setfacl u:kojibuilder:rw /var/run/pesign/socket
- Fix command line checking in client - Add client stdin pin reading.
This commit is contained in:
Peter Jones
parent
9e2491cafb
commit
b58922c480
@ -1,7 +1,7 @@
|
||||
From 406a08cc45a2d0761294002d946ee3381a4706ee Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 09:53:07 -0400
|
||||
Subject: [PATCH 01/36] Use PK11_TraverseCertsForNicknameInSlot after all.
|
||||
Subject: [PATCH 01/41] Use PK11_TraverseCertsForNicknameInSlot after all.
|
||||
|
||||
As of 76bc13c it doesn't appear to be leaky any more, and it does a
|
||||
better job of disinguishing between certificates with the same nickname
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From e4aa0a2755d7b00e31760a7f90561b0566445fa4 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 09:54:10 -0400
|
||||
Subject: [PATCH 02/36] Remove an unused field.
|
||||
Subject: [PATCH 02/41] Remove an unused field.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From df5afd0e6d92f31a804f5f1631b6fae3b8ef4d8b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 09:54:37 -0400
|
||||
Subject: [PATCH 03/36] Free the certificate list we make once we're done
|
||||
Subject: [PATCH 03/41] Free the certificate list we make once we're done
|
||||
using it.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From c13cc0b03dcae9a743cc49aaa62c3923a3e7d8f9 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 09:55:02 -0400
|
||||
Subject: [PATCH 04/36] Make sure we actually look up the certificate when not
|
||||
Subject: [PATCH 04/41] Make sure we actually look up the certificate when not
|
||||
in daemon mode.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 844138e07535a8aa2be80496378c9929acaa1687 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 10:35:41 -0400
|
||||
Subject: [PATCH 05/36] Fix check for allocations on tokenname,certname.
|
||||
Subject: [PATCH 05/41] Fix check for allocations on tokenname,certname.
|
||||
|
||||
If we didn't have anything to start with, we won't have anything when
|
||||
we're done...
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 682233d107460b49071017b4d88c0430373dbd35 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 10:55:25 -0400
|
||||
Subject: [PATCH 06/36] Update valgrind.supp for newer codepaths.
|
||||
Subject: [PATCH 06/41] Update valgrind.supp for newer codepaths.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 81bf0e36a82a3d746a01aee50d8ee460dc794b19 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 10:57:20 -0400
|
||||
Subject: [PATCH 07/36] Free the pid string once we're done writing it.
|
||||
Subject: [PATCH 07/41] Free the pid string once we're done writing it.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 50c50c8fbebab3d8b5efff35dc1a7ca4b44d6b19 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 11:08:30 -0400
|
||||
Subject: [PATCH 08/36] [valgrind] Don't complain about unlocking a key and
|
||||
Subject: [PATCH 08/41] [valgrind] Don't complain about unlocking a key and
|
||||
keeping the handle.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From b71f1d2e8f7ad6853e5e68134a66baf9dea2471b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 11:26:04 -0400
|
||||
Subject: [PATCH 09/36] Only try to register OIDs once.
|
||||
Subject: [PATCH 09/41] Only try to register OIDs once.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From f966137c17f74fc3e343dfb6e04300a9d179de03 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 12:05:29 -0400
|
||||
Subject: [PATCH 10/36] Check for NSS_Shutdown() failure.
|
||||
Subject: [PATCH 10/41] Check for NSS_Shutdown() failure.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 0dddfd5e738232403220b0d18888f94fa0032a59 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 12:17:39 -0400
|
||||
Subject: [PATCH 11/36] Don't destroy stdin/stdout/stderr if we don't fork.
|
||||
Subject: [PATCH 11/41] Don't destroy stdin/stdout/stderr if we don't fork.
|
||||
|
||||
I like being able to read my error messages.
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 19c8e797d092e17f2882d249d5446728a76db050 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 14:29:30 -0400
|
||||
Subject: [PATCH 12/36] [valgrind] Add SECMOD_LoadModule codepath.
|
||||
Subject: [PATCH 12/41] [valgrind] Add SECMOD_LoadModule codepath.
|
||||
|
||||
This is called once when we initialize the database.
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 186b6d5d39a1feeaa5f9493d28dc4f53015d551d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 14:33:35 -0400
|
||||
Subject: [PATCH 13/36] Don't set up digests in cms_context_init.
|
||||
Subject: [PATCH 13/41] Don't set up digests in cms_context_init.
|
||||
|
||||
Move digest setup out of cms_context_init, so we can avoid leaking the
|
||||
reference to the digests by not having them in ctx->backup_cms in the
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From e1f8d4e38f4ad08fb407691a3f59edc19a1f15e2 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 14:41:18 -0400
|
||||
Subject: [PATCH 14/36] Do register_oids() where we're doing NSS_Init()
|
||||
Subject: [PATCH 14/41] Do register_oids() where we're doing NSS_Init()
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 092e3f81233655849156b0948a53f3b5f51b8c97 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 14:43:58 -0400
|
||||
Subject: [PATCH 15/36] Make daemon shutdown actually close the NSS databases
|
||||
Subject: [PATCH 15/41] Make daemon shutdown actually close the NSS databases
|
||||
and whatnot.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From b6ff405da1bf4627a40fc104457a539788c9f470 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 15:18:08 -0400
|
||||
Subject: [PATCH 16/36] Reformat a bunch of error messages to be vaguely
|
||||
Subject: [PATCH 16/41] Reformat a bunch of error messages to be vaguely
|
||||
consistent.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 8ffe6943f04d42314f81eb8b5e3350d4ccc41895 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 15:26:23 -0400
|
||||
Subject: [PATCH 17/36] Use PORT_ArenaStrdup() where appropriate.
|
||||
Subject: [PATCH 17/41] Use PORT_ArenaStrdup() where appropriate.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From c196b462ad5267e8ed20c0b855b9921268b22a7b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 15:26:47 -0400
|
||||
Subject: [PATCH 18/36] Minor whitespace fixes.
|
||||
Subject: [PATCH 18/41] Minor whitespace fixes.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 7a8c50f620c7484af9d750f484df8a6837e6b2a5 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 15:27:03 -0400
|
||||
Subject: [PATCH 19/36] [daemon] Make sure inpe is initialized before all
|
||||
Subject: [PATCH 19/41] [daemon] Make sure inpe is initialized before all
|
||||
error handling.
|
||||
|
||||
find_certificate() and set_up_inpe() errors wind up being at the same
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 66d3353e6d24c9e69ce71735c5aa4741717a6d68 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 15:31:15 -0400
|
||||
Subject: [PATCH 20/36] Allocate pesign_context rather than having it on the
|
||||
Subject: [PATCH 20/41] Allocate pesign_context rather than having it on the
|
||||
stack.
|
||||
|
||||
This way it won't try to re-initialize cms_context when it's cleaned up.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 444a514e1a7c9a27953f914cf416d559ef5be083 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 15:32:57 -0400
|
||||
Subject: [PATCH 21/36] [pesign] initialize nss only if we're not a daemon.
|
||||
Subject: [PATCH 21/41] [pesign] initialize nss only if we're not a daemon.
|
||||
|
||||
If it's a deamon, NSS_Init, register_oids, and setup_digests will be
|
||||
done in the daemon code, not in the normal tool code.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From a1ce809e199c7fbbd6f5c0e75f27a4234fcbd2bc Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 15:34:00 -0400
|
||||
Subject: [PATCH 22/36] Handle errors on pesign_context_init()
|
||||
Subject: [PATCH 22/41] Handle errors on pesign_context_init()
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 4ed91a1bb65769401c0fd6c1c5b2a3c64c0c1266 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 16:35:43 -0400
|
||||
Subject: [PATCH 23/36] Add sanity checking to make sure we don't emit
|
||||
Subject: [PATCH 23/41] Add sanity checking to make sure we don't emit
|
||||
uninitialized hashes.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From d8ead122f34375a496d280bcc803f730542ca78d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 17:47:49 -0400
|
||||
Subject: [PATCH 24/36] Make sure we free the token/cert we get from the
|
||||
Subject: [PATCH 24/41] Make sure we free the token/cert we get from the
|
||||
command line.
