- Resolves: rhbz#1272453 A marked as CA certificate cannot be written in a softhsmv2 db

softhsm-2.0.0-1272453-Issue162.patch

@@ -0,0 +1,201 @@
+diff -Naur softhsm-2.0.0-orig/src/lib/P11Attributes.cpp softhsm-2.0.0/src/lib/P11Attributes.cpp
+--- softhsm-2.0.0-orig/src/lib/P11Attributes.cpp	2015-06-01 07:28:14.000000000 -0400
++++ softhsm-2.0.0/src/lib/P11Attributes.cpp	2016-02-25 11:36:25.005775010 -0500
+@@ -482,15 +482,10 @@
+ }
+ 
+ // Update the value if allowed
+-CK_RV P11AttrClass::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op)
++CK_RV P11AttrClass::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
+ {
+ 	// Attribute specific checks
+ 
+-	if (op == OBJECT_OP_SET)
+-	{
+-		return CKR_ATTRIBUTE_READ_ONLY;
+-	}
+-
+ 	if (ulValueLen !=sizeof(CK_ULONG))
+ 	{
+ 		return CKR_ATTRIBUTE_VALUE_INVALID;
+@@ -516,15 +511,10 @@
+ }
+ 
+ // Update the value if allowed
+-CK_RV P11AttrKeyType::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op)
++CK_RV P11AttrKeyType::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
+ {
+ 	// Attribute specific checks
+ 
+-	if (op == OBJECT_OP_SET)
+-	{
+-		return CKR_ATTRIBUTE_READ_ONLY;
+-	}
+-
+ 	if (ulValueLen !=sizeof(CK_ULONG))
+ 	{
+ 		return CKR_ATTRIBUTE_VALUE_INVALID;
+@@ -552,15 +542,10 @@
+ }
+ 
+ // Update the value if allowed
+-CK_RV P11AttrCertificateType::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op)
++CK_RV P11AttrCertificateType::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
+ {
+ 	// Attribute specific checks
+ 
+-	if (op == OBJECT_OP_SET)
+-	{
+-		return CKR_ATTRIBUTE_READ_ONLY;
+-	}
+-
+ 	if (ulValueLen !=sizeof(CK_ULONG))
+ 	{
+ 		return CKR_ATTRIBUTE_VALUE_INVALID;
+@@ -586,22 +571,13 @@
+ }
+ 
+ // Update the value if allowed
+-CK_RV P11AttrToken::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op)
++CK_RV P11AttrToken::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
+ {
+ 	OSAttribute attrTrue(true);
+ 	OSAttribute attrFalse(false);
+ 
+ 	// Attribute specific checks
+ 
+-	if (op != OBJECT_OP_GENERATE &&
+-	    op != OBJECT_OP_DERIVE &&
+-	    op != OBJECT_OP_CREATE &&
+-	    op != OBJECT_OP_COPY &&
+-	    op != OBJECT_OP_UNWRAP)
+-	{
+-		return CKR_ATTRIBUTE_READ_ONLY;
+-	}
+-
+ 	if (ulValueLen !=sizeof(CK_BBOOL))
+ 	{
+ 		return CKR_ATTRIBUTE_VALUE_INVALID;
+@@ -633,22 +609,13 @@
+ }
+ 
+ // Update the value if allowed
+-CK_RV P11AttrPrivate::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op)
++CK_RV P11AttrPrivate::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
+ {
+ 	OSAttribute attrTrue(true);
+ 	OSAttribute attrFalse(false);
+ 
+ 	// Attribute specific checks
+ 
+-	if (op != OBJECT_OP_GENERATE &&
+-	    op != OBJECT_OP_DERIVE &&
+-	    op != OBJECT_OP_CREATE &&
+-	    op != OBJECT_OP_COPY &&
+-	    op != OBJECT_OP_UNWRAP)
+-	{
+-		return CKR_ATTRIBUTE_READ_ONLY;
+-	}
+-
+ 	if (ulValueLen !=sizeof(CK_BBOOL))
+ 	{
+ 		return CKR_ATTRIBUTE_VALUE_INVALID;
+@@ -680,22 +647,13 @@
+ }
+ 
+ // Update the value if allowed
+-CK_RV P11AttrModifiable::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op)
++CK_RV P11AttrModifiable::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
+ {
+ 	OSAttribute attrTrue(true);
+ 	OSAttribute attrFalse(false);
+ 
+ 	// Attribute specific checks
+ 
+-	if (op != OBJECT_OP_GENERATE &&
+-	    op != OBJECT_OP_DERIVE &&
+-	    op != OBJECT_OP_CREATE &&
+-	    op != OBJECT_OP_COPY &&
+-	    op != OBJECT_OP_UNWRAP)
+-	{
+-		return CKR_ATTRIBUTE_READ_ONLY;
+-	}
+-
+ 	if (ulValueLen !=sizeof(CK_BBOOL))
+ 	{
+ 		return CKR_ATTRIBUTE_VALUE_INVALID;
+@@ -738,22 +696,13 @@
+ }
+ 
+ // Update the value if allowed
+-CK_RV P11AttrCopyable::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op)
++CK_RV P11AttrCopyable::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
+ {
+ 	OSAttribute attrTrue(true);
+ 	OSAttribute attrFalse(false);
+ 
+ 	// Attribute specific checks
+ 
+-	if (op != OBJECT_OP_GENERATE &&
+-	    op != OBJECT_OP_DERIVE &&
+-	    op != OBJECT_OP_CREATE &&
+-	    op != OBJECT_OP_COPY &&
+-	    op != OBJECT_OP_UNWRAP)
+-	{
+-		return CKR_ATTRIBUTE_READ_ONLY;
+-	}
+-
+ 	if (ulValueLen !=sizeof(CK_BBOOL))
+ 	{
+ 		return CKR_ATTRIBUTE_VALUE_INVALID;
+@@ -955,15 +904,10 @@
+ }
+ 
+ // Update the value if allowed
+-CK_RV P11AttrCertificateCategory::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op)
++CK_RV P11AttrCertificateCategory::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
+ {
+ 	// Attribute specific checks
+ 
+-	if (op != OBJECT_OP_SET)
+-	{
+-		return CKR_ATTRIBUTE_READ_ONLY;
+-	}
+-
+ 	if (ulValueLen !=sizeof(CK_ULONG))
+ 	{
+ 		return CKR_ATTRIBUTE_VALUE_INVALID;
+@@ -1085,15 +1029,10 @@
+ }
+ 
+ // Update the value if allowed
+-CK_RV P11AttrJavaMidpSecurityDomain::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op)
++CK_RV P11AttrJavaMidpSecurityDomain::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
+ {
+ 	// Attribute specific checks
+ 
+-	if (op != OBJECT_OP_SET)
+-	{
+-		return CKR_ATTRIBUTE_READ_ONLY;
+-	}
+-
+ 	if (ulValueLen !=sizeof(CK_ULONG))
+ 	{
+ 		return CKR_ATTRIBUTE_VALUE_INVALID;
+@@ -1117,15 +1056,10 @@
+ }
+ 
+ // Update the value if allowed
+-CK_RV P11AttrNameHashAlgorithm::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op)
++CK_RV P11AttrNameHashAlgorithm::updateAttr(Token* /*token*/, bool /*isPrivate*/, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
+ {
+ 	// Attribute specific checks
+ 
+-	if (op != OBJECT_OP_SET)
+-	{
+-		return CKR_ATTRIBUTE_READ_ONLY;
+-	}
+-
+ 	if (ulValueLen !=sizeof(CK_ULONG))
+ 	{
+ 		return CKR_ATTRIBUTE_VALUE_INVALID;

