import RHEL 10 Beta pkcs11-provider-0.5-5.el10

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,8 +1 @@
-/pkcs11-provider-0.2.tar.xz
-/pkcs11-provider-0.2.tar.xz.asc
-/pkcs11-provider-0.3.tar.xz
-/pkcs11-provider-0.3.tar.xz.asc
-/pkcs11-provider-0.5.tar.xz
-/pkcs11-provider-0.5.tar.xz.asc
-/pkcs11-provider-1.0.tar.xz
-/pkcs11-provider-1.0.tar.xz.asc
+pkcs11-provider-0.5.tar.xz

0001-Fix-peer-keys-domain-parameter-copying.patch

@@ -1,91 +0,0 @@
-From e4b44e81e8a4aa92ab62eca00eb046a99956b04d Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Thu, 13 Mar 2025 10:48:25 -0400
-Subject: [PATCH] Fix peer keys domain parameter copying
-
-OpenSSL assumes you can create a new EC key by copying the domain
-parameters from a peer key first (to establish a compatible key
-type for operations like ECDH), and only later generates the private key
-material.
-
-Better identify those keys by assigning the CKO_DOMAIN_PARAMETER class
-to them as parameters are set. We do not have a fully formed key at
-this point but we already have a bunch of parameters so this also
-allows to make decisions on what should or should not be changed anymore
-at this point. (for example this now will prevent re-importing other
-parameters over the "proto" key).
-
-Fixes #543
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
----
- src/objects.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/src/objects.c b/src/objects.c
-index 310e6a5..69688a0 100644
---- a/src/objects.c
-+++ b/src/objects.c
-@@ -574,6 +574,7 @@ CK_KEY_TYPE p11prov_obj_get_key_type(P11PROV_OBJ *obj)
-         switch (obj->class) {
-         case CKO_PRIVATE_KEY:
-         case CKO_PUBLIC_KEY:
-+        case CKO_DOMAIN_PARAMETERS:
-             return obj->data.key.type;
-         }
-     }
-@@ -638,6 +639,7 @@ CK_ULONG p11prov_obj_get_key_bit_size(P11PROV_OBJ *obj)
-         switch (obj->class) {
-         case CKO_PRIVATE_KEY:
-         case CKO_PUBLIC_KEY:
-+        case CKO_DOMAIN_PARAMETERS:
-             return obj->data.key.bit_size;
-         }
-     }
-@@ -650,6 +652,7 @@ CK_ULONG p11prov_obj_get_key_size(P11PROV_OBJ *obj)
-         switch (obj->class) {
-         case CKO_PRIVATE_KEY:
-         case CKO_PUBLIC_KEY:
-+        case CKO_DOMAIN_PARAMETERS:
-             return obj->data.key.size;
-         }
-     }
-@@ -4277,10 +4280,13 @@ CK_RV p11prov_obj_import_key(P11PROV_OBJ *key, CK_KEY_TYPE type,
- 
-     switch (class) {
-     case CKO_PUBLIC_KEY:
-+        key->class = CKO_PUBLIC_KEY;
-         return p11prov_obj_import_public_key(key, type, params);
-     case CKO_PRIVATE_KEY:
-+        key->class = CKO_PRIVATE_KEY;
-         return p11prov_obj_import_private_key(key, type, params);
-     case CKO_DOMAIN_PARAMETERS:
-+        key->class = CKO_DOMAIN_PARAMETERS;
-         return p11prov_obj_set_domain_params(key, type, params);
-     default:
-         P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
-@@ -4313,15 +4319,15 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
-         return CKR_KEY_INDIGESTIBLE;
-     }
- 
--    if (key->class == CK_UNAVAILABLE_INFORMATION) {
--        key->class = CKO_PUBLIC_KEY;
--    }
--
-     switch (key->data.key.type) {
-     case CKK_EC:
-     case CKK_EC_EDWARDS:
--        /* check that this is a public key */
--        if (key->class != CKO_PUBLIC_KEY) {
-+        /* if class is still "domain parameters" convert it to
-+         * a public key */
-+        if (key->class == CKO_DOMAIN_PARAMETERS) {
-+            key->class = CKO_PUBLIC_KEY;
-+        } else if (key->class != CKO_PUBLIC_KEY) {
-+            /* check that this is a public key */
-             P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
-                           "Invalid Key type, not a public key");
-             return CKR_KEY_INDIGESTIBLE;
--- 
-2.48.1
-