|
||||
|
||||
This probably needs some further examination, but valgrind likes what's
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 2030d382b49a1b957de829a67f74d9cc127c55ee Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 17:48:44 -0400
|
||||
Subject: [PATCH 25/36] [pesign] Only shut down nss in pesign.c if we're not
|
||||
Subject: [PATCH 25/41] [pesign] Only shut down nss in pesign.c if we're not
|
||||
the daemon.
|
||||
|
||||
The daemon does its own init and shutdown.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 4efe979d6b781e064fe1afa946753ead9e3bbb9d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 17:49:17 -0400
|
||||
Subject: [PATCH 26/36] Rework setup_digests() and teardown_digests()
|
||||
Subject: [PATCH 26/41] Rework setup_digests() and teardown_digests()
|
||||
|
||||
This fixes the problem I was seeing with empty content_info digests, and
|
||||
makes the code a /little/ bit cleaner in some ways.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 15cd554d35c5ea8d31671b346dffd84e27e7c6ec Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 17:52:57 -0400
|
||||
Subject: [PATCH 27/36] We shouldn't need
|
||||
Subject: [PATCH 27/41] We shouldn't need
|
||||
Environment=NSS_STRICT_NOFORK=DISABLED any more.
|
||||
|
||||
Since NSS_Init is called from the daemon now, we should get past its
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 1b94dd90f5a1c65df16ffe3b0619ce5dc0ca1f06 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Oct 2012 19:59:49 -0400
|
||||
Subject: [PATCH 28/36] Fix errors found by coverity.
|
||||
Subject: [PATCH 28/41] Fix errors found by coverity.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 95c0fe1d512fcdf3b397359fb0f54dc44e5947c2 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 18 Oct 2012 09:12:25 -0400
|
||||
Subject: [PATCH 29/36] Don't keep the DEPS list twice.
|
||||
Subject: [PATCH 29/41] Don't keep the DEPS list twice.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 44aad110fd3f0a12e1817d95047f882c4d8b0fce Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 18 Oct 2012 11:36:10 -0400
|
||||
Subject: [PATCH 30/36] Don't build util/ right now.
|
||||
Subject: [PATCH 30/41] Don't build util/ right now.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 4c13f6d393db0aa5ff5b327cb5e842ee21522236 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 18 Oct 2012 13:09:58 -0400
|
||||
Subject: [PATCH 31/36] Make "install_systemd" and "install_sysvinit" separate
|
||||
Subject: [PATCH 31/41] Make "install_systemd" and "install_sysvinit" separate
|
||||
targets
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From df1b69e304f2a7eb82e2f94e50f07099afbf4578 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 18 Oct 2012 13:10:28 -0400
|
||||
Subject: [PATCH 32/36] Get rid of an unnecessary allocation.
|
||||
Subject: [PATCH 32/41] Get rid of an unnecessary allocation.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 24a63eab7ddbe2be3ab6b25b04602d8e3fe5d775 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 18 Oct 2012 14:28:36 -0400
|
||||
Subject: [PATCH 33/36] Allow use of -e from rpm macro.
|
||||
Subject: [PATCH 33/41] Allow use of -e from rpm macro.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From e5c632516a2a31f3e184d0ca9d8ac5ceba1f9015 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 18 Oct 2012 14:55:07 -0400
|
||||
Subject: [PATCH 34/36] Make client use -e like pesign does, rather than
|
||||
Subject: [PATCH 34/41] Make client use -e like pesign does, rather than
|
||||
--detached.
