From d59902d783de10dc10e3d6aefe1544fed5d0e2d0 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sat, 3 Dec 2022 04:15:12 +0000
Subject: [PATCH] import tpm2-pkcs11-1.6.0-1.el8
---
.gitignore | 2 +
.tpm2-pkcs11.metadata | 2 +
...-Backup-with-sqlite3-special-command.patch | 43 ++++
...stringop-overread-in-str_padded_copy.patch | 158 +++++++++++++++
...bug-log-message-from-str_padded_copy.patch | 30 +++
...t-re-encode-the-signed-data-when-imp.patch | 188 ++++++++++++++++++
SOURCES/0005-db-fix-upgrade-backup.patch | 78 ++++++++
.../0006-db-fix-upgrade-to-version-4.patch | 37 ++++
SOURCES/revert-require-py37.patch | 74 +++++++
SOURCES/tpm2-pkcs11-1.6.0.tar.gz.asc | 16 ++
SPECS/tpm2-pkcs11.spec | 186 +++++++++++++++++
11 files changed, 814 insertions(+)
create mode 100644 .gitignore
create mode 100644 .tpm2-pkcs11.metadata
create mode 100644 SOURCES/0001-Backup-with-sqlite3-special-command.patch
create mode 100644 SOURCES/0002-utils-fix-stringop-overread-in-str_padded_copy.patch
create mode 100644 SOURCES/0003-utils-remove-debug-log-message-from-str_padded_copy.patch
create mode 100644 SOURCES/0004-tpm2_ptool-do-not-re-encode-the-signed-data-when-imp.patch
create mode 100644 SOURCES/0005-db-fix-upgrade-backup.patch
create mode 100644 SOURCES/0006-db-fix-upgrade-to-version-4.patch
create mode 100644 SOURCES/revert-require-py37.patch
create mode 100644 SOURCES/tpm2-pkcs11-1.6.0.tar.gz.asc
create mode 100644 SPECS/tpm2-pkcs11.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0953b36
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/gpgkey-8E1F50C1.gpg
+SOURCES/tpm2-pkcs11-1.6.0.tar.gz
diff --git a/.tpm2-pkcs11.metadata b/.tpm2-pkcs11.metadata
new file mode 100644
index 0000000..3f102d0
--- /dev/null
+++ b/.tpm2-pkcs11.metadata
@@ -0,0 +1,2 @@
+46f82c0fdf30219e0d95c6e9291bbc708b315080 SOURCES/gpgkey-8E1F50C1.gpg
+80b9b8b11f1469e22682acb710a052ed396a43da SOURCES/tpm2-pkcs11-1.6.0.tar.gz
diff --git a/SOURCES/0001-Backup-with-sqlite3-special-command.patch b/SOURCES/0001-Backup-with-sqlite3-special-command.patch new file mode 100644 index 0000000..d45399f --- /dev/null +++ b/SOURCES/0001-Backup-with-sqlite3-special-command.patch @@ -0,0 +1,43 @@ +From fc21b98dced2c78f90f917c1a45a28184024d604 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Tue, 6 Sep 2022 16:54:33 +0200 +Subject: [PATCH 1/6] Backup with sqlite3 special command +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream uses method introduced in Python 3.7, but RHEL 8 uses +Python 3.6. This means that the method is not available and using the +command line interface seems to be the simplest solution. + +Signed-off-by: Štěpán Horáček +--- + tools/tpm2_pkcs11/db.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/tpm2_pkcs11/db.py b/tools/tpm2_pkcs11/db.py +index 7971028..1b18b8f 100644 +--- a/tools/tpm2_pkcs11/db.py ++++ b/tools/tpm2_pkcs11/db.py +@@ -6,6 +6,7 @@ import sys + import sqlite3 + import textwrap + import yaml ++import subprocess + + from .pkcs11t import ( + CKA_ALLOWED_MECHANISMS, +@@ -258,8 +259,8 @@ class Db(object): + if os.path.exists(dbpath): + raise RuntimeError("Backup DB exists at {} not overwriting. " + "Refusing to run".format(dbpath)) ++ subprocess.run(["sqlite3", self._path, ".backup {}".format(dbpath)]) + bck = sqlite3.connect(dbpath) +- con.backup(bck) + return (bck, dbpath) + + def _update_on_2(self, dbbakcon): +-- +2.38.1 + diff --git a/SOURCES/0002-utils-fix-stringop-overread-in-str_padded_copy.patch b/SOURCES/0002-utils-fix-stringop-overread-in-str_padded_copy.patch new file mode 100644 index 0000000..10dc9b1 --- /dev/null +++ b/SOURCES/0002-utils-fix-stringop-overread-in-str_padded_copy.patch 
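Review bot: `subprocess.run(["sqlite3", self._path, ".backup {}".format(dbpath)])` ignores the child's exit status, so a backup that fails (source database locked or unreadable, or the `.backup` argument mis-parsed because `dbpath` contains spaces or quotes) is not detected; execution falls through to `sqlite3.connect(dbpath)`, which creates an empty database, and the upgrade then proceeds against that instead of a copy of the token store. Pass `check=True` so a non-zero exit raises, and quote the path since the sqlite3 shell tokenizes dot-command arguments with quote support: `subprocess.run(["sqlite3", self._path, '.backup "{}"'.format(dbpath)], check=True)`. A missing `sqlite3` binary already surfaces as FileNotFoundError, which is the behaviour the `Requires: sqlite` in the spec is meant to prevent. The enclosing method continues outside the hunk.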
@@ -0,0 +1,158 @@ +From f633526b34c052514f3739cb1e08fdac38603eea Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Wed, 5 May 2021 11:52:23 -0500 +Subject: [PATCH 2/6] utils: fix stringop-overread in str_padded_copy + +cc1: all warnings being treated as errors +| make: *** [Makefile:1953: src/lib/slot.lo] Error 1 +| make: *** Waiting for unfinished jobs.... +| In file included from src/lib/mutex.h:10, +| from src/lib/session_ctx.h:6, +| from src/lib/digest.h:13, +| from src/lib/tpm.c:28: +| In function 'str_padded_copy', +| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5: +| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source size 5 [-Werror=stringop-overread] +| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len)); +| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +| src/lib/utils.h: In function 'tpm_get_token_info': +| src/lib/tpm.c:739:19: note: source object declared here +| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage +| | ^~~~~~~~~~~~~~ +| cc1: all warnings being treated as errors +| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1 +| WARNING: exit code 1 from a shell command. 
+ +Fixes #676 + +Signed-off-by: William Roberts +--- + src/lib/general.c | 8 ++++---- + src/lib/general.h | 2 +- + src/lib/slot.c | 4 ++-- + src/lib/token.c | 4 ++-- + src/lib/tpm.c | 7 +++---- + src/lib/utils.h | 6 ++++-- + 6 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/src/lib/general.c b/src/lib/general.c +index 9b7327c..eaddaf8 100644 +--- a/src/lib/general.c ++++ b/src/lib/general.c +@@ -19,8 +19,8 @@ + #define VERSION "UNKNOWN" + #endif + +-#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki" +-#define LIBRARY_MANUFACTURER (CK_UTF8CHAR_PTR)"tpm2-software.github.io" ++static const CK_UTF8CHAR LIBRARY_DESCRIPTION[] = "TPM2.0 Cryptoki"; ++static const CK_UTF8CHAR LIBRARY_MANUFACTURER[] = "tpm2-software.github.io"; + + #define CRYPTOKI_VERSION { \ + .major = CRYPTOKI_VERSION_MAJOR, \ +@@ -78,8 +78,8 @@ CK_RV general_get_info(CK_INFO *info) { + + static CK_INFO *_info = NULL; + if (!_info) { +- str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER, sizeof(_info_.manufacturerID)); +- str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION, sizeof(_info_.libraryDescription)); ++ str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER); ++ str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION); + + parse_lib_version(&_info_.libraryVersion.major, + &_info_.libraryVersion.minor); +diff --git a/src/lib/general.h b/src/lib/general.h +index 14a18e4..356c142 100644 +--- a/src/lib/general.h ++++ b/src/lib/general.h +@@ -10,7 +10,7 @@ + #define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token" + #define TPM2_TOKEN_MANUFACTURER "Intel" + #define TPM2_TOKEN_MODEL "TPM2 PKCS#11" +-#define TPM2_TOKEN_SERIAL_NUMBER "0000000000000000" ++static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; + #define TPM2_TOKEN_HW_VERSION { 0, 0 } + #define TPM2_TOKEN_FW_VERSION { 0, 0 } + +diff --git a/src/lib/slot.c b/src/lib/slot.c +index 548d22b..6db5bb9 100644 +--- a/src/lib/slot.c ++++ b/src/lib/slot.c +@@ -119,8 +119,8 @@ CK_RV 
slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) { + return CKR_GENERAL_ERROR; + } + +- str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID)); +- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription)); ++ str_padded_copy(info->manufacturerID, token_info.manufacturerID); ++ str_padded_copy(info->slotDescription, token_info.label); + + info->hardwareVersion = token_info.hardwareVersion; + info->firmwareVersion = token_info.firmwareVersion; +diff --git a/src/lib/token.c b/src/lib/token.c +index 6d7ebd2..c721129 100644 +--- a/src/lib/token.c ++++ b/src/lib/token.c +@@ -317,8 +317,8 @@ CK_RV token_get_info (token *t, CK_TOKEN_INFO *info) { + } + + // Identification +- str_padded_copy(info->label, t->label, sizeof(info->label)); +- str_padded_copy(info->serialNumber, (unsigned char*) TPM2_TOKEN_SERIAL_NUMBER, sizeof(info->serialNumber)); ++ str_padded_copy(info->label, t->label); ++ str_padded_copy(info->serialNumber, TPM2_TOKEN_SERIAL_NUMBER); + + + // Memory: TODO not sure what memory values should go here, the platform? +diff --git a/src/lib/tpm.c b/src/lib/tpm.c +index 1639df4..7f9f052 100644 +--- a/src/lib/tpm.c ++++ b/src/lib/tpm.c +@@ -740,15 +740,14 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) { + unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage + UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value); + memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t)); +- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID)); ++ str_padded_copy(info->manufacturerID, manufacturerID); + + // Map human readable Manufacturer String, if available, + // otherwise 4 byte ID was already padded and will be used. 
+ for (unsigned int i=0; i < ARRAY_LEN(TPM2_MANUFACTURER_MAP); i++){ + if (!strncasecmp((char *)info->manufacturerID, TPM2_MANUFACTURER_MAP[i][0], 4)) { + str_padded_copy(info->manufacturerID, +- (unsigned char *)TPM2_MANUFACTURER_MAP[i][1], +- sizeof(info->manufacturerID)); ++ (unsigned char *)TPM2_MANUFACTURER_MAP[i][1]); + } + } + +@@ -758,7 +757,7 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) { + vendor[1] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_2 - TPM2_PT_FIXED].value); + vendor[2] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_3 - TPM2_PT_FIXED].value); + vendor[3] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_4 - TPM2_PT_FIXED].value); +- str_padded_copy(info->model, (unsigned char*) &vendor, sizeof(info->model)); ++ str_padded_copy(info->model, (unsigned char*) &vendor); + + return CKR_OK; + } +diff --git a/src/lib/utils.h b/src/lib/utils.h +index 81c61fa..cf35746 100644 +--- a/src/lib/utils.h ++++ b/src/lib/utils.h +@@ -39,9 +39,11 @@ + + int str_to_ul(const char *val, size_t *res); + +-static inline void str_padded_copy(CK_UTF8CHAR_PTR dst, const CK_UTF8CHAR_PTR src, size_t dst_len) { ++#define str_padded_copy(dst, src) _str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(src))) ++static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) { + memset(dst, ' ', dst_len); +- memcpy(dst, src, strnlen((char *)(src), dst_len)); ++ memcpy(dst, src, src_len); ++ LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst); + } + + twist utils_hash_pass(const twist pin, const twist salt); +-- +2.38.1 + diff --git a/SOURCES/0003-utils-remove-debug-log-message-from-str_padded_copy.patch b/SOURCES/0003-utils-remove-debug-log-message-from-str_padded_copy.patch new file mode 100644 index 0000000..d2bd95e --- /dev/null +++ b/SOURCES/0003-utils-remove-debug-log-message-from-str_padded_copy.patch 
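Review bot: `_str_padded_copy` in utils.h copies `src_len` bytes with `memcpy(dst, src, src_len)` without clamping to `dst_len`, so any source array larger than the destination field now overruns `dst` where the old `strnlen((char *)(src), dst_len)` bound truncated it; the clamp is one line, `memcpy(dst, src, src_len < dst_len ? src_len : dst_len);`. The macro's `sizeof(src)` also only measures arrays: at the two tpm.c call sites that pass a cast pointer, `(unsigned char *)TPM2_MANUFACTURER_MAP[i][1]` and `(unsigned char*) &vendor`, it evaluates to the size of a pointer, so the strnlen bound is `sizeof(void *)` and the mapped manufacturer name and the model string are silently truncated to that many bytes. Those two sites should call the helper directly with an explicit source length, e.g. `_str_padded_copy(info->model, sizeof(info->model), (const CK_UTF8CHAR *)vendor, sizeof(vendor))` for the vendor case and `strlen(TPM2_MANUFACTURER_MAP[i][1])` for the map case. The definitions of `tpm_get_token_info` and the other callers start outside their hunks.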
@@ -0,0 +1,30 @@ +From ad882c439cc6580837196bab5fd82599685d84e0 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Thu, 20 May 2021 16:03:20 +0200 +Subject: [PATCH 3/6] utils: remove debug log message from str_padded_copy + +Commit 9af101b54035 ("utils: fix stringop-overread in str_padded_copy") +introduced a log message which is displayed every time the function +`str_padded_copy` is used. This looks like a debug message used while +working on the patch. Now that it is applied, remove the log message. + +Signed-off-by: Nicolas Iooss +--- + src/lib/utils.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/lib/utils.h b/src/lib/utils.h +index cf35746..983da06 100644 +--- a/src/lib/utils.h ++++ b/src/lib/utils.h +@@ -43,7 +43,6 @@ int str_to_ul(const char *val, size_t *res); + static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) { + memset(dst, ' ', dst_len); + memcpy(dst, src, src_len); +- LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst); + } + + twist utils_hash_pass(const twist pin, const twist salt); +-- +2.38.1 + diff --git a/SOURCES/0004-tpm2_ptool-do-not-re-encode-the-signed-data-when-imp.patch b/SOURCES/0004-tpm2_ptool-do-not-re-encode-the-signed-data-when-imp.patch new file mode 100644 index 0000000..58aa44b --- /dev/null +++ b/SOURCES/0004-tpm2_ptool-do-not-re-encode-the-signed-data-when-imp.patch 
@@ -0,0 +1,188 @@ +From 5bf5d6c22b9461321cec9ddeaae5795a5465bb03 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Thu, 23 Sep 2021 21:34:03 +0200 +Subject: [PATCH 4/6] tpm2_ptool: do not re-encode the signed data when + importing a certificate + +When using `tpm2_ptool addcert`, several users experienced issues +because the signed data of the certificate was re-encoded when being +added to the database. More precisely, the encoded certificate data is +encoded using a BER encoder which encodes booleans using 1 of True (cf. +https://github.com/etingof/pyasn1/blob/v0.4.8/pyasn1/codec/ber/encoder.py#L164 +). But in DER, the encoding of "True" is 0xff, and changing the signed +data made the signature of the certificate no longer valid. + +To fix this issue: + +- Directly use the result of `pem.readPemFromFile(f)` in attribute + `CKA_VALUE`: this is directly the encoded form of the certificate. +- Remove `pyasn1.codec.ber`, as this encoder is no longer used. +- Rename the DER decoder from `decoder` to `derdecoder` and the encoder + from `derenc` to `derencoder`, to make the code easier to read. + +While at it: + +- Reindent the code to 4-space indentation +- Use `hashlib.sha1(bercert).digest()` directly to compute a SHA1 + digest, instead of using `m.update()`. 
+ +Fixes: https://github.com/tpm2-software/tpm2-pkcs11/issues/700 +Signed-off-by: Nicolas Iooss +--- + tools/tpm2_pkcs11/utils.py | 126 ++++++++++++++++++------------------- + 1 file changed, 60 insertions(+), 66 deletions(-) + +diff --git a/tools/tpm2_pkcs11/utils.py b/tools/tpm2_pkcs11/utils.py +index b803f4c..91eab9a 100644 +--- a/tools/tpm2_pkcs11/utils.py ++++ b/tools/tpm2_pkcs11/utils.py +@@ -15,9 +15,7 @@ from cryptography.hazmat.primitives.asymmetric import (rsa, padding) + from cryptography.hazmat.primitives import hashes + + from pyasn1_modules import pem, rfc2459 +-from pyasn1.codec.der import decoder +-from pyasn1.codec.ber import encoder as berenc +-from pyasn1.codec.der import encoder as derenc ++from pyasn1.codec.der import decoder as derdecoder, encoder as derencoder + from pyasn1.type import namedtype, tag, univ + + from .pkcs11t import * # noqa +@@ -247,68 +245,64 @@ def asn1_format_ec_point_uncompressed(x, y): + return s + + def pemcert_to_attrs(certpath): +- # rather than use pycryptography x509 parser, which gives native type access to certificate +- # fields use pyASN1 to get raw ASN1 encoded values for the fields as the spec requires them +- with open(certpath, "r") as f: +- substrate = pem.readPemFromFile(f) +- cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0] +- +- c = cert['tbsCertificate'] +- +- # print(cert.prettyPrint()) +- +- h = binascii.hexlify +- b = berenc.encode +- d = derenc.encode +- +- bercert = b(cert) +- hexbercert = h(bercert).decode() +- +- # the CKA_CHECKSUM attrs is the first 3 bytes of a sha1hash +- m = hashlib.sha1() +- m.update(bercert) +- bercertchecksum = m.digest()[0:3] +- hexbercertchecksum = h(bercertchecksum).decode() +- +- subj = c['subject'] +- hexsubj = h(d(str2bytes(subj))).decode() +- +- issuer = c['issuer'] +- hexissuer = h(d(str2bytes(issuer))).decode() +- +- serial = c['serialNumber'] +- hexserial = h(d(str2bytes(serial))).decode() +- +- return { +- # The attrs of this attribute is 
derived by taking the first 3 bytes of the CKA_VALUE +- # field. +- CKA_CHECK_VALUE: hexbercertchecksum, +- # Start date for the certificate (default empty) +- CKA_START_DATE : "", +- # End date for the certificate (default empty) +- CKA_END_DATE : "", +- # DER-encoding of the SubjectPublicKeyInfo for the public key +- # contained in this certificate (default empty) +- CKA_PUBLIC_KEY_INFO : "", +- # DER encoded subject +- CKA_SUBJECT : hexsubj, +- # DER encoding of issuer +- CKA_ISSUER : hexissuer, +- # DER encoding of the cert serial +- CKA_SERIAL_NUMBER : hexserial, +- # BER encoding of the certificate +- CKA_VALUE : hexbercert, +- # RFC2279 string to URL where cert can be found, default empty +- CKA_URL : '', +- # hash of pub key subj, default empty +- CKA_HASH_OF_SUBJECT_PUBLIC_KEY : '', +- # Hash of pub key, default empty +- CKA_HASH_OF_ISSUER_PUBLIC_KEY : '', +- # Java security domain, default CK_SECURITY_DOMAIN_UNSPECIFIED +- CKA_JAVA_MIDP_SECURITY_DOMAIN : CK_SECURITY_DOMAIN_UNSPECIFIED, +- # Name hash algorithm, defaults to SHA1 +- CKA_NAME_HASH_ALGORITHM : CKM_SHA_1 +- } ++ # rather than using pycryptography x509 parser, which gives native type access to certificate ++ # fields use pyASN1 to get raw ASN1 encoded values for the fields as the spec requires them ++ with open(certpath, "r") as f: ++ bercert = pem.readPemFromFile(f) ++ ++ cert = derdecoder.decode(bercert, asn1Spec=rfc2459.Certificate())[0] ++ c = cert['tbsCertificate'] ++ ++ # print(cert.prettyPrint()) ++ ++ h = binascii.hexlify ++ d = derencoder.encode ++ ++ hexbercert = h(bercert).decode() ++ ++ # the CKA_CHECKSUM attrs is the first 3 bytes of a sha1hash ++ bercertchecksum = hashlib.sha1(bercert).digest()[0:3] ++ hexbercertchecksum = h(bercertchecksum).decode() ++ ++ subj = c['subject'] ++ hexsubj = h(d(str2bytes(subj))).decode() ++ ++ issuer = c['issuer'] ++ hexissuer = h(d(str2bytes(issuer))).decode() ++ ++ serial = c['serialNumber'] ++ hexserial = h(d(str2bytes(serial))).decode() ++ ++ 
return { ++ # The attrs of this attribute is derived by taking the first 3 bytes of the CKA_VALUE ++ # field. ++ CKA_CHECK_VALUE: hexbercertchecksum, ++ # Start date for the certificate (default empty) ++ CKA_START_DATE: "", ++ # End date for the certificate (default empty) ++ CKA_END_DATE: "", ++ # DER-encoding of the SubjectPublicKeyInfo for the public key ++ # contained in this certificate (default empty) ++ CKA_PUBLIC_KEY_INFO: "", ++ # DER encoded subject ++ CKA_SUBJECT: hexsubj, ++ # DER encoding of issuer ++ CKA_ISSUER: hexissuer, ++ # DER encoding of the cert serial ++ CKA_SERIAL_NUMBER: hexserial, ++ # BER encoding of the certificate ++ CKA_VALUE: hexbercert, ++ # RFC2279 string to URL where cert can be found, default empty ++ CKA_URL: '', ++ # hash of pub key subj, default empty ++ CKA_HASH_OF_SUBJECT_PUBLIC_KEY: '', ++ # Hash of pub key, default empty ++ CKA_HASH_OF_ISSUER_PUBLIC_KEY: '', ++ # Java security domain, default CK_SECURITY_DOMAIN_UNSPECIFIED ++ CKA_JAVA_MIDP_SECURITY_DOMAIN: CK_SECURITY_DOMAIN_UNSPECIFIED, ++ # Name hash algorithm, defaults to SHA1 ++ CKA_NAME_HASH_ALGORITHM: CKM_SHA_1 ++ } + + def _pkcs11_to_str(value, prefix): + +@@ -407,7 +401,7 @@ def asn1parse_tss_key(keypath): + if len(substrate) == 0: + sys.exit('Did not find key in tss key file: {}'.format(keypath)) + +- tss2_privkey, _ = decoder.decode(substrate, asn1Spec=TSSPrivKey()) ++ tss2_privkey, _ = derdecoder.decode(substrate, asn1Spec=TSSPrivKey()) + + return tss2_privkey + +-- +2.38.1 + diff --git a/SOURCES/0005-db-fix-upgrade-backup.patch b/SOURCES/0005-db-fix-upgrade-backup.patch new file mode 100644 index 0000000..d2605e3 --- /dev/null +++ b/SOURCES/0005-db-fix-upgrade-backup.patch 
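Review bot: The comment `# BER encoding of the certificate` above `CKA_VALUE: hexbercert` and the local name `bercert` now misdescribe the value: after this change it is the certificate exactly as decoded from the PEM file, stored without re-encoding, which is the point of the fix. Suggest `# certificate bytes as decoded from PEM, stored verbatim so the signature stays valid (not re-encoded)` and, optionally, renaming the local to `dercert`. Note also that `derdecoder.decode(bercert, asn1Spec=rfc2459.Certificate())[0]` discards the remainder element, so any trailing bytes after the certificate in the PEM block are neither rejected nor stripped and would be stored in CKA_VALUE as-is; if strictness is wanted, unpack the tuple and raise when the remainder is non-empty.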
@@ -0,0 +1,78 @@ +From 64b6bd89d0faad3274d0b224b1d1c92fcd397a62 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Wed, 2 Nov 2022 19:23:13 +0100 +Subject: [PATCH 5/6] db: fix upgrade backup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +During a failed upgrade, the original database was deleted and replaced +with the upgraded one, making it impossible to revert the failed +upgrade. + +This commit fixes this problem by keeping the old version of the +database as a separate file for upgrades that finished successfully and +keeping the original database for those that did not. + +Signed-off-by: Štěpán Horáček +--- + tools/tpm2_pkcs11/db.py | 36 +++++++++++++++++++++--------------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +diff --git a/tools/tpm2_pkcs11/db.py b/tools/tpm2_pkcs11/db.py +index 1b18b8f..d0a526b 100644 +--- a/tools/tpm2_pkcs11/db.py ++++ b/tools/tpm2_pkcs11/db.py +@@ -454,27 +454,33 @@ class Db(object): + REPLACE INTO schema (id, schema_version) VALUES (1, {version}); + '''.format(version=new_version)) + dbbakcon.execute(sql) +- finally: +- # Close the connections +- self._conn.commit() +- self._conn.close() +- ++ except Exception as e: ++ # Close the connection to backup + dbbakcon.commit() + dbbakcon.close() + +- # move old db to ".old" suffix +- olddbpath = self._path + ".old" +- os.rename(self._path, olddbpath) ++ # unlink the backup ++ os.unlink(dbbakpath) ++ ++ raise e ++ ++ # Close the connections ++ self._conn.commit() ++ self._conn.close() + +- # move the backup to the normal dbpath +- os.rename(dbbakpath, self._path) ++ dbbakcon.commit() ++ dbbakcon.close() + +- # unlink the old +- os.unlink(olddbpath) ++ # move old db to ".old" suffix ++ olddbpath = self._path + ".old" ++ os.rename(self._path, olddbpath) + +- # re-establish a connection +- self._conn = sqlite3.connect(self._path) +- self._conn.row_factory = sqlite3.Row ++ # move the backup 
to the normal dbpath ++ os.rename(dbbakpath, self._path) ++ ++ # re-establish a connection ++ self._conn = sqlite3.connect(self._path) ++ self._conn.row_factory = sqlite3.Row + + def _get_version(self): + c = self._conn.cursor() +-- +2.38.1 + diff --git a/SOURCES/0006-db-fix-upgrade-to-version-4.patch b/SOURCES/0006-db-fix-upgrade-to-version-4.patch new file mode 100644 index 0000000..31546a3 --- /dev/null +++ b/SOURCES/0006-db-fix-upgrade-to-version-4.patch @@ -0,0 +1,37 @@ +From 1d28d6eee8c1b02a900810e6f1e4582e1c4381a5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Wed, 12 Oct 2022 15:50:33 +0200 +Subject: [PATCH 6/6] db: fix upgrade to version 4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +During upgrade of the database from version 3 to version 4, parameter +'persistent' was used, although everywhere else the opposite 'transient' +is used. This causes KeyError: 'transient' when using the upgraded +database. + +This commit fixes this by adding 'transient' during upgrade instead. + +Signed-off-by: Štěpán Horáček +--- + tools/tpm2_pkcs11/db.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/tpm2_pkcs11/db.py b/tools/tpm2_pkcs11/db.py +index d0a526b..01ab298 100644 +--- a/tools/tpm2_pkcs11/db.py ++++ b/tools/tpm2_pkcs11/db.py +@@ -380,7 +380,7 @@ class Db(object): + hexblob = bytes.hex(blob) + + config = { +- 'persistent' : True, ++ 'transient': False, + 'esys-tr': hexblob + } + +-- +2.38.1 + diff --git a/SOURCES/revert-require-py37.patch b/SOURCES/revert-require-py37.patch new file mode 100644 index 0000000..0100460 --- /dev/null +++ b/SOURCES/revert-require-py37.patch 
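Review bot: In the new `except Exception as e:` branch of db.py, `raise e` re-raises with a traceback anchored at the `raise` line rather than the original failure, and `os.unlink(dbbakpath)` runs unguarded before it, so if removing the backup fails the upgrade's own error is replaced by an OSError and the original cause is lost. Use a bare `raise` and make the cleanup best-effort, as below. With the `finally` gone, `self._conn` is also no longer closed on the failure path; that may be intended so the object stays usable after a failed upgrade, but it is worth a comment. The enclosing method starts before the hunk.
```python
        except Exception:
            # Close the connection to backup
            dbbakcon.commit()
            dbbakcon.close()

            # unlink the backup; a failed unlink must not mask the upgrade error
            try:
                os.unlink(dbbakpath)
            except OSError:
                pass

            raise
        # … unchanged: success path (commit/close, rename to .old, reconnect) …
```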
@@ -0,0 +1,74 @@ +diff -Naur tpm2-pkcs11-1.3.2/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch tpm2-pkcs11-1.3.2a/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch +--- tpm2-pkcs11-1.3.2/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch 1969-12-31 16:00:00.000000000 -0800 ++++ tpm2-pkcs11-1.3.2a/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch 2021-03-23 15:26:46.043878215 -0700 +@@ -0,0 +1,43 @@ ++From ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6 Mon Sep 17 00:00:00 2001 ++From: William Roberts ++Date: Mon, 30 Dec 2019 14:10:14 -0600 ++Subject: [PATCH] tpm2_ptool: require python3.7 for db upgrade ++ ++SQLite3 bindings for python don't have the backup API implemented until ++Python 3.7. Make this the new minimum requirement for tpm2_ptool so ++we can use this feature. ++ ++Signed-off-by: William Roberts ++--- ++ tools/setup.py | 1 + ++ tools/tpm2_pkcs11/__init__.py | 6 +++--- ++ 2 files changed, 4 insertions(+), 3 deletions(-) ++ ++diff --git a/tools/setup.py b/tools/setup.py ++index 494f9edd..4490dc61 100644 ++--- a/tools/setup.py +++++ b/tools/setup.py ++@@ -9,6 +9,7 @@ ++ ++ setup( ++ name='tpm2-pkcs11-tools', +++ python_requires='>=3.7', ++ long_description=long_description, ++ long_description_content_type='text/markdown', ++ version='1.33.7', ++diff --git a/tools/tpm2_pkcs11/__init__.py b/tools/tpm2_pkcs11/__init__.py ++index ed83ef52..1ed8b3af 100644 ++--- a/tools/tpm2_pkcs11/__init__.py +++++ b/tools/tpm2_pkcs11/__init__.py ++@@ -2,6 +2,6 @@ ++ ++ import sys ++ ++-# Sunset python < 3 support ++-if sys.version_info[0] < 3: ++- sys.exit("Python 3 or a more recent version is required.") ++\ No newline at end of file +++# Requires python 3.7 or greater +++if (sys.version_info[0], sys.version_info[1]) < (3, 7): +++ sys.exit("Python 3.7 or a more recent version is required.") ++\ No newline at end of file +diff -Naur tpm2-pkcs11-1.3.2/tools/setup.py tpm2-pkcs11-1.3.2a/tools/setup.py +--- tpm2-pkcs11-1.3.2/tools/setup.py 2020-08-10 07:31:22.000000000 -0700 ++++ 
tpm2-pkcs11-1.3.2a/tools/setup.py 2021-03-23 15:27:01.160008742 -0700 +@@ -9,7 +9,6 @@ + + setup( + name='tpm2-pkcs11-tools', +- python_requires='>=3.7', + long_description=long_description, + long_description_content_type='text/markdown', + version='1.33.7', +diff -Naur tpm2-pkcs11-1.3.2/tools/tpm2_pkcs11/__init__.py tpm2-pkcs11-1.3.2a/tools/tpm2_pkcs11/__init__.py +--- tpm2-pkcs11-1.3.2/tools/tpm2_pkcs11/__init__.py 2020-08-09 06:46:13.000000000 -0700 ++++ tpm2-pkcs11-1.3.2a/tools/tpm2_pkcs11/__init__.py 2021-03-23 15:27:01.161008751 -0700 +@@ -2,6 +2,6 @@ + + import sys + +-# Requires python 3.7 or greater +-if (sys.version_info[0], sys.version_info[1]) < (3, 7): +- sys.exit("Python 3.7 or a more recent version is required.") +\ No newline at end of file ++# Sunset python < 3 support ++if sys.version_info[0] < 3: ++ sys.exit("Python 3 or a more recent version is required.") +\ No newline at end of file + diff --git a/SOURCES/tpm2-pkcs11-1.6.0.tar.gz.asc b/SOURCES/tpm2-pkcs11-1.6.0.tar.gz.asc new file mode 100644 index 0000000..5d90d79 --- /dev/null +++ b/SOURCES/tpm2-pkcs11-1.6.0.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmCQRvIACgkQbeLpB44f +UMGsBw//UOD/t2rZ18jAZSmordwrvYdtFNYC4229IxTnxOtq7agnieJUFrR9HZ+R +eWzc3AIxMDK0+BSja+WKpLE64YPde7ZMjS2kXDYCFhjzJy8cq33Sf87KvEuonXp+ +Bp4MBQ5B8T4TngqGTUvTvZfM+h1LQf+CeUzgjsRcJPIwmhGD4dkCB6P+H7IZzth8 +tsGlprJsoOz5JChm7mBEhyyz4Z4odLB8jXmnZxL0W9FpQ6cbAWcSSg+9t9qSck4g +xXgmR9GE3ZlbGcjCO0Sbazf12n3kL6NDDPB4j3XvGLA0xezsyaEmV31LDFMu4WbG +X2vLVDT2zj3AUmeiYxjcSpRV4GJ6B+tqAOz1QqtFEnWuAuSupsZ/N3K3jRdpcAl+ +hw/Cyzo7Vnwt5RhAGJ/Eek1QdrtKKBWoVspbKsxOgsSJt/09q3bl9qQj5BtVeYT1 +RQOP0XDLhMQKwFlCiSS6jUDf7v/0bIwMV0eJXKmMhKFoxkN88fAPNgDSCXUNFme6 +2hOeZMkCuAaMKfFwJsJOg/1efPmJnpjwFKpKj6b2cz6PLqxGn1D1tVJMKOsJy/ME +rMN8dSrftl/CJda4hKhz/wvZDkyH7Vd3ev5Yqg11Dr4IQyfuy296jsUKcMo6pM9q +bSHTwelbqnsUy03MoghU67Mc480G0E1xzu8rTtbFIPCTxLuCK1s= +=g3T8 +-----END PGP SIGNATURE----- 
diff --git a/SPECS/tpm2-pkcs11.spec b/SPECS/tpm2-pkcs11.spec
new file mode 100644
index 0000000..07142e3
--- /dev/null
+++ b/SPECS/tpm2-pkcs11.spec
@@ -0,0 +1,186 @@
+%ifarch s390x
+# https://bugzilla.redhat.com/show_bug.cgi?id=1861276 -> Disable LTO for now
+%define _lto_cflags %{nil}
+%endif
+
+#global candidate RC0
+
+Name: tpm2-pkcs11
+Version: 1.6.0
+Release: 1%{?candidate:.%{candidate}}%{?dist}
+Summary: PKCS#11 interface for TPM 2.0 hardware
+
+License: BSD
+URL: https://github.com/tpm2-software/tpm2-pkcs11
+Source0: https://github.com/tpm2-software/%{name}/releases/download/%{version}%{?candidate:-%{candidate}}/%{name}-%{version}%{?candidate:-%{candidate}}.tar.gz
+Source1: https://github.com/tpm2-software/%{name}/releases/download/%{version}%{?candidate:-%{candidate}}/%{name}-%{version}%{?candidate:-%{candidate}}.tar.gz.asc
+# William Roberts (Bill Roberts) key from pgp.mit.edu
+Source2: gpgkey-8E1F50C1.gpg
+# Revert of ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6 to build on EPEL 8
+Patch0: revert-require-py37.patch
+Patch1: 0001-Backup-with-sqlite3-special-command.patch
+Patch2: 0002-utils-fix-stringop-overread-in-str_padded_copy.patch
+Patch3: 0003-utils-remove-debug-log-message-from-str_padded_copy.patch
+Patch4: 0004-tpm2_ptool-do-not-re-encode-the-signed-data-when-imp.patch
+Patch5: 0005-db-fix-upgrade-backup.patch
+Patch6: 0006-db-fix-upgrade-to-version-4.patch
+
+
+BuildRequires: autoconf-archive
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: gcc
+BuildRequires: make
+BuildRequires: python3
+BuildRequires: libgcrypt-devel
+BuildRequires: libyaml-devel
+BuildRequires: openssl-devel
+BuildRequires: p11-kit-devel
+BuildRequires: sqlite-devel
+BuildRequires: tpm2-tools
+BuildRequires: tpm2-tss-devel
+# for tests
+BuildRequires: libcmocka-devel
+BuildRequires: dbus-daemon
+# for tools
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-pyasn1-modules
+BuildRequires: python3-pyyaml
+BuildRequires: python3-cryptography
+# for tarball signature verification
+BuildRequires: gnupg2
+
+%description
+PKCS #11 is a Public-Key Cryptography Standard that 
defines a standard method
+to access cryptographic services from tokens/ devices such as hardware security
+modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device
+as the cryptographic token.
+
+%package tools
+Summary: The tools required to setup and configure TPM2 for PKCS#11
+# Automatic generator does not work for me even though the requires.txt is in place
+Requires: tpm2-tools
+Requires: python3-cryptography
+Requires: python3-pyyaml
+Requires: python3-pyasn1-modules
+Requires: sqlite
+
+%description tools
+The tools required to setup and configure TPM2 for PKCS#11.
+
+%prep
+gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+%autosetup -p1 -n %{name}-%{version}%{?candidate:-%{candidate}}
+
+
+%build
+%configure --enable-unit
+%{make_build}
+cd tools
+%py3_build
+
+
+%install
+%make_install
+rm $RPM_BUILD_ROOT%{_libdir}/pkgconfig/tpm2-pkcs11.pc
+[ -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/libtpm2_pkcs11.la ] && \
+ rm $RPM_BUILD_ROOT%{_libdir}/pkcs11/libtpm2_pkcs11.la
+[ -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/libtpm2_pkcs11.a ] && \
+ rm $RPM_BUILD_ROOT%{_libdir}/pkcs11/libtpm2_pkcs11.a
+cd tools
+%py3_install
+install -Dpm 755 tpm2_ptool $RPM_BUILD_ROOT%{_bindir}/tpm2_ptool
+
+
+%check
+make check
+cd tools
+%{__python3} setup.py test
+
+
+%files
+%license LICENSE
+%{_datadir}/p11-kit/modules/tpm2_pkcs11.module
+%%dir %{_libdir}/pkcs11
+%{_libdir}/pkcs11/libtpm2_pkcs11.so
+%{_libdir}/pkcs11/libtpm2_pkcs11.so.0*
+
+%files tools
+%{_bindir}/tpm2_ptool
+%{python3_sitelib}/tpm2_pkcs11/*
+%{python3_sitelib}/tpm2_pkcs11_tools-*/*
+
+
+%changelog
+* Wed Nov 16 2022 Štěpán Horáček - 1.6.0-1
+- Update to 1.6.0 for RHEL 8
+ Resolves: rhbz#1896871
+
+* Tue Mar 23 2021 Davide Cavalca - 1.3.2-2
+- Revert python 3.7 requirement commit to allow building on EPEL 8
+
+* Mon Aug 10 2020 Peter Robinson - 1.3.2-1
+- Update to 1.3.2
+
+* Mon Jul 27 2020 Peter Robinson - 1.3.1-1
+- Update to 1.3.1
+
+* Tue Jul 07 2020 Peter Robinson - 1.3.0-1
+- Update to 
1.3.0
+
+* Thu Jul 02 2020 Jakub Jelen - 1.3.0-0.1-RC0
+- Update to 1.3.0-RC0
+
+* Tue May 26 2020 Miro Hrončok - 1.2.0-2
+- Rebuilt for Python 3.9
+
+* Mon Mar 30 2020 Peter Robinson - 1.2.0-1
+- Update to 1.2.0
+
+* Mon Mar 09 2020 Peter Robinson - 1.1.0-1
+- Update to 1.1.0
+
+* Mon Mar 2 2020 Peter Robinson 1.1.0-0.1-RC1
+- Update to 1.1.0 RC1 candidate
+
+* Mon Feb 10 2020 Jakub Jelen - 1.0.1-3
+- Unbreak build with gcc10 (#1796383)
+
+* Fri Jan 31 2020 Fedora Release Engineering - 1.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 07 2020 Jakub Jelen - 1.0.1-1
+- New upstream release (#1784580)
+
+* Tue Dec 31 2019 Peter Robinson 1.0-1
+- Update to 1.0 stable release
+
+* Thu Dec 26 2019 Peter Robinson 1.0-0.1-RC1
+- Update to 1.0 RC1 candidate
+
+* Fri Oct 11 2019 Jakub Jelen - 0-0.3.20191011git0b7ceff
+- Update to current git version
+- Fix missing requires (#1757179)
+
+* Thu Oct 03 2019 Miro Hrončok - 0-0.7.20190813git2f3058c
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Wed Aug 21 2019 Miro Hrončok - 0-0.6.20190813git2f3058c
+- Rebuilt for Python 3.8
+
+* Tue Aug 20 2019 Peter Robinson 0-0.5.20190813git2f3058c
+- Update to new git snapshot for better use of tss2-tools 4.0 features
+
+* Mon Aug 19 2019 Miro Hrončok - 0-0.4.20190219git1e84553
+- Rebuilt for Python 3.8
+
+* Sat Jul 27 2019 Fedora Release Engineering - 0-0.3.20190219git1e84553
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Apr 23 2019 Jakub Jelen - 0-0.2.20190219git1e84553
+- Package missing python tool for TPM2 initialization
+- Update to current version from github
+
+* Tue Feb 19 2019 Jakub Jelen - 0-0.1.20190219git836d715
+- Initial release for Fedora
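Review bot: In `%files tools`, `%{python3_sitelib}/tpm2_pkcs11/*` and `%{python3_sitelib}/tpm2_pkcs11_tools-*/*` list only directory contents, so the `tpm2_pkcs11/` package directory and the egg-info directory are left unowned and stay behind after the package is removed; listing the directories themselves, `%{python3_sitelib}/tpm2_pkcs11/` and `%{python3_sitelib}/tpm2_pkcs11_tools-*/`, makes rpm own them and everything beneath. Separately, `Requires: sqlite` on the tools subpackage exists because Patch1 shells out to the `sqlite3` binary for the database backup, but the only nearby comment is about the requires generator; a line such as `# sqlite3 CLI is used by Patch1 for the db backup (.backup)` would keep that dependency from being dropped as apparently redundant with `sqlite-devel`.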