daiki Ueno)
- build: Port e850e03be65ed573d0b69ee0408e776c08fad8a3 to meson (Daiki Ueno)
- Link libp11-kit so that it cannot unload (Emmanuel Dreyfus)
- trust: Use dngettext for plurals (Daiki Ueno)
- rpc: Support protocol version negotiation (Daiki Ueno)
- rpc: Separate authentication step from transaction (Daiki Ueno)
- Meson: p11_system_config_modules instead of p11_package_config_modules (Issam E. Maghni)
- shell: test -a|o is not POSIX (Issam E. Maghni)
- Meson: Add libtasn1 to trust programs (Issam E. Maghni)
- meson: optionalise glib's development files for gtk_doc (Đoàn Trần Công Danh)
* Tue Nov 3 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-3
- Restore clobbered changelog entry
* Wed Aug 18 2021 DJ Delorie <dj@redhat.com> - 0.24.0-4
- Rebuilt for libffi 3.4.2 SONAME transition.
Related: rhbz#1891914
* Mon Nov 2 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-2
- Update p11-kit-invalid-config.patch to be more thorough (thanks to
Alexander Sosedkin)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.24.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Oct 20 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-1
- Update to upstream 0.23.21 release
* Tue Jul 13 2021 Daiki Ueno <dueno@redhat.com> - 0.24.0-2
- Rebuild with newer GCC to fix annocheck failures
* Fri Mar 29 2019 Daiki Ueno <dueno@redhat.com> - 0.23.14-5
- Fix crash on unloading the library, when it is both linked and dlopen'ed
* Thu Jun 03 2021 Packit Service <user-cont-team+packit-service@redhat.com> - 0.24.0-1
- common: Only check strndup behavior when replacement is used (Daiki Ueno)
- Release 0.24.0 (Daiki Ueno)
- Release 0.23.22 (Daiki Ueno)
- rpc: Tighten attribute array check with manual enumeration (Daiki Ueno)
- Check for SUN_LEN and provide fallback (Claes Nästén)
- Do not define _XOPEN_SOURCE in compat.c on Solaris (Claes Nästén)
- make autogen.sh a bit more portable (Claes Nästén)
- rpc-server: Disable parsing CKF_ARRAY_ATTRIBUTE (Daiki Ueno)
- Update README.md (Daiki Ueno)
- README.md: Suggest using only meson sub-commands instead of ninja (Daiki Ueno)
- p11-kit: Add missing <limits.h> include for SIZE_MAX (Daiki Ueno)
- packit: drop synced_files (Tomas Tomecek)
- packit: fedora renamed master branch to rawhide (Tomas Tomecek)
- Fix minor typo (Yuri Chornoivan)
- po: Add trust/trust.c to POTFILES.in (Daiki Ueno)
- po: Update POTFILES.in (Daiki Ueno)
- trust: Make more strings translatable (Daiki Ueno)
- p11-kit: Make more strings translatable (Daiki Ueno)
- common: Enable message translation in p11_tool_main (Daiki Ueno)
- meson: Make sure to set PROJECT_NAME and ENABLE_NLS for 'nls' option (Daiki Ueno)
- build: Add fuzz/meson.build in the distribution (Daiki Ueno)
- fuzz: Move the directory out of build/ (Daiki Ueno)
- Release all library/mock resources before exit (David Cook)
- Add separate oss-fuzz Makefile target (David Cook)
- Add build targets for future additional fuzzers (David Cook)
- Build fuzzer target from meson/ninja (David Cook)
- Explicit dependency for virtual-fixed-generated.h (David Cook)
- Build fuzzer target from automake (David Cook)
- rpc_fuzzer: Clean up buffer before exit (David Cook)
- New set of fuzzer seeds (David Cook)
- github: Remove unnecessary SRCDIR envvar (Daiki Ueno)
- github: Use runuser instead of su for building and testing (Daiki Ueno)
- github: Use composite action to simplify the main recipe (Daiki Ueno)
- github: Use pre-built container image for building (Daiki Ueno)
- README.md: Add GitHub workflow status (Daiki Ueno)
- travis: Remove configurations other than FreeBSD (Daiki Ueno)
- autotools: Fix for VPATH build (Daiki Ueno)
- github actions: Initial CI setup (Anderson Toshiyuki Sasaki)
- modules: p11_kit_initialize_module: Remove redundant module unref (Daiki Ueno)
- server: Account for NUL byte at the end of Unix domain socket path (Daiki Ueno)
- compat: Expose FreeBSD specific issetugid, getresuid, and getresgid (Daiki Ueno)
- compat: Remove <unistd.h> inclusion from compat.h (Daiki Ueno)
- compat: Avoid unused variables warning in fdwalk emulation (Daiki Ueno)
- compat: Pacify ASan complaints on intentionally leaked buffer (Daiki Ueno)
- meson: Link trust/client modules explicitly to -ldl (Daiki Ueno)
- p11-kit/lists.c: Add stdint.h to fix compilation (Daniel Engberg)
- Follow-up to arithmetic overflow fix (David Cook)
- Check for arithmetic overflows before allocating (David Cook)
- Check attribute length against buffer size (David Cook)
- Fix bounds check in p11_rpc_buffer_get_byte_array (David Cook)
- Fix buffer overflow in log_token_info (David Cook)
- common: Don't assume __STDC_VERSION__ is always defined (Daiki Ueno)
- compat: getauxval: correct compiler macro for FreeBSD (Daiki Ueno)
- compat: fdwalk: add guard for Linux specific local variables (Daiki Ueno)
- meson: Add missing libtasn1 dependency (Daiki Ueno)
- travis: Add freebsd build (Daiki Ueno)
- anchor: Prefer persistent format when storing anchor (Daiki Ueno)
- travis: Run "make check" along with "make distcheck" for coverage (Daiki Ueno)
- travis: Use python3 as the default Python interpreter (Daiki Ueno)
- travis: Route to Ubuntu 20.04 base image (Daiki Ueno)
- meson: Set -fstack-protector for MinGW64 cross build (Daiki Ueno)
- meson: expand ternary operator in function call for compatibility (Daiki Ueno)
- meson: Use custom_target for generating external XML entities (Daiki Ueno)
- meson: Allow building manpages without gtk-doc (Jan Alexander Steffens (heftig))
- Rename is_path_component to is_path_separator (Alexander Sosedkin)
- Use is_path_component in one more place (Alexander Sosedkin)
- Remove more duplicate separators in p11_path_build (Alexander Sosedkin)
- common: Fix infloop in p11_path_build (Daiki Ueno)
- Use inclusive language on certificate distrust (Daiki Ueno)
- proxy: C_CloseAllSessions: Make sure that calloc args are non-zero (Daiki Ueno)
- build: Use calloc in a consistent manner (Daiki Ueno)
- meson: Allow override of default bashcompdir. Fixes meson regression (issue #322). Pass -Dbashcompdir=/xxx to meson. (John Hein)
- common: Check for a NULL locale before freeing it (Tavian Barnes)
- p11_test_copy_setgid: Skip setgid tests on nosuid filesystems (Anders Kaseorg)
- unix-peer: replace incorrect include1 (Rosen Penev)
- test-compat: Skip getprogname test if BUILDDIR contains a symlink (Daiki Ueno)
- add trust-extract-compat into EXTRA-DIST (X Ruoyao)
- meson: install trust-extract-compat (X Ruoyao)
- rename trust-extract-compat.in to trust-extract-compat (X Ruoyao)
* Mon Oct 29 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-4
- Prefer fixed closures to libffi closures
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.23.22-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Oct 17 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-3
- Update p11-kit-coverity.patch
* Tue Jan 26 2021 Daiki Ueno <dueno@redhat.com> - 0.23.22-3
- Suppress intentional memleak in getprogname emulation (#1905581)
* Tue Oct 16 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-2
- Fix issues spotted by coverity
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.22-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Oct 10 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-1
* Fri Dec 11 2020 Packit Service <user-cont-team+packit-service@redhat.com> - 0.23.22-1
- Release 0.23.22 (Daiki Ueno)
- Follow-up to arithmetic overflow fix (David Cook)
- Check for arithmetic overflows before allocating (David Cook)
- Check attribute length against buffer size (David Cook)
- Fix bounds check in p11_rpc_buffer_get_byte_array (David Cook)
- Fix buffer overflow in log_token_info (David Cook)
- common: Don't assume __STDC_VERSION__ is always defined (Daiki Ueno)
- compat: getauxval: correct compiler macro for FreeBSD (Daiki Ueno)
- compat: fdwalk: add guard for Linux specific local variables (Daiki Ueno)
- meson: Add missing libtasn1 dependency (Daiki Ueno)
- travis: Add freebsd build (Daiki Ueno)
- anchor: Prefer persistent format when storing anchor (Daiki Ueno)
- travis: Run "make check" along with "make distcheck" for coverage (Daiki Ueno)
- travis: Use python3 as the default Python interpreter (Daiki Ueno)
- travis: Route to Ubuntu 20.04 base image (Daiki Ueno)
- meson: Set -fstack-protector for MinGW64 cross build (Daiki Ueno)
- meson: expand ternary operator in function call for compatibility (Daiki Ueno)
- meson: Use custom_target for generating external XML entities (Daiki Ueno)
- meson: Allow building manpages without gtk-doc (Jan Alexander Steffens (heftig))
- Rename is_path_component to is_path_separator (Alexander Sosedkin)
- Use is_path_component in one more place (Alexander Sosedkin)
- Remove more duplicate separators in p11_path_build (Alexander Sosedkin)
- common: Fix infloop in p11_path_build (Daiki Ueno)
- proxy: C_CloseAllSessions: Make sure that calloc args are non-zero (Daiki Ueno)
- build: Use calloc in a consistent manner (Daiki Ueno)
- meson: Allow override of default bashcompdir. Fixes meson regression (issue #322). Pass -Dbashcompdir=/xxx to meson. (John Hein)
- common: Check for a NULL locale before freeing it (Tavian Barnes)
- p11_test_copy_setgid: Skip setgid tests on nosuid filesystems (Anders Kaseorg)
- unix-peer: replace incorrect include1 (Rosen Penev)
- test-compat: Skip getprogname test if BUILDDIR contains a symlink (Daiki Ueno)
- add trust-extract-compat into EXTRA-DIST (X Ruoyao)
- meson: install trust-extract-compat (X Ruoyao)
- rename trust-extract-compat.in to trust-extract-compat (X Ruoyao)
* Thu Nov 12 2020 Alexander Sosedkin <asosedkin@redhat.com> - 0.23.21-3
- Add an explicit build dependency on xsltproc
* Tue Aug 18 2020 Packit Service <user-cont-team+packit-service@redhat.com> - 0.23.21-2
- new upstream release: 0.23.21
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.20-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Daiki Ueno <dueno@redhat.com> - 0.23.20-1
- Update to upstream 0.23.20 release
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 0.23.19-1
- Update to upstream 0.23.19 release
- Check archive signature in %%prep
- Switch to using Meson as the build system
* Mon Sep 30 2019 Daiki Ueno <dueno@redhat.com> - 0.23.18.1-1
- Update to upstream 0.23.18.1 release
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.16.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu May 23 2019 Daiki Ueno <dueno@redhat.com> - 0.23.16.1-1
- Update to upstream 0.23.16.1 release
* Thu May 23 2019 Daiki Ueno <dueno@redhat.com> - 0.23.16-1
- Update to upstream 0.23.16 release
* Mon Feb 18 2019 Daiki Ueno <dueno@redhat.com> - 0.23.15-3
- trust: Ignore unreadable content in anchors
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.15-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 21 2019 Daiki Ueno <dueno@redhat.com> - 0.23.15-1
- Update to upstream 0.23.15 release
* Fri Jan 11 2019 Nils Philippsen <nils@tiptoe.de> - 0.23.14-3
- use spaces instead of tabs consistently
- prefer fixed closures to libffi closures (#1656245, patch by Daiki Ueno)
* Mon Oct 29 2018 James Antill <james.antill@redhat.com> - 0.23.14-2
- Remove ldconfig scriptlet, now done via. transfiletrigger in glibc.
* Fri Sep 07 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-1
- Update to upstream 0.23.14 release
* Wed Aug 15 2018 Daiki Ueno <dueno@redhat.com> - 0.23.13-3
- Forcibly link with libpthread to avoid regressions (rhbz#1615038)
* Wed Aug 15 2018 Daiki Ueno <dueno@redhat.com> - 0.23.13-2
- Fix invalid memory access on proxy cleanup
* Fri Aug 10 2018 Daiki Ueno <dueno@redhat.com> - 0.23.13-1
- Update to upstream 0.23.13 release
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.12-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed May 30 2018 Daiki Ueno <dueno@redhat.com> - 0.23.12-1
- Update to upstream 0.23.11 release