softhsm.spec

@@ -3,7 +3,7 @@
 Summary: Software version of a PKCS#11 Hardware Security Module
 Name: softhsm
 Version: 2.0.0
-Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}.1
+Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz
@@ -12,6 +12,8 @@ Source2: softhsm.module
 # taken from coolkey which is not build on all arches we build on
 Source3: softhsm2-pk11install.c
 
+Patch1: softhsm-2.0.0-1272453-Issue162.patch
+
 Group: Applications/System
 BuildRequires: openssl-devel >= 1.0.1k-6, sqlite-devel >= 3.4.2, cppunit-devel
 BuildRequires: gcc-c++, pkgconfig, p11-kit-devel, nss-devel
@@ -44,6 +46,9 @@ The devel package contains the libsofthsm include files
 
 %prep
 %setup -q -n %{name}-%{version}%{?prever}
+
+%patch1 -p1
+
 %if 0%{?prever:1}
 autoreconf -fiv
 %endif
@@ -124,6 +129,9 @@ if [ -f /var/softhsm/slot0.db ]; then
 fi
 
 %changelog
+* Thu Feb 25 2016 Paul Wouters <pwouters@redhat.com> - 2.0.0-2
+- Resolves: rhbz#1272453 A marked as CA certificate cannot be written in a softhsmv2 db
+
 * Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild