import pesign-0.112-25.el8

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/certs.tar.xz
+SOURCES/pesign-0.112.tar.bz2

.pesign.metadata

@@ -0,0 +1,2 @@
+53d9b43ef6eadb4512ce9738b5a6efbb40477983 SOURCES/certs.tar.xz
+7cba5cfddabc425d0a927edfdd6865cc92f00c7b SOURCES/pesign-0.112.tar.bz2

SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch

@@ -0,0 +1,72 @@
+From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 21 Apr 2016 10:47:34 -0400
+Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686
+ and it's unused.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/cms_common.c | 34 ----------------------------------
+ src/cms_common.h |  1 -
+ 2 files changed, 35 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index b19bc62..6a4e6a7 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str)
+ 	return 0;
+ }
+ 
+-static SEC_ASN1Template IntegerTemplate[] = {
+-	{.kind = SEC_ASN1_INTEGER,
+-	 .offset = 0,
+-	 .sub = NULL,
+-	 .size = sizeof(long),
+-	},
+-	{ 0 },
+-};
+-
+-int
+-generate_integer(cms_context *cms, SECItem *der, unsigned long integer)
+-{
+-	void *ret;
+-
+-	uint32_t u32;
+-
+-	SECItem input = {
+-		.data = (void *)&integer,
+-		.len = sizeof(integer),
+-		.type = siUnsignedInteger,
+-	};
+-
+-	if (integer < 0x100000000) {
+-		u32 = integer & 0xffffffffUL;
+-		input.data = (void *)&u32;
+-		input.len = sizeof(u32);
+-	}
+-
+-	ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate);
+-	if (ret == NULL)
+-		cmsreterr(-1, cms, "could not encode data");
+-	return 0;
+-}
+-
+ int
+ generate_time(cms_context *cms, SECItem *encoded, time_t when)
+ {
+diff --git a/src/cms_common.h b/src/cms_common.h
+index 7d77faf..c7d7268 100644
+--- a/src/cms_common.h
++++ b/src/cms_common.h
+@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded,
+ 				SECOidTag tag);
+ extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded);
+ extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when);
+-extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer);
+ extern int generate_string(cms_context *cms, SECItem *der, char *str);
+ extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
+ extern int wrap_in_seq(cms_context *cms, SECItem *der,
+-- 
+2.13.4
+

SOURCES/0002-Fix-command-line-parsing.patch

@@ -0,0 +1,73 @@
+From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Thu, 9 Jun 2016 14:30:37 +0200
+Subject: [PATCH 02/29] Fix command line parsing
+
+The gettext translation domain should be passed as .arg, not .descrip,
+otherwise popt won't process any of the command line options (it stops
+looping over the struct poptOption array when an entry has unset
+longName, shortName and arg).
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+---
+ src/client.c     | 2 +-
+ src/efikeygen.c  | 2 +-
+ src/efisiglist.c | 2 +-
+ src/pesigcheck.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/client.c b/src/client.c
+index 028419f..575c873 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -555,7 +555,7 @@ main(int argc, char *argv[])
+ 
+ 	struct poptOption options[] = {
+ 		{.argInfo = POPT_ARG_INTL_DOMAIN,
+-		 .descrip = "pesign" },
++		 .arg = "pesign" },
+ 		{.longName = "token",
+ 		 .shortName = 't',
+ 		 .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
+diff --git a/src/efikeygen.c b/src/efikeygen.c
+index 6278849..8a515a5 100644
+--- a/src/efikeygen.c
++++ b/src/efikeygen.c
+@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
+ 	poptContext optCon;
+ 	struct poptOption options[] = {
+ 		{.argInfo = POPT_ARG_INTL_DOMAIN,
+-		 .descrip = "pesign" },
++		 .arg = "pesign" },
+ 		/* global nss-ish things */
+ 		{.longName = "dbdir",
+ 		 .shortName = 'd',
+diff --git a/src/efisiglist.c b/src/efisiglist.c
+index cd3f1ae..40d6a93 100644
+--- a/src/efisiglist.c
++++ b/src/efisiglist.c
+@@ -126,7 +126,7 @@ main(int argc, char *argv[])
+ 
+ 	struct poptOption options[] = {
+ 		{.argInfo = POPT_ARG_INTL_DOMAIN,
+-		 .descrip = "pesign" },
++		 .arg = "pesign" },
+ 		{.longName = "infile",
+ 		 .shortName = 'i',
+ 		 .argInfo = POPT_ARG_STRING,
+diff --git a/src/pesigcheck.c b/src/pesigcheck.c
+index 1328fe9..0d49c1a 100644
+--- a/src/pesigcheck.c
++++ b/src/pesigcheck.c
+@@ -214,7 +214,7 @@ main(int argc, char *argv[])
+ 	poptContext optCon;
+ 	struct poptOption options[] = {
+ 		{.argInfo = POPT_ARG_INTL_DOMAIN,
+-		 .descrip = "pesign" },
++		 .arg = "pesign" },
+ 		{.longName = "dbfile",
+ 		 .shortName = 'D',
+ 		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
+-- 
+2.13.4
+

SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch

@@ -0,0 +1,26 @@
+From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 10 Aug 2016 17:12:39 -0400
+Subject: [PATCH 03/29] gcc: don't error on stuff in includes.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Make.defaults | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index c97b452..3511080 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
+ CC	:= $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
+ CCLD	:= $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
+ CFLAGS	?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
+-	   -Wall -Werror -Wextra
++	   -Wall -Werror -Wextra -Wno-error=cpp
+ AS	:= $(CROSS_COMPILE)as
+ AR	:= $(CROSS_COMPILE)gcc-ar
+ RANLIB	:= $(CROSS_COMPILE)gcc-ranlib
+-- 
+2.13.4
+

SOURCES/0004-Fix-certficate-argument-name.patch

@@ -0,0 +1,39 @@
+From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 18 Apr 2017 19:00:34 -0400
+Subject: [PATCH 04/29] Fix "certficate" argument name.
+
+This fixes our typoed argument name by making the incorrectly spelled
+version be a popt alias, and fixing the real implementation to be
+spelled right in pesign.c .
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign.c    | 2 +-
+ src/pesign.popt | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/pesign.c b/src/pesign.c
+index af374b6..279a17a 100644
+--- a/src/pesign.c
++++ b/src/pesign.c
+@@ -438,7 +438,7 @@ main(int argc, char *argv[])
+ 		 .arg = &ctxp->outfile,
+ 		 .descrip = "specify output file",
+ 		 .argDescrip = "<outfile>" },
+-		{.longName = "certficate",
++		{.longName = "certificate",
+ 		 .shortName = 'c',
+ 		 .argInfo = POPT_ARG_STRING,
+ 		 .arg = &certname,
+diff --git a/src/pesign.popt b/src/pesign.popt
+index 7b3385d..5a97748 100644
+--- a/src/pesign.popt
++++ b/src/pesign.popt
+@@ -1,2 +1,3 @@
+ pesign alias --cert --certificate
++pesign alias --certficate --certificate
+ pesign alias --daemon --daemonize
+-- 
+2.13.4
+

SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch

@@ -0,0 +1,26 @@
+From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Mon, 27 Jun 2016 15:38:38 +0200
+Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage
+
+The --ascii option does not exist.
+---
+ src/pesign.1 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pesign.1 b/src/pesign.1
+index 47d1aec..29ae060 100644
+--- a/src/pesign.1
++++ b/src/pesign.1
+@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR
+ Export the certificate specified by \-\-certificate to \fIoutcert\fR
+ 
+ .TP
+-\fB-\-ascii\fR
++\fB-\-ascii\-armor\fR
+ Use ascii armoring on exported certificates.
+ 
+ .TP
+-- 
+2.13.4
+

SOURCES/0006-Make-ascii-work-since-we-documented-it.patch

@@ -0,0 +1,22 @@
+From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 18 Apr 2017 19:05:40 -0400
+Subject: [PATCH 06/29] Make --ascii work, since we documented it.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign.popt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pesign.popt b/src/pesign.popt
+index 5a97748..5ae0c5c 100644
+--- a/src/pesign.popt
++++ b/src/pesign.popt
+@@ -1,3 +1,4 @@
+ pesign alias --cert --certificate
+ pesign alias --certficate --certificate
+ pesign alias --daemon --daemonize
++pesign alias --ascii --ascii-armor
+-- 
+2.13.4
+

SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch

@@ -0,0 +1,32 @@
+From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
+From: Pat Riehecky <riehecky@fnal.gov>
+Date: Mon, 7 Nov 2016 11:37:08 -0600
+Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros
+ rather than use hard coded values
+
+---
+ src/macros.pesign | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 18e5b5e..69280e9 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -41,11 +41,11 @@
+                  --certdir ${nss} -c signer %{-o}			\
+       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
+     elif [ -S /var/run/pesign/socket ]; then				\
+-      %{_pesign_client} -t "OpenSC Card (Fedora Signer)"		\\\
+-                        -c "/CN=Fedora Secure Boot Signer"		\\\
++      %{_pesign_client} -t %{__pesign_token}				\\\
++                        -c %{__pesign_cert}				\\\
+                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
+     else								\
+-      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
++      %{_pesign} -t %{__pesign_token} -c %{__pesign_cert}		\\\
+ 		 --certdir ${_pesign_nssdir}				\\\
+                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
+     fi									\
+-- 
+2.13.4
+

SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch

@@ -0,0 +1,25 @@
+From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
+From: David Michael <david.michael@coreos.com>
+Date: Thu, 16 Feb 2017 15:08:30 -0800
+Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer
+
+---
+ src/certdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/certdb.c b/src/certdb.c
+index 2a08042..b7c99bb 100644
+--- a/src/certdb.c
++++ b/src/certdb.c
+@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ 	}
+ 	/* Verify the signature */
+ 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
+-						certUsageSSLServer,
++						certUsageObjectSigner,
+ 						digest, HASH_AlgSHA256,
+ 						PR_FALSE, atTime);
+ 	if (!result) {
+-- 
+2.13.4
+

SOURCES/0009-pesigcheck-make-certfile-actually-work.patch

@@ -0,0 +1,47 @@
+From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 24 Apr 2017 15:18:10 -0400
+Subject: [PATCH 09/29] pesigcheck: make --certfile actually work
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesigcheck.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/pesigcheck.c b/src/pesigcheck.c
+index 0d49c1a..d7be542 100644
+--- a/src/pesigcheck.c
++++ b/src/pesigcheck.c
+@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx)
+ 	cert_iter iter;
+ 
+ 	generate_digest(ctx->cms_ctx, ctx->inpe, 1);
+-	
++
+ 	if (check_db_hash(DBX, ctx) == FOUND)
+ 		return -1;
+ 
+@@ -225,6 +225,11 @@ main(int argc, char *argv[])
+ 		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
+ 		 .arg = (void *)callback,
+ 		 .descrip = (void *)ctxp },
++		{.longName = "certfile",
++		 .shortName = 'c',
++		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
++		 .arg = (void *)callback,
++		 .descrip = (void *)ctxp },
+ 		{.longName = "in",
+ 		 .shortName = 'i',
+ 		 .argInfo = POPT_ARG_STRING,
+@@ -258,7 +263,7 @@ main(int argc, char *argv[])
+ 		 .shortName = 'c',
+ 		 .argInfo = POPT_ARG_STRING,
+ 		 .arg = &certfile,
+-		 .descrip = "the certificate (in DER form) for verification ",
++		 .descrip = "import certfile (in DER encoding) for allowed certificate",
+ 		 .argDescrip = "<certfile>" },
+ 		POPT_AUTOALIAS
+ 		POPT_AUTOHELP
+-- 
+2.13.4
+

SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch

@@ -0,0 +1,27 @@
+From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 25 Apr 2017 16:15:07 -0400
+Subject: [PATCH 10/29] signerInfos: make sure err is always initialized
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/signed_data.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/signed_data.c b/src/signed_data.c
+index 721db90..9e0af23 100644
+--- a/src/signed_data.c
++++ b/src/signed_data.c
+@@ -132,7 +132,8 @@ int
+ generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type)
+ {
+ 	SpcSignerInfo **signerInfo_list;
+-	int err, rc;
++	int err = 0;
++	int rc;
+ 
+ 	if (!signerInfo_list_p)
+ 		return -1;
+-- 
+2.13.4
+

SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch

@@ -0,0 +1,26 @@
+From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 25 Apr 2017 16:23:36 -0400
+Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pesign.c b/src/pesign.c
+index 279a17a..5879cfc 100644
+--- a/src/pesign.c
++++ b/src/pesign.c
+@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx)
+ 	if (!ctx)
+ 		return;
+ 
+-	printf("hash: ");
++	printf("%s ", pctx->infile);
+ 	int j = ctx->selected_digest;
+ 	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
+ 		printf("%02x",
+-- 
+2.13.4
+