|
||||
|
||||
This way we can use the same macros for them.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From f1a2f097cfb290951702251703abcd34ca0bf9e6 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 18 Oct 2012 15:13:11 -0400
|
||||
Subject: [PATCH 35/36] Fix shutdown by systemd to remove socket and pidfile.
|
||||
Subject: [PATCH 35/41] Fix shutdown by systemd to remove socket and pidfile.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 22308fbfb540b5215efb9ce96a4dfdce08ef9165 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 18 Oct 2012 15:16:05 -0400
|
||||
Subject: [PATCH 36/36] Make the macros use the default (fedora) signer if
|
||||
Subject: [PATCH 36/41] Make the macros use the default (fedora) signer if
|
||||
there's a daemon running.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
|
||||
28
0037-Fix-command-line-checking-for-s.patch
Normal file
28
0037-Fix-command-line-checking-for-s.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From abe7981ba049b23ae9c42da92559576c6e0cc53b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 19 Oct 2012 10:07:40 -0400
|
||||
Subject: [PATCH 37/41] Fix command line checking for -s.
|
||||
|
||||
Accidentally applied when not using -s. Woops.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/client.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/client.c b/src/client.c
|
||||
index 5e5399d..777197a 100644
|
||||
--- a/src/client.c
|
||||
+++ b/src/client.c
|
||||
@@ -496,7 +496,7 @@ main(int argc, char *argv[])
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- if (!outfile && !exportfile) {
|
||||
+ if (action & SIGN_BINARY && (!outfile && !exportfile)) {
|
||||
fprintf(stderr, "pesign-client: neither --outfile nor --export "
|
||||
"specified\n");
|
||||
exit(1);
|
||||
--
|
||||
1.7.12.1
|
||||
|
||||
178
0038-Add-support-to-read-the-pin-from-stdin-in-client.patch
Normal file
178
0038-Add-support-to-read-the-pin-from-stdin-in-client.patch
Normal file
@ -0,0 +1,178 @@
|
||||
From 8067d9bace148a254528fdf752f083d2a0debada Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 19 Oct 2012 10:08:26 -0400
|
||||
Subject: [PATCH 38/41] Add support to read the pin from stdin in client.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/client.c | 10 +++++++---
|
||||
src/password.c | 41 +++++++++++++++++++++++++++++++++++++++++
|
||||
src/password.h | 1 +
|
||||
src/signer_info.c | 45 +--------------------------------------------
|
||||
4 files changed, 50 insertions(+), 47 deletions(-)
|
||||
|
||||
diff --git a/src/client.c b/src/client.c
|
||||
index 777197a..1ec582b 100644
|
||||
--- a/src/client.c
|
||||
+++ b/src/client.c
|
||||
@@ -212,10 +212,14 @@ get_token_pin(int pinfd, char *pinfile, char *envname)
|
||||
|
||||
fclose(pinf);
|
||||
return pin;
|
||||
- } else
|
||||
- return strdup(getenv(envname));
|
||||
+ } else {
|
||||
+ pin = getenv(envname);
|
||||
+ if (pin)
|
||||
+ return strdup(pin);
|
||||
+ }
|
||||
|
||||
- return NULL;
|
||||
+ pin = readpw(NULL, PR_FALSE, NULL);
|
||||
+ return pin;
|
||||
}
|
||||
|
||||
static void
|
||||
diff --git a/src/password.c b/src/password.c
|
||||
index 100c584..c663955 100644
|
||||
--- a/src/password.c
|
||||
+++ b/src/password.c
|
||||
@@ -17,6 +17,7 @@
|
||||
* Author(s): Peter Jones <pjones@redhat.com>
|
||||
*/
|
||||
|
||||
+#include <limits.h>
|
||||
#include <stdlib.h>
|
||||
#include <termios.h>
|
||||
#include <unistd.h>
|
||||
@@ -289,4 +290,44 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+#if 0
|
||||
+#warning investigate killing readpw
|
||||
+#endif
|
||||
+char *
|
||||
+readpw(PK11SlotInfo *slot, PRBool retry, void *arg)
|
||||
+{
|
||||
+ struct termios sio, tio;
|
||||
+ char line[LINE_MAX], *p;
|
||||
|
||||
+ if (tcgetattr(fileno(stdin), &sio) < 0) {
|
||||
+ fprintf(stderr, "Could not read password from standard input.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ tio = sio;
|
||||
+ tio.c_lflag &= ~ECHO;
|
||||
+ if (tcsetattr(fileno(stdin), 0, &tio) < 0) {
|
||||
+ fprintf(stderr, "Could not read password from standard input.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ fprintf(stdout, "Enter passphrase for private key: ");
|
||||
+ if (fgets(line, sizeof(line), stdin) == NULL) {
|
||||
+ fprintf(stdout, "\n");
|
||||
+ tcsetattr(fileno(stdin), 0, &sio);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ fprintf(stdout, "\n");
|
||||
+ tcsetattr(fileno(stdin), 0, &sio);
|
||||
+
|
||||
+ p = line + strcspn(line, "\r\n");
|
||||
+ if (p != NULL)
|
||||
+ *p = '\0';
|
||||
+
|
||||
+ char *ret = strdup(line);
|
||||
+ memset(line, '\0', sizeof (line));
|
||||
+ if (!ret) {
|
||||
+ fprintf(stderr, "Could not read passphrase.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/src/password.h b/src/password.h
|
||||
index 853bd5a..bcbac44 100644
|
||||
--- a/src/password.h
|
||||
+++ b/src/password.h
|
||||
@@ -22,5 +22,6 @@
|
||||
extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
|
||||
extern char *get_password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg);
|
||||
extern char *get_password_fail(PK11SlotInfo *slot, PRBool retry, void *arg);
|
||||
+extern char *readpw(PK11SlotInfo *slot, PRBool retry, void *arg);
|
||||
|
||||
#endif /* PASSWORD_H */
|
||||
diff --git a/src/signer_info.c b/src/signer_info.c
|
||||
index 932b896..f755bf6 100644
|
||||
--- a/src/signer_info.c
|
||||
+++ b/src/signer_info.c
|
||||
@@ -19,10 +19,8 @@
|
||||
|
||||
#include "pesign.h"
|
||||
|
||||
-#include <limits.h>
|
||||
#include <string.h>
|
||||
#include <syslog.h>
|
||||
-#include <termios.h>
|
||||
#include <time.h>
|
||||
#include <unistd.h>
|
||||
|
||||
@@ -159,47 +157,6 @@ err:
|
||||
return -1;
|
||||
}
|
||||
|
||||
-#if 0
|
||||
-#warning investigate killing getpw
|
||||
-#endif
|
||||
-static char *getpw(PK11SlotInfo *slot, PRBool retry, void *arg)
|
||||
-{
|
||||
- struct termios sio, tio;
|
||||
- char line[LINE_MAX], *p;
|
||||
-
|
||||
- if (tcgetattr(fileno(stdin), &sio) < 0) {
|
||||
- fprintf(stderr, "Could not read password from standard input.\n");
|
||||
- return NULL;
|
||||
- }
|
||||
- tio = sio;
|
||||
- tio.c_lflag &= ~ECHO;
|
||||
- if (tcsetattr(fileno(stdin), 0, &tio) < 0) {
|
||||
- fprintf(stderr, "Could not read password from standard input.\n");
|
||||
- return NULL;
|
||||
- }
|
||||
-
|
||||
- fprintf(stdout, "Enter passphrase for private key: ");
|
||||
- if (fgets(line, sizeof(line), stdin) == NULL) {
|
||||
- fprintf(stdout, "\n");
|
||||