0001-Fix-types-for-old-32-bit-systems.patch

@@ -0,0 +1,49 @@
+From 9fa16b7fd398b62f06cb10892fe93dc574d67399 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 5 Jun 2024 11:22:35 -0400
+Subject: [PATCH] Fix types for old 32 bit systems
+
+On x86 CK_ULONG and size_t have different sizes, ensure we use
+compatible types on our helper functions.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ src/asymmetric_cipher.c | 4 ++--
+ src/util.h              | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/asymmetric_cipher.c b/src/asymmetric_cipher.c
+index 4d87b1c..3256fd2 100644
+--- a/src/asymmetric_cipher.c
++++ b/src/asymmetric_cipher.c
+@@ -251,12 +251,12 @@ static int p11prov_rsaenc_decrypt_init(void *ctx, void *provkey,
+ static int
+ p11prov_tls_constant_time_depadding(struct p11prov_rsaenc_ctx *encctx,
+                                     unsigned char *out, unsigned char *buf,
+-                                    size_t *out_size, CK_ULONG *ret_cond)
++                                    CK_ULONG *out_size, CK_ULONG *ret_cond)
+ {
+     unsigned char randbuf[SSL_MAX_MASTER_KEY_LENGTH];
+     CK_ULONG ver_cond = 0;
+     CK_ULONG cond = 0;
+-    size_t length = SSL_MAX_MASTER_KEY_LENGTH;
++    CK_ULONG length = SSL_MAX_MASTER_KEY_LENGTH;
+     int err;
+ 
+     /* always generate a random buffer, to constant_time swap in
+diff --git a/src/util.h b/src/util.h
+index bcbc2db..1b24666 100644
+--- a/src/util.h
++++ b/src/util.h
+@@ -120,7 +120,7 @@ static inline int constant_select_int(CK_ULONG cond, int a, int b)
+     return (int)((A & mask) | (B & ~mask));
+ }
+ 
+-static inline void constant_select_buf(CK_ULONG cond, size_t size,
++static inline void constant_select_buf(CK_ULONG cond, CK_ULONG size,
+                                        unsigned char *dst, unsigned char *a,
+                                        unsigned char *b)
+ {
+-- 
+2.45.0
+

0001-utils-Do-not-fail-if-non-mandatory-attribute-is-not-.patch

@@ -1,35 +0,0 @@
-From 577471d781d1ee0365f6739b1cfc1c9c566c893a Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 3 Mar 2025 15:54:07 +0100
-Subject: [PATCH] utils: Do not fail if non-mandatory attribute is not
- available
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- src/util.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/util.c b/src/util.c
-index 66a3bd0..a956f9d 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -34,10 +34,13 @@ CK_RV p11prov_fetch_attributes(P11PROV_CTX *ctx, P11PROV_SESSION *session,
-         unsigned long retrnums = 0;
-         for (size_t i = 0; i < attrnums; i++) {
-             if (q[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
--                /* This can't happen according to the algorithm described
--                 * in the spec when the call returns CKR_OK. */
-+                /* This means the attribute is valid, but not available for a
-+                 * given object. Just skip it, unless it is required */
-+                if (!attrs[i].required) {
-+                    continue;
-+                }
-                 ret = CKR_GENERAL_ERROR;
--                P11PROV_raise(ctx, ret, "Failed to get attributes");
-+                P11PROV_raise(ctx, ret, "Failed to get required attributes");
-                 goto done;
-             }
-             if (attrs[i].allocate) {
--- 
-2.48.1
-

0001-utils-Do-not-repeat-GetAttribute-calls-when-the-size.patch

@@ -1,28 +0,0 @@
-From cf6bcbb4edbe983691996f8fb126c6b143dc796d Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 3 Mar 2025 17:11:03 +0100
-Subject: [PATCH] utils: Do not repeat GetAttribute calls when the size query
- already failed
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- src/util.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/util.c b/src/util.c
-index bb1a389..3c72e8c 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -83,6 +83,9 @@ CK_RV p11prov_fetch_attributes(P11PROV_CTX *ctx, P11PROV_SESSION *session,
-                     if (attrs[i].required) {
-                         return ret;
-                     }
-+                    /* Invalid attribute: No need to call the function again for
-+                     * this attribute */
-+                    continue;
-                 } else {
-                     CK_ULONG len = attrs[i].attr.ulValueLen;
-                     if (len == CK_UNAVAILABLE_INFORMATION) {
--- 
-2.48.1
-

0001-utils-Handle-correctly-CK_UNAVAILABLE_INFORMATION-wh.patch

@@ -1,34 +0,0 @@
-From 02dc73fd441f9f87bd237a1fbd0a7cab9d948cbe Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 3 Mar 2025 17:10:17 +0100
-Subject: [PATCH] utils: Handle correctly CK_UNAVAILABLE_INFORMATION when
- reading attributes
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- src/util.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/util.c b/src/util.c
-index a956f9d..bb1a389 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -84,8 +84,13 @@ CK_RV p11prov_fetch_attributes(P11PROV_CTX *ctx, P11PROV_SESSION *session,
-                         return ret;
-                     }
-                 } else {
--                    attrs[i].attr.pValue =
--                        OPENSSL_zalloc(attrs[i].attr.ulValueLen + 1);
-+                    CK_ULONG len = attrs[i].attr.ulValueLen;
-+                    if (len == CK_UNAVAILABLE_INFORMATION) {
-+                        /* The attribute is known to the module, but not
-+                         * available on this object */
-+                        continue;
-+                    }
-+                    attrs[i].attr.pValue = OPENSSL_zalloc(len + 1);
-                     if (!attrs[i].attr.pValue) {
-                         ret = CKR_HOST_MEMORY;
-                         P11PROV_raise(ctx, ret, "Failed to get attributes");
--- 
-2.48.1
-