SOURCES/0012-Add-coverity-build-scripts.patch

@@ -0,0 +1,104 @@
+From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 10 May 2017 10:49:57 -0400
+Subject: [PATCH 12/29] Add coverity build scripts
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ .gitignore    |  1 +
+ Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
+ Make.defaults |  2 ++
+ Make.rules    |  4 ++++
+ Makefile      |  1 +
+ 5 files changed, 45 insertions(+)
+ create mode 100644 Make.coverity
+
+diff --git a/.gitignore b/.gitignore
+index 1635ba2..847e172 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -12,3 +12,4 @@
+ *.tar.*
+ *.rpm
+ core.*
++cov-int
+diff --git a/Make.coverity b/Make.coverity
+new file mode 100644
+index 0000000..b80b091
+--- /dev/null
++++ b/Make.coverity
+@@ -0,0 +1,37 @@
++include $(TOPDIR)/Make.version
++include $(TOPDIR)/Make.rules
++include $(TOPDIR)/Make.defaults
++
++COV_EMAIL=$(call get-config,coverity.email)
++COV_TOKEN=$(call get-config,coverity.token)
++COV_URL=$(call get-config,coverity.url)
++COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2
++
++cov-int : clean
++	cov-build --dir cov-int make all
++
++cov-clean :
++	@rm -vf $(NAME)-coverity-*.tar.*
++	@if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi
++
++cov-file : | $(COV_FILE)
++
++$(COV_FILE) : cov-int
++	tar caf $@ cov-int
++
++cov-upload :
++	@if [[ -n "$(COV_URL)" ]] &&					\
++	    [[ -n "$(COV_TOKEN)" ]] &&					\
++	    [[ -n "$(COV_EMAIL)" ]] ;					\
++	then								\
++		echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
++		curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
++	else								\
++		echo Coverity output is in $(COV_FILE) ;		\
++	fi
++
++coverity : cov-file cov-upload
++
++clean : | cov-clean
++
++.PHONY : coverity cov-upload cov-clean cov-file
+diff --git a/Make.defaults b/Make.defaults
+index 3511080..39b78f0 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -1,3 +1,5 @@
++NAME	= pesign
++COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master)
+ prefix	?= /usr/
+ prefix	:= $(abspath $(prefix))/
+ libdir	?= $(prefix)lib64/
+diff --git a/Make.rules b/Make.rules
+index af5ecfe..5e3c83d 100644
+--- a/Make.rules
++++ b/Make.rules
+@@ -79,3 +79,7 @@ endef
+ 
+ $(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% :
+ 	$(MAKE) -C $(TOPDIR)/libdpe $(notdir $@)
++
++define get-config =
++$(shell git config --local --get "$(NAME).$(1)")
++endef
+diff --git a/Makefile b/Makefile
+index db8eb7e..ca1a359 100644
+--- a/Makefile
++++ b/Makefile
+@@ -4,6 +4,7 @@ TOPDIR = $(realpath .)
+ include $(TOPDIR)/Make.version
+ include $(TOPDIR)/Make.rules
+ include $(TOPDIR)/Make.defaults
++include $(TOPDIR)/Make.coverity
+ 
+ SUBDIRS := include libdpe src
+ 
+-- 
+2.13.4
+

SOURCES/0013-Document-implicit-fallthrough.patch

@@ -0,0 +1,25 @@
+From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sat, 8 Jul 2017 16:31:18 -0400
+Subject: [PATCH 13/29] Document implicit fallthrough.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/authvar.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/authvar.c b/src/authvar.c
+index ad659ca..03e0c47 100644
+--- a/src/authvar.c
++++ b/src/authvar.c
+@@ -511,6 +511,7 @@ main(int argc, char *argv[])
+ 	case IMPORT|SET:
+ 	case IMPORT|SIGN|SET:
+ 		fprintf(stderr, "authvar: not implemented\n");
++		/* fallthrough. */
+ 	case IMPORT|SIGN|EXPORT:
+ 	default:
+ 		fprintf(stderr, "authvar: invalid flags: ");
+-- 
+2.13.4
+

SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch

@@ -0,0 +1,50 @@
+From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 16 May 2016 15:25:53 -0400
+Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-authorize-groups | 6 +++---
+ src/pesign-authorize-users  | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index a4f895e..cf51fb6 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then
+ 		setfacl -m g:${group}:rw /var/run/pesign/socket
+ 	    fi
+ 	fi
+-	for x in /etc/pki/pesign* ; do
++	for x in /etc/pki/pesign*/ ; do
+ 	    if [ -d ${x} ]; then
+-		setfacl -m g:${group}:rx /etc/pki/pesign
+-		for y in ${x}/{cert8,key3,secmod}.db ; do
++		setfacl -m g:${group}:rx ${x}
++		for y in ${x}{cert8,key3,secmod}.db ; do
+ 		    setfacl -m g:${group}:rw ${y}
+ 		done
+ 	    fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index 8b9a885..940138e 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then
+ 		setfacl -m g:${username}:rw /var/run/pesign/socket
+ 	    fi
+ 	fi
+-	for x in /etc/pki/pesign* ; do
++	for x in /etc/pki/pesign*/ ; do
+ 	    if [ -d ${x} ]; then
+-		setfacl -m g:${username}:rx /etc/pki/pesign
+-		for y in ${x}/{cert8,key3,secmod}.db ; do
++		setfacl -m g:${username}:rx ${x}
++		for y in ${x}{cert8,key3,secmod}.db ; do
+ 		    setfacl -m g:${username}:rw ${y}
+ 		done
+ 	    fi
+-- 
+2.13.4
+

SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch

@@ -0,0 +1,59 @@
+From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 22 Aug 2016 13:31:38 -0400
+Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
+ indices.
+
+That was all kinds of wrong.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/oid.c | 10 +++++++---
+ src/oid.h |  1 +
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/oid.c b/src/oid.c
+index 9d8154f..7037e1e 100644
+--- a/src/oid.c
++++ b/src/oid.c
+@@ -33,6 +33,7 @@ static uint8_t oiddata[] = {
+ 	0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f,
+ 	0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15,
+ 	0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01,
++	0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02,
+ };
+ 
+ #define OID(num, desc_s, oidtype, length, value)		\
+@@ -53,11 +54,14 @@ static struct {
+ 	OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10,
+ 		&oiddata[10]),
+ 	OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10,
+-		&oiddata[30]),
++		&oiddata[20]),
+ 	OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID,
+-		10, &oiddata[40]),
++		10, &oiddata[30]),
+ 	OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version",
+-		siAsciiString, 9, &oiddata[50]),
++		siAsciiString, 9, &oiddata[40]),
++	OID(SHIM_EKU_MODULE_SIGNING_ONLY,
++		"Certificate is used for kernel modules only", siDEROID, 10,
++		&oiddata[49]),
+ 	{ .oid = END_OID_LIST }
+ };
+ 
+diff --git a/src/oid.h b/src/oid.h
+index 599f49d..0e00781 100644
+--- a/src/oid.h
++++ b/src/oid.h
+@@ -25,6 +25,7 @@ typedef enum {
+ 	SPC_PE_IMAGE_DATA_OBJID,		/* 1.3.6.1.4.1.311.2.1.15 */
+ 	SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID,	/* 1.3.6.1.4.1.311.2.1.21 */
+ 	szOID_CERTSRV_CA_VERSION,		/* 1.3.6.1.4.1.311.21.1 */
++	SHIM_EKU_MODULE_SIGNING_ONLY,		/* 1.3.6.1.4.1.2312.16.1.2 */
+ 	END_OID_LIST
+ } ms_oid_t;
+ 
+-- 
+2.13.4
+