- tcsetattr(fileno(stdin), 0, &sio);
|
||||
- return NULL;
|
||||
- }
|
||||
- fprintf(stdout, "\n");
|
||||
- tcsetattr(fileno(stdin), 0, &sio);
|
||||
-
|
||||
- p = line + strcspn(line, "\r\n");
|
||||
- if (p != NULL)
|
||||
- *p = '\0';
|
||||
-
|
||||
- char *ret = strdup(line);
|
||||
- memset(line, '\0', sizeof (line));
|
||||
- if (!ret) {
|
||||
- fprintf(stderr, "Could not read passphrase.\n");
|
||||
- return NULL;
|
||||
- }
|
||||
- return ret;
|
||||
-}
|
||||
-
|
||||
static int
|
||||
sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
|
||||
{
|
||||
@@ -216,7 +173,7 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
|
||||
if (!oid)
|
||||
goto err;
|
||||
|
||||
- PK11_SetPasswordFunc(cms->func ? cms->func : getpw);
|
||||
+ PK11_SetPasswordFunc(cms->func ? cms->func : readpw);
|
||||
SECKEYPrivateKey *privkey = PK11_FindKeyByAnyCert(cms->cert,
|
||||
cms->pwdata ? cms->pwdata : NULL);
|
||||
if (!privkey) {
|
||||
--
|
||||
1.7.12.1
|
||||
|
||||
@ -0,0 +1,60 @@
|
||||
From 3ceb3eb5b1c36ead2a862bcec5e527f74dc91381 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 19 Oct 2012 10:08:49 -0400
|
||||
Subject: [PATCH 39/41] Fix token auth authentication failure error reporting.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/cms_common.c | 4 +++-
|
||||
src/daemon.c | 4 ++--
|
||||
2 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||
index 898ddfb..2f3683e 100644
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -316,6 +316,7 @@ unlock_nss_token(cms_context *cms)
|
||||
secuPWData pwdata_val = { 0, 0 };
|
||||
void *pwdata = cms->pwdata ? cms->pwdata : &pwdata_val;
|
||||
PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
|
||||
+ int rc = -1;
|
||||
|
||||
PK11SlotList *slots = NULL;
|
||||
slots = PK11_GetAllTokens(CKM_RSA_PKCS, PR_FALSE, PR_TRUE, pwdata);
|
||||
@@ -323,7 +324,7 @@ unlock_nss_token(cms_context *cms)
|
||||
cms->log(cms, LOG_ERR, "Could not find certificate \"%s\"",
|
||||
cms->tokenname);
|
||||
err:
|
||||
- return -1;
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
PK11SlotListElement *psle = NULL;
|
||||
@@ -351,6 +352,7 @@ err_slots:
|
||||
cms->log(cms, LOG_ERR, "Authentication failed for "
|
||||
"token \"%s\"", cms->tokenname);
|
||||
PK11_DestroySlotListElement(slots, &psle);
|
||||
+ rc = -2;
|
||||
goto err_slots;
|
||||
}
|
||||
}
|
||||
diff --git a/src/daemon.c b/src/daemon.c
|
||||
index 974a559..bf7485f 100644
|
||||
--- a/src/daemon.c
|
||||
+++ b/src/daemon.c
|
||||
@@ -204,10 +204,10 @@ malformed:
|
||||
cms_set_pw_callback(ctx->cms, get_password_fail);
|
||||
cms_set_pw_data(ctx->cms, NULL);
|
||||
|
||||
- if (rc < 0)
|
||||
+ if (rc == -1)
|
||||
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
|
||||
"could not find token \"%s\"", tn->value);
|
||||
- else
|
||||
+ else if (rc == 0)
|
||||
ctx->cms->log(ctx->cms, ctx->priority|LOG_NOTICE,
|
||||
"authentication succeeded for token \"%s\"",
|
||||
tn->value);
|
||||
--
|
||||
1.7.12.1
|
||||
|
||||
@ -0,0 +1,28 @@
|
||||
From 9c2daa8d3761b49961498cb9a9bbc8a37e05b0da Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 19 Oct 2012 10:19:39 -0400
|
||||
Subject: [PATCH 40/41] Use setfacl in sysvinit script to allow kojibuilder
|
||||
access.