README.md

@@ -1,3 +0,0 @@
-# pkcs11-provider
-
-The pkcs11-provider package

ci.fmf

@@ -1,2 +0,0 @@
-resultsdb-testcase: separate
-

gating.yaml

@@ -1,7 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}

pkcs11-provider.spec

@@ -1,8 +1,18 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.5)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+    release_number = 5;
+    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+    print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
 #Enable gpg signature verification
 %bcond_with gpgcheck
 
 Name:          pkcs11-provider
-Version:       1.0
+Version:       0.5
 Release:       %autorelease
 Summary:       A PKCS#11 provider for OpenSSL 3.0+
 License:       Apache-2.0
@@ -14,11 +24,6 @@ Source2:       https://people.redhat.com/~ssorce/simo_redhat.asc
 %endif
 Source3:       pkcs11-provider.conf
 
-Patch1: 0001-utils-Do-not-fail-if-non-mandatory-attribute-is-not-.patch
-Patch2: 0001-utils-Handle-correctly-CK_UNAVAILABLE_INFORMATION-wh.patch
-Patch3: 0001-utils-Do-not-repeat-GetAttribute-calls-when-the-size.patch
-Patch4: 0001-Fix-peer-keys-domain-parameter-copying.patch
-
 BuildRequires: openssl-devel >= 3.0.7
 BuildRequires: gcc
 BuildRequires: meson
@@ -40,6 +45,7 @@ BuildRequires: gnutls-utils
 BuildRequires: xz
 BuildRequires: expect
 
+Patch01: 0001-Fix-types-for-old-32-bit-systems.patch
 
 %description
 This is an Openssl 3.x provider to access Hardware or Software Tokens using
@@ -82,4 +88,41 @@ install -m644 '%{SOURCE3}' \
 %config(noreplace) %{_sysconfdir}/pki/tls/openssl.d/pkcs11-provider.conf
 
 %changelog
-%autochangelog
+## START: Generated by rpmautospec
+* Wed Aug 07 2024 Ondrej Moris <omoris@redhat.com> - 0.5-5
+- Add RHEL-10 CI and gating configuration
+
+* Tue Aug 06 2024 Simo Sorce <simo@redhat.com> - 0.5-4
+- Add automatic configuration on install
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.5-3
+- Bump release for June 2024 mass rebuild
+
+* Wed Jun 05 2024 Simo Sorce <simo@redhat.com> - 0.5-2
+- Fix issue on i686 builds
+
+* Wed Jun 05 2024 Simo Sorce <simo@redhat.com> - 0.5-1
+- Update to version 0.5
+
+* Tue Feb 20 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 0.3-4
+- Revert "Temporarily disable softhsm test dependency"
+
+* Tue Feb 13 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 0.3-3
+- Temporarily disable softhsm test dependency
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Jan 22 2024 Simo Sorce <simo@redhat.com> - 0.3-1
+- Updato to version 0.3
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jul 18 2023 Sahana Prasad <sahana@redhat.com> - 0.2-1
+- Adding the sources and spec file to build the package Approved fedora
+  review bug rhbz#2211754
+## END: Generated by rpmautospec

plans/ci.fmf

@@ -1,11 +0,0 @@
-/fips-disabled-buildroot-disabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/pkcs11-provider
-      name: /plans/ci/fips-disabled-buildroot-disabled
-
-/fips-disabled-buildroot-enabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/pkcs11-provider
-      name: /plans/ci/fips-disabled-buildroot-enabled

sources

@@ -1,2 +1 @@
-SHA512 (pkcs11-provider-1.0.tar.xz) = 004eeb8816903a670abff51c150e50b93515aeeeb29af7cdf921578981326286ffc7432057abf8e9b4e35972800a8bf554255ace3f8bf2359c010cc343194798
-SHA512 (pkcs11-provider-1.0.tar.xz.asc) = a19bea50f056a5dbe66ed3fc21960107eb49eb893d25b5b32599388042124bb06776a34596191cddd20ab660e07dccc14d4fb593eb8a001f84c94a9a5d4dd3c4
+SHA512 (pkcs11-provider-0.5.tar.xz) = df292ba7da467608aad5343041708ccbe896422f21718092235ae3610035c91b57ffc6f4e495edd29c55f6f48d9c88f29e0c251ab5ff865f3b1554de37d1492d