SOURCES/0016-efikeygen-add-modsign.patch

@@ -0,0 +1,197 @@
+From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 22 Aug 2016 13:43:56 -0400
+Subject: [PATCH 16/29] efikeygen: add --modsign
+
+---
+ src/cms_common.c | 29 ++++++++++++++++++++++++++++
+ src/cms_common.h |  1 +
+ src/efikeygen.c  | 59 ++++++++++++++++++++++++++++++++++++++++++++------------
+ 3 files changed, 77 insertions(+), 12 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 6a4e6a7..2df2cfe 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
+ 	return 0;
+ }
+ 
++static SEC_ASN1Template EKUOidSequence[] = {
++	{
++	.kind = SEC_ASN1_OBJECT_ID,
++	.offset = 0,
++	.sub = &SEC_AnyTemplate,
++	.size = sizeof (SECItem),
++	},
++	{ 0 }
++};
++
++int
++make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag)
++{
++	void *rv;
++	SECOidData *oid_data;
++
++	oid_data = SECOID_FindOIDByTag(oid_tag);
++	if (!oid_data)
++		cmsreterr(-1, cms, "could not encode eku oid data");
++
++	rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid,
++				EKUOidSequence);
++	if (rv == NULL)
++		cmsreterr(-1, cms, "could not encode eku oid data");
++
++	encoded->type = siBuffer;
++	return 0;
++}
++
+ int
+ generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
+ {
+diff --git a/src/cms_common.h b/src/cms_common.h
+index c7d7268..7a31273 100644
+--- a/src/cms_common.h
++++ b/src/cms_common.h
+@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
+ 			SECItem *items, int num_items);
+ extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
+ 			SECItem *original);
++extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
+ extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
+ 				time_t end);
+ extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
+diff --git a/src/efikeygen.c b/src/efikeygen.c
+index 8a515a5..9390578 100644
+--- a/src/efikeygen.c
++++ b/src/efikeygen.c
+@@ -49,6 +49,7 @@
+ #include <libdpe/libdpe.h>
+ 
+ #include "cms_common.h"
++#include "oid.h"
+ #include "util.h"
+ 
+ typedef struct {
+@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle)
+ }
+ 
+ static int
+-add_extended_key_usage(cms_context *cms, void *extHandle)
++add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
+ {
+-	SECItem value = {
+-		.data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01"
+-					 "\x05\x05\x07\x03\x03",
+-		.len = 12,
+-		.type = siBuffer
+-	};
++	SECItem values[2];
++	SECItem wrapped = { 0 };
++	SECStatus status;
++	SECOidTag tag;
++	int rc;
++
++	if (modsign_only < 1 || modsign_only > 2)
++		cmsreterr(-1, cms, "could not encode extended key usage");
+ 
++	rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
++	if (rc < 0)
++		cmsreterr(-1, cms, "could not encode extended key usage");
++
++	tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY);
++	printf("tag: %d\n", tag);
++	rc = make_eku_oid(cms, &values[1], tag);
++	if (rc < 0)
++		cmsreterr(-1, cms, "could not encode extended key usage");
++
++	rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
++	if (rc < 0)
++		cmsreterr(-1, cms, "could not encode extended key usage");
+ 
+-	SECStatus status;
+ 
+ 	status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
+-					&value, PR_FALSE, PR_TRUE);
++					&wrapped, PR_FALSE, PR_TRUE);
+ 	if (status != SECSuccess)
+ 		cmsreterr(-1, cms, "could not encode extended key usage");
+ 
+@@ -294,7 +309,7 @@ static int
+ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
+ 			int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,
+ 			SECKEYPublicKey *spubkey,
+-			char *url)
++			char *url, int modsign_only)
+ {
+ 	void *mark = PORT_ArenaMark(cms->arena);
+ 
+@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
+ 	if (rc < 0)
+ 		cmsreterr(-1, cms, "could not generate certificate extensions");
+ 
+-	rc = add_extended_key_usage(cms, extHandle);
++	rc = add_extended_key_usage(cms, modsign_only, extHandle);
+ 	if (rc < 0)
+ 		cmsreterr(-1, cms, "could not generate certificate extensions");
+ 
+@@ -469,6 +484,7 @@ int main(int argc, char *argv[])
+ {
+ 	int is_ca = 0;
+ 	int is_self_signed = -1;
++	int modsign_only = 0;
+ 	char *tokenname = "NSS Certificate DB";
+ 	char *signer = NULL;
+ 	char *nickname = NULL;
+@@ -522,6 +538,18 @@ int main(int argc, char *argv[])
+ 		 .descrip = "Generate a self-signed certificate" },
+ 
+ 		/* stuff about the generated key */
++		{.longName = "kernel",
++		 .shortName = 'k',
++		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
++		 .arg = &modsign_only,
++		 .val = 1,
++		 .descrip = "Generate a kernel-signing certificate" },
++		{.longName = "module",
++		 .shortName = 'm',
++		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
++		 .arg = &modsign_only,
++		 .val = 2,
++		 .descrip = "Generate a module-signing certificate" },
+ 		{.longName = "nickname",
+ 		 .shortName = 'n',
+ 		 .argInfo = POPT_ARG_STRING,
+@@ -628,6 +656,9 @@ int main(int argc, char *argv[])
+ 			liberr(1, "could not allocate cms context");
+ 	}
+ 
++	if (modsign_only < 1 || modsign_only > 2)
++		errx(1, "either --kernel or --module must be used");
++
+ 	SECStatus status = NSS_InitReadWrite(dbdir);
+ 	if (status != SECSuccess)
+ 		nsserr(1, "could not initialize NSS");
+@@ -639,6 +670,10 @@ int main(int argc, char *argv[])
+ 	SECKEYPublicKey *pubkey = NULL;
+ 	SECKEYPrivateKey *privkey = NULL;
+ 
++	status = register_oids(cms);
++	if (status != SECSuccess)
++		nsserr(1, "Could not register OIDs");
++
+ 	PK11SlotInfo *slot = NULL;
+ 	if (pubfile) {
+ 		rc = get_pubkey_from_file(pubfile, &pubkey);
+@@ -713,7 +748,7 @@ int main(int argc, char *argv[])
+ 	crq = CERT_CreateCertificateRequest(name, spki, &attributes);
+ 
+ 	rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,
+-					spubkey, url);
++					spubkey, url, modsign_only);
+ 	if (rc < 0)
+ 		exit(1);
+ 
+-- 
+2.13.4
+

SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch

@@ -0,0 +1,121 @@
+From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 25 Apr 2017 16:25:02 -0400
+Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
+ validation time.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 66 insertions(+), 9 deletions(-)
+
+diff --git a/src/certdb.c b/src/certdb.c
+index b7c99bb..1a4baf1 100644
+--- a/src/certdb.c
++++ b/src/certdb.c
+@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx)
+ 	return check_db(which, ctx, check_hash, NULL, 0);
+ }
+ 
+-static PRTime
+-determine_reasonable_time(CERTCertificate *cert)
++static void
++find_cert_times(SEC_PKCS7ContentInfo *cinfo,
++		PRTime *notBefore, PRTime *notAfter)
+ {
+-	PRTime notBefore, notAfter;
+-	CERT_GetCertTimes(cert, &notBefore, &notAfter);
+-	return notBefore;
++	CERTCertDBHandle *defaultdb, *certdb;
++	SEC_PKCS7SignedData *sdp;
++	CERTCertificate **certs = NULL;
++	SECItem **rawcerts;
++	int i, certcount;
++	SECStatus rv;
++
++	if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) {
++err:
++		*notBefore = 0;
++		*notAfter = 0x7fffffffffffffff;
++		return;
++	}
++
++	sdp = cinfo->content.signedData;
++	rawcerts = sdp->rawCerts;
++
++	defaultdb = CERT_GetDefaultCertDB();
++
++	certdb = defaultdb;
++	if (certdb == NULL)
++		goto err;
++
++	certcount = 0;
++	if (rawcerts != NULL) {
++		for (; rawcerts[certcount] != NULL; certcount++)
++			;
++	}
++	rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount,
++			      rawcerts, &certs, PR_FALSE, PR_FALSE, NULL);
++	if (rv != SECSuccess)
++		goto err;
++
++	for (i = 0; i < certcount; i++) {
++		PRTime nb = 0, na = 0x7fffffffffff;
++		CERT_GetCertTimes(certs[i], &nb, &na);
++		if (*notBefore < nb)
++			*notBefore = nb;
++		if (*notAfter > na)
++			*notAfter = na;
++	}
++
++	CERT_DestroyCertArray(certs, certcount);
+ }
+ 
+ static db_status
+@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ 	PRBool result;
+ 	SECStatus rv;
+ 	db_status status = NOT_FOUND;
++	PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
++	PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
+ 
+ 	efi_guid_t efi_x509 = efi_guid_x509_cert;
+ 
+@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ 	}
+ 	cert->timeOK = PR_TRUE;
+ 
++	find_cert_times(cinfo, &notBefore, &notAfter);
++	if (earlyNow < notBefore)
++		earlyNow = notBefore;
++	if (lateNow > notAfter)
++		lateNow = notAfter;
++
+ 	SECItem *eTime;
+ 	PRTime atTime;
+ 	// atTime = determine_reasonable_time(cert);
+ 	eTime = SEC_PKCS7GetSigningTime(cinfo);
+ 	if (eTime != NULL) {
+-		if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess)
+-			atTime = determine_reasonable_time(cert);
+-	} else {
+-		atTime = determine_reasonable_time(cert);
++		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
++			if (earlyNow < atTime)
++				earlyNow = atTime;
++			if (lateNow > atTime)
++				lateNow = atTime;
++		}
+ 	}
++
++	if (lateNow < earlyNow)
++		printf("Impossible time constraints: %ld <= %ld\n",
++		       earlyNow / 1000000, lateNow / 1000000);
++	atTime = earlyNow / 2 + lateNow / 2;
++
+ 	/* Verify the signature */
+ 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
+ 						certUsageObjectSigner,
+-- 
+2.13.4
+

SOURCES/0018-show-which-db-we-re-checking.patch

@@ -0,0 +1,137 @@
+From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 25 Apr 2017 16:58:50 -0400
+Subject: [PATCH 18/29] show which db we're checking
+
+---
+ src/certdb.c             | 35 ++++++++++++++++++++++++++++++++++-
+ src/pesigcheck_context.c |  2 ++
+ src/pesigcheck_context.h |  1 +
+ 3 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/src/certdb.c b/src/certdb.c
+index 1a4baf1..673e074 100644
+--- a/src/certdb.c
++++ b/src/certdb.c
+@@ -18,6 +18,7 @@
+  */
+ 
+ #include <fcntl.h>
++#include <libgen.h>
+ #include <sys/mman.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
+ 		return -1;
+ 
+ 	db->type = type;
+-
+ 	db->fd = open(dbfile, O_RDONLY);
+ 	if (db->fd < 0) {
+ 		save_errno(free(db));
+ 		return -1;
+ 	}
+ 
++	char *path = strdup(dbfile);
++	if (!path) {
++		save_errno(close(db->fd);
++			   free(db));
++		return -1;
++	}
++
++	db->path = basename(path);
++	db->path = strdup(db->path);
++	free(path);
++	if (!db->path) {
++		save_errno(close(db->fd);
++			   free(db));
++		return -1;
++	}
++
+ 	struct stat sb;
+ 	int rc = fstat(db->fd, &sb);
+ 	if (rc < 0) {
+ 		save_errno(close(db->fd);
++			   free(db->path);
+ 			   free(db));
+ 		return -1;
+ 	}
+@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
+ 		rc = read_file(db->fd, (char **)&db->map, &sz);
+ 		if (rc < 0) {
+ 			save_errno(close(db->fd);
++				   free(db->path);
+ 				   free(db));
+ 			return -1;
+ 		}
+@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename)
+ #define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
+ #define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
+ #define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
++#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23"
+ 
+ void
+ init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
+@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
+ 			"database \"%s\": %m\n", DBX_PATH);
+ 		exit(1);
+ 	}
++
++	rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR);
++	if (rc < 0 && errno != ENOENT) {
++		fprintf(stderr, "pesigcheck: Could not add key database "
++			"\"%s\": %m\n", MOKX_PATH);
++		exit(1);
++	}
++
++	if (ctx->dbx == NULL) {
++		fprintf(stderr, "pesigcheck: warning: "
++			"No key recovation database available\n");
++	}
+ }
+ 
+ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
+@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
+ 	sig.type = siBuffer;
+ 
+ 	while (dbl) {
++		printf("Searching %s %s\n", which == DB ? "db" : "dbx",
++		       dbl->path);
+ 		EFI_SIGNATURE_LIST *certlist;
+ 		EFI_SIGNATURE_DATA *cert;
+ 		size_t dbsize = dbl->datalen;
+diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c
+index b934cbe..5a355b1 100644
+--- a/src/pesigcheck_context.c
++++ b/src/pesigcheck_context.c
+@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
+ 		munmap(db->map, db->size);
+ 		close(db->fd);
+ 		ctx->db = db->next;
++		free(db->path);
+ 		free(db);
+ 	}
+ 	while (ctx->dbx) {
+@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
+ 		if (db->type == DB_CERT)
+ 			free(db->data);
+ 		munmap(db->map, db->size);
++		free(db->path);
+ 		close(db->fd);
+ 		ctx->dbx = db->next;
+ 		free(db);
+diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
+index 1b916e3..7b5cc89 100644
+--- a/src/pesigcheck_context.h
++++ b/src/pesigcheck_context.h
+@@ -34,6 +34,7 @@ typedef enum {
+ 
+ struct dblist {
+ 	db_f_type type;
++	char *path;
+ 	int fd;
+ 	struct dblist *next;
+ 	size_t size;
+-- 
+2.13.4
+

SOURCES/0019-more-about-the-time.patch

@@ -0,0 +1,97 @@
+From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 25 Apr 2017 17:00:46 -0400
+Subject: [PATCH 19/29] more about the time
+
+---
+ src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 33 insertions(+), 26 deletions(-)
+
+diff --git a/src/certdb.c b/src/certdb.c
+index 673e074..1078a8a 100644
+--- a/src/certdb.c
++++ b/src/certdb.c
+@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ 	PRBool result;
+ 	SECStatus rv;
+ 	db_status status = NOT_FOUND;
++	PRTime atTime = PR_Now();
++	SECItem *eTime;
+ 	PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
+-	PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
++	PRTime notBefore, notAfter;
+ 
+ 	efi_guid_t efi_x509 = efi_guid_x509_cert;
+ 
+@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ 	if (!cinfo)
+ 		goto out;
+ 
++	notBefore = earlyNow;
++	notAfter = lateNow;
++	find_cert_times(cinfo, &notBefore, &notAfter);
++	if (earlyNow < notBefore)
++		earlyNow = notBefore;
++	if (lateNow > notAfter)
++		lateNow = notAfter;
++
++	// atTime = determine_reasonable_time(cert);
++	eTime = SEC_PKCS7GetSigningTime(cinfo);
++	if (eTime != NULL) {
++		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
++			if (earlyNow < atTime)
++				earlyNow = atTime;
++			if (lateNow > atTime)
++				lateNow = atTime;
++		}
++	}
++
++	if (lateNow < earlyNow)
++		printf("Signature has impossible time constraint: %ld <= %ld\n",
++		       earlyNow / 1000000, lateNow / 1000000);
++	atTime = earlyNow / 2 + lateNow / 2;
++
++
++	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
++				    NULL, NULL);
++	if (!cinfo)
++		goto out;
++
+ 	/* Generate the digest of contentInfo */
+ 	/* XXX support only sha256 for now */
+ 	digest = SECITEM_AllocItem(NULL, NULL, 32);
+@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ 			PORT_ErrorToString(PORT_GetError()));
+ 		goto out;
+ 	}
+-	cert->timeOK = PR_TRUE;
+-
+-	find_cert_times(cinfo, &notBefore, &notAfter);
+-	if (earlyNow < notBefore)
+-		earlyNow = notBefore;
+-	if (lateNow > notAfter)
+-		lateNow = notAfter;
+-
+-	SECItem *eTime;
+-	PRTime atTime;
+-	// atTime = determine_reasonable_time(cert);
+-	eTime = SEC_PKCS7GetSigningTime(cinfo);
+-	if (eTime != NULL) {
+-		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+-			if (earlyNow < atTime)
+-				earlyNow = atTime;
+-			if (lateNow > atTime)
+-				lateNow = atTime;
+-		}
+-	}
+-
+-	if (lateNow < earlyNow)
+-		printf("Impossible time constraints: %ld <= %ld\n",
+-		       earlyNow / 1000000, lateNow / 1000000);
+-	atTime = earlyNow / 2 + lateNow / 2;
+ 
+ 	/* Verify the signature */
+ 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
+-- 
+2.13.4
+

SOURCES/0020-try-to-say-why-something-fails.patch

@@ -0,0 +1,419 @@
+From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 25 Apr 2017 17:01:13 -0400
+Subject: [PATCH 20/29] try to say why something fails
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/certdb.c             |  15 ++-
+ src/certdb.h             |   2 +-
+ src/pesigcheck.c         | 244 ++++++++++++++++++++++++++++++++++++++++++-----
+ src/pesigcheck_context.h |   1 +
+ 4 files changed, 233 insertions(+), 29 deletions(-)
+
+diff --git a/src/certdb.c b/src/certdb.c
+index 1078a8a..fae80af 100644
+--- a/src/certdb.c
++++ b/src/certdb.c
+@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
+ 
+ static db_status
+ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
+-	 void *data, ssize_t datalen)
++	 void *data, ssize_t datalen, SECItem *match)
+ {
+ 	SECItem pkcs7sig, sig;
+ 	dblist *dbl = which == DB ? ctx->db : ctx->dbx;
+@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
+ 				found = check(ctx, &sig,
+ 					      &certlist->SignatureType,
+ 					      &pkcs7sig);
+-				if (found == FOUND)
++				if (found == FOUND) {
++					if (match)
++						memcpy(match, &sig,
++						       sizeof(sig));
+ 					return FOUND;
++				}
+ 				cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +
+ 				        certlist->SignatureSize);
+ 			}
+@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ db_status
+ check_db_hash(db_specifier which, pesigcheck_context *ctx)
+ {
+-	return check_db(which, ctx, check_hash, NULL, 0);
++	return check_db(which, ctx, check_hash, NULL, 0, NULL);
+ }
+ 
+ static void
+@@ -459,7 +463,8 @@ out:
+ }
+ 
+ db_status
+-check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)
++check_db_cert(db_specifier which, pesigcheck_context *ctx,
++	      void *data, ssize_t datalen, SECItem *match)
+ {
+-	return check_db(which, ctx, check_cert, data, datalen);
++	return check_db(which, ctx, check_cert, data, datalen, match);
+ }
+diff --git a/src/certdb.h b/src/certdb.h
+index ccf3c87..8402299 100644
+--- a/src/certdb.h
++++ b/src/certdb.h
+@@ -43,7 +43,7 @@ typedef struct {
+ 
+ extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
+ extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
+-				void *data, ssize_t datalen);
++				void *data, ssize_t datalen, SECItem *match);
+ 
+ extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
+ extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
+diff --git a/src/pesigcheck.c b/src/pesigcheck.c
+index d7be542..c8e1086 100644
+--- a/src/pesigcheck.c
++++ b/src/pesigcheck.c
+@@ -17,7 +17,9 @@
+  * Author(s): Peter Jones <pjones@redhat.com>
+  */
+ 
++#include <err.h>
+ #include <fcntl.h>
++#include <stdbool.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)
+ }
+ 
+ static int
+-cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
++cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,
++		    SECItem *digest_out)
+ {
+ 	SECItem sig, *pe_digest, *content;
+ 	uint8_t *digest;
+@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
+ 	pe_digest = ctx->cms_ctx->digests[0].pe_digest;
+ 	content = cinfo->content.signedData->contentInfo.content.data;
+ 	digest = content->data + content->len - pe_digest->len;
++	if (digest_out) {
++		digest_out->data = malloc(pe_digest->len);
++		digest_out->len = pe_digest->len;
++		digest_out->type = pe_digest->type;
++		memcpy(digest_out->data, digest, pe_digest->len);
++	}
+ 	if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)
+ 		goto out;
+ 
+@@ -120,22 +129,149 @@ out:
+ 	return ret;
+ }
+ 
++struct reason {
++	enum {
++		WHITELISTED = 0,
++		INVALID = 1,
++		BLACKLISTED = 2,
++		NO_WHITELIST = 3,
++	} reason;
++	enum {
++		NONE = 0,
++		DIGEST = 1,
++		SIGNATURE = 2,
++	} type;
++	union {
++		struct {
++			SECItem digest;
++		};
++		struct {
++			SECItem sig;
++			SECItem db_cert;
++		};
++	};
++};
++
++static void
++print_digest(SECItem *digest)
++{
++	char buf[digest->len * 2 + 2];
++
++	for (unsigned int i = 0; i < digest->len; i++)
++		snprintf(buf + i * 2, digest->len * 2, "%02x",
++			 digest->data[i]);
++	buf[digest->len * 2] = '\0';
++	printf("%s\n", buf);
++}
++
++static void
++print_certificate(SECItem *cert)
++{
++	printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
++	printf("cert: %p\n", cert);
++}
++
++static void
++print_signatures(SECItem *database_cert, SECItem *signature)
++{
++	printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
++	print_certificate(database_cert);
++	print_certificate(signature);
++}
++
++static void
++print_reason(struct reason *reason)
++{
++	switch (reason->reason) {
++	case WHITELISTED:
++		printf("Whitelist entry: ");
++		if (reason->type == DIGEST)
++			print_digest(&reason->digest);
++		else if (reason->type == SIGNATURE)
++			print_signatures(&reason->sig, &reason->db_cert);
++		else
++			errx(1, "Unknown data type %d\n", reason->type);
++		break;
++	case INVALID:
++		if (reason->type == DIGEST) {
++			printf("Invalid digest: ");
++			print_digest(&reason->digest);
++		} else if (reason->type == SIGNATURE) {
++			printf("Invalid signature: ");
++			print_signatures(&reason->sig, &reason->db_cert);
++		} else {
++			errx(1, "Unknown data type %d\n", reason->type);
++		}
++		break;
++	case BLACKLISTED:
++		if (reason->type == DIGEST) {
++			printf("Invalid digest: ");
++			print_digest(&reason->digest);
++		} else if (reason->type == SIGNATURE) {
++			printf("Invalid signature: ");
++			print_signatures(&reason->sig, &reason->db_cert);
++		} else {
++			errx(1, "Unknown data type %d\n", reason->type);
++		}
++		break;
++	case NO_WHITELIST:
++		if (reason->type == NONE)
++			printf("No matching whitelist entry.\n");
++		else
++			errx(1, "Invalid data type %d\n", reason->type);
++		break;
++	default:
++		errx(1, "Unknown reason type %d\n", reason->reason);
++		break;
++	}
++}
++
++static void
++get_digest(pesigcheck_context *ctx, SECItem *digest)
++{
++	struct cms_context *cms = ctx->cms_ctx;
++	struct digest *cms_digest = &cms->digests[cms->selected_digest];
++
++	memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
++}
++
+ static int
+-check_signature(pesigcheck_context *ctx)
++check_signature(pesigcheck_context *ctx, int *nreasons,
++		struct reason **reasons)
+ {
+-	int has_valid_cert = 0;
+-	int has_invalid_cert = 0;
++	bool has_valid_cert = false;
++	bool is_invalid = false;
++	struct reason *reasonps = NULL, *reason;
++	int num_reasons = 16;
++	int nreason = 0;
+ 	int rc = 0;
++	int ret = -1;
+ 
+ 	cert_iter iter;
+ 
++	reasonps = calloc(sizeof(struct reason), 512);
++	if (!reasonps)
++		err(1, "check_signature");
++
+ 	generate_digest(ctx->cms_ctx, ctx->inpe, 1);
+ 
+-	if (check_db_hash(DBX, ctx) == FOUND)
+-		return -1;
++	if (check_db_hash(DBX, ctx) == FOUND) {
++		reason = &reasonps[nreason];
++		reason->reason = BLACKLISTED;
++		reason->type = DIGEST;
++		get_digest(ctx, &reason->digest);
++		reason += 1;
++		is_invalid = true;
++	}
+ 
+-	if (check_db_hash(DB, ctx) == FOUND)
+-		has_valid_cert = 1;
++	if (check_db_hash(DB, ctx) == FOUND) {
++		reason = &reasonps[nreason];
++		reason->reason = WHITELISTED;
++		reason->type = DIGEST;
++		get_digest(ctx, &reason->digest);
++		nreason += 1;
++		has_valid_cert = true;
++	}
+ 
+ 	rc = cert_iter_init(&iter, ctx->inpe);
+ 	if (rc < 0)
+@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)
+ 	ssize_t datalen;
+ 
+ 	while (1) {
++		/*
++		 * Make sure we always have enough for this iteration of the
++		 * loop, plus one "NO_WHITELIST" entry at the end.
++		 */
++		if (nreason >= num_reasons - 4) {
++			struct reason *new_reasons;
++
++			num_reasons += 16;
++
++			new_reasons = calloc(sizeof(struct reason), num_reasons);
++			if (!new_reasons)
++				err(1, "check_signature");
++			reasonps = new_reasons;
++		}
++
+ 		rc = next_cert(&iter, &data, &datalen);
+ 		if (rc <= 0)
+ 			break;
+ 
+-		if (cert_matches_digest(ctx, data, datalen) < 0) {
+-			has_invalid_cert = 1;
+-			break;
++		reason = &reasonps[nreason];
++		if (cert_matches_digest(ctx, data, datalen,
++					&reason->digest) < 0) {
++			reason->reason = INVALID;
++			reason->type = DIGEST;
++			nreason += 1;
++			is_invalid = true;
+ 		}
+ 
+-		if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {
+-			has_invalid_cert = 1;
+-			break;
++		reason = &reasonps[nreason];
++		if (check_db_cert(DBX, ctx, data, datalen,
++				  &reason->db_cert) == FOUND) {
++			reason->reason = INVALID;
++			reason->type = SIGNATURE;
++			reason->sig.data = data;
++			reason->sig.len = datalen;
++			reason->type = siBuffer;
++			nreason += 1;
++			is_invalid = true;
+ 		}
+ 
+-		if (check_db_cert(DB, ctx, data, datalen) == FOUND)
+-			has_valid_cert = 1;
++		reason = &reasonps[nreason];
++		if (check_db_cert(DB, ctx, data, datalen,
++				  &reason->db_cert) == FOUND) {
++			reason->reason = WHITELISTED;
++			reason->type = SIGNATURE;
++			reason->sig.data = data;
++			reason->sig.len = datalen;
++			reason->type = siBuffer;
++			nreason += 1;
++			has_valid_cert = true;
++		}
+ 	}
+ 
+ err:
+-	if (has_invalid_cert)
+-		return -1;
++	if (has_valid_cert != true) {
++		if (is_invalid != true) {
++			reason = &reasonps[nreason];
++			reason->reason = NO_WHITELIST;
++			reason->type = NONE;
++			nreason += 1;
++		}
++		is_invalid = true;
++	}
+ 
+-	if (has_valid_cert)
+-		return 0;
++	if (is_invalid == false)
++		ret = 0;
+ 
+-	return -1;
++	if (nreasons && reasons) {
++		*nreasons = nreason;
++		*reasons = reasonps;
++	} else {
++		free(reasonps);
++	}
++
++	return ret;
+ }
+ 
+ void
+@@ -204,6 +389,9 @@ main(int argc, char *argv[])
+ 
+ 	pesigcheck_context ctx, *ctxp = &ctx;
+ 
++	struct reason *reasons = NULL;
++	int nreasons = 0;
++
+ 	char *dbfile = NULL;
+ 	char *dbxfile = NULL;
+ 	char *certfile = NULL;
+@@ -242,6 +430,12 @@ main(int argc, char *argv[])
+ 		 .arg = &ctx.quiet,
+ 		 .val = 1,
+ 		 .descrip = "return only; no text output." },
++		{.longName = "verbose",
++		 .shortName = 'v',
++		 .argInfo = POPT_BIT_SET,
++		 .arg = &ctx.verbose,
++		 .val = 1,
++		 .descrip = "print reasons for success and failure." },
+ 		{.longName = "no-system-db",
+ 		 .shortName = 'n',
+ 		 .argInfo = POPT_ARG_INT,
+@@ -308,12 +502,16 @@ main(int argc, char *argv[])
+ 		exit(1);
+ 	}
+ 
+-	rc = check_signature(ctxp);
++	rc = check_signature(ctxp, &nreasons, &reasons);
+ 
+-	close_input(ctxp);
++	if (!ctx.quiet && ctx.verbose) {
++		for (int i = 0; i < nreasons; i++)
++			print_reason(&reasons[i]);
++	}
+ 	if (!ctx.quiet)
+ 		printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,
+ 			rc >= 0 ? "valid" : "invalid");
++	close_input(ctxp);
+ 	pesigcheck_context_fini(&ctx);
+ 
+ 	NSS_Shutdown();
+diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
+index 7b5cc89..aec415e 100644
+--- a/src/pesigcheck_context.h
++++ b/src/pesigcheck_context.h
+@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {
+ 	Pe *inpe;
+ 
+ 	int quiet;
++	int verbose;
+ 
+ 	hashlist *hashes;
+ 
+-- 
+2.13.4
+

SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch

@@ -0,0 +1,34 @@
+From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Sat, 6 May 2017 22:45:34 +0200
+Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword
+
+A side effect of echoOff is to discard unread input, so if we print the
+prompt before echoOff, the user (or process) at the other end might
+react to it by writing the password in between those steps, which is
+then discarded.  This bit me when trying to drive pesign with an expect
+script.
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+---
+ src/password.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/password.c b/src/password.c
+index cd1c07e..d4eae0d 100644
+--- a/src/password.c
++++ b/src/password.c
+@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
+     for (;;) {
+ 	/* Prompt for password */
+ 	if (isTTY) {
++	    echoOff(infd);
+ 	    fprintf(output, "%s", prompt);
+             fflush (output);
+-	    echoOff(infd);
+ 	}
+ 
+ 	fgets ( phrase, sizeof(phrase), input);
+-- 
+2.13.4
+

SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch

@@ -0,0 +1,27 @@
+From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
+From: David Michael <david.michael@coreos.com>
+Date: Tue, 13 Jun 2017 13:20:16 -0700
+Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime
+
+This better supports non-systemd configurations with tmpfs on /run.
+---
+ src/pesign.sysvinit.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
+index d8fffca..dc508d8 100644
+--- a/src/pesign.sysvinit.in
++++ b/src/pesign.sysvinit.in
+@@ -20,6 +20,9 @@ RETVAL=0
+ 
+ start(){
+     echo -n "Starting pesign: "
++    mkdir /var/run/pesign 2>/dev/null &&
++        chown pesign:pesign /var/run/pesign &&
++        chmod 0770 /var/run/pesign
+     daemon /usr/bin/pesign --daemonize
+     RETVAL=$?
+     echo
+-- 
+2.13.4
+

SOURCES/0023-Better-authorization-scripts.-Again.patch

@@ -0,0 +1,217 @@
+From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 8 Aug 2017 15:44:44 -0400
+Subject: [PATCH 23/29] Better authorization scripts.  Again.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/Makefile                | 12 ++++++----
+ src/pesign-authorize        | 56 +++++++++++++++++++++++++++++++++++++++++++++
+ src/pesign-authorize-groups | 30 ------------------------