|
||||
|
||||
---
|
||||
src/pesign.sysvinit | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit
|
||||
index f955e01..ea37c58 100644
|
||||
--- a/src/pesign.sysvinit
|
||||
+++ b/src/pesign.sysvinit
|
||||
@@ -24,6 +24,10 @@ start(){
|
||||
RETVAL=$?
|
||||
echo
|
||||
touch /var/lock/subsys/pesign
|
||||
+ setfacl -m u:kojibuilder:x /var/run/pesign
|
||||
+ setfacl -m u:kojibuilder:rw /var/run/pesign/socket
|
||||
+ setfacl -m g:kojibuilder:x /var/run/pesign
|
||||
+ setfacl -m g:kojibuilder:rw /var/run/pesign/socket
|
||||
}
|
||||
|
||||
stop(){
|
||||
--
|
||||
1.7.12.1
|
||||
|
||||
@ -0,0 +1,33 @@
|
||||
From 2bd84dcfbdf084bcfb3e6d7c26756ca3783cdae4 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 19 Oct 2012 10:20:40 -0400
|
||||
Subject: [PATCH 41/41] Don't return quite so immediately if we're the parent
|
||||
pid when daemonizing.
|
||||
|
||||
Long term we probably want to look for the socket and/or sigchld instead
|
||||
of this.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/daemon.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/daemon.c b/src/daemon.c
|
||||
index bf7485f..6951f0a 100644
|
||||
--- a/src/daemon.c
|
||||
+++ b/src/daemon.c
|
||||
@@ -885,8 +885,10 @@ daemonize(cms_context *cms_ctx, int do_fork)
|
||||
if (do_fork) {
|
||||
pid_t pid;
|
||||
|
||||
- if ((pid = fork()))
|
||||
+ if ((pid = fork())) {
|
||||
+ sleep(2);
|
||||
return 0;
|
||||
+ }
|
||||
}
|
||||
ctx.pid = getpid();
|
||||
write_pid_file(ctx.pid);
|
||||
--
|
||||
1.7.12.1
|
||||
|
||||
12
pesign.spec
12
pesign.spec
@ -1,7 +1,7 @@
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Name: pesign
|
||||
Version: 0.99
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Group: Development/System
|
||||
License: GPLv2
|
||||
URL: https://github.com/vathpela/pesign
|
||||
@ -53,6 +53,11 @@ Patch33: 0033-Allow-use-of-e-from-rpm-macro.patch
|
||||
Patch34: 0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch
|
||||
Patch35: 0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch
|
||||
Patch36: 0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch
|
||||
Patch37: 0037-Fix-command-line-checking-for-s.patch
|
||||
Patch38: 0038-Add-support-to-read-the-pin-from-stdin-in-client.patch
|
||||
Patch39: 0039-Fix-token-auth-authentication-failure-error-reportin.patch
|
||||
Patch40: 0040-Use-setfacl-in-sysvinit-script-to-allow-kojibuilder-.patch
|
||||
Patch41: 0041-Don-t-return-quite-so-immediately-if-we-re-the-paren.patch
|
||||
|
||||
%description
|
||||
This package contains the pesign utility for signing UEFI binaries as
|
||||
@ -117,6 +122,11 @@ exit 0
|
||||
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
|
||||
|
||||
%changelog
|
||||
* Fri Oct 19 2012 Peter Jones <pjones@redhat.com> - 0.99-7
|
||||
- setfacl u:kojibuilder:rw /var/run/pesign/socket
|
||||
- Fix command line checking in client
|
||||
- Add client stdin pin reading.
|
||||
|
||||
* Thu Oct 18 2012 Peter Jones <pjones@redhat.com> - 0.99-6
|
||||
- Automatically select daemon as signer when using rpm macros.
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user