Sync from SUSE:SLFO:Main openCryptoki revision 8c4e76323b612c79cb1f2a028df5a527

openCryptoki.changes

@@ -1,9 +1,24 @@
+-------------------------------------------------------------------
+Thu Jul 18 06:07:40 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file accorinding to the recommendation in (bsc#1225876) 
+
+-------------------------------------------------------------------
+Thu Jul 11 07:57:25 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Updated the .spec file (bsc#1225876, bsc#1227280)
+  * Amended for group %{pkcs_group} and user pkcsslotd
+  * Copying example script files from /usr/share/doc/opencryptoki to
+    /usr/share/opencryptoki (policy-example.conf and strength-example.conf)
+    in case that there is 'rpm.install.excludedocs=yes' set in the
+    zypper.conf(zypp.conf)
+
 -------------------------------------------------------------------
 Wed Feb  7 07:27:00 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 
 - Upgrade openCryptoki to version 3.23 (jsc#PED-3360, jsc#PED-3361)
   * EP11: Add support for FIPS-session mode
-  * Updates to harden against RSA timing attacks
+  * Updates to harden against RSA timing attacks (bsc#1219217,CVE-2024-0914)
   * Bug fixes
 - Renamed ocki-3.22-remove-make-install-chgrp.patch to
           ocki-3.23-remove-make-install-chgrp.patch
@@ -58,7 +73,8 @@ Fri May 26 06:55:10 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 -------------------------------------------------------------------
 Thu Feb 16 13:22:45 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 
-- Updated package to openCryptoki 3.20 (jsc#PED-2870)
+- Updated package to openCryptoki 3.20 (bsc#1207760,
+         jsc#PED-3376, jsc#PED-2870, jsc#PED-2869 ) 
 - Removed the following obsolite patches:
         * ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
         * ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch

openCryptoki.spec

@@ -165,6 +165,10 @@ install -d %{buildroot}%{_localstatedir}/lib/opencryptoki
 install -d %{buildroot}%{_initddir}
 install -d %{buildroot}%{_sbindir}
 install -d %{buildroot}%{_prefix}/lib/tmpfiles.d
+#
+mkdir -p %{buildroot}%{_datadir}/opencryptoki
+cp %{buildroot}%{_datadir}/doc/opencryptoki/*.conf %{buildroot}%{_datadir}/opencryptoki
+#
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcpkcsslotd
 rm -rf %{buildroot}/tmp
 
@@ -177,8 +181,8 @@ rm -f %{buildroot}%{_libdir}/opencryptoki/methods
 # autobuild:/work/cd/lib/misc/group
 # openCryptoki    pkcs11:x:64:
 # openCryptoki    pkcsslotd:x:64:
-%{_sbindir}/groupadd -g %{pkcs11_group_id} -r %{pkcs_group} 2>/dev/null || true
-%{_sbindir}/useradd -g %{pkcs11_group_id} -r pkcsslotd -s /sbin/nologin -d /run/opencryptoki   2>/dev/null || true
+getent group %{pkcs_group} 2>/dev/null || %{_sbindir}/groupadd -g %{pkcs11_group_id} -r %{pkcs_group} 2>/dev/null || true
+getent passwd pkcsslotd 2>/dev/null || %{_sbindir}/useradd -g %{pkcs11_group_id} -r pkcsslotd -s /sbin/nologin -d /run/opencryptoki 2>/dev/null || true
 %{_sbindir}/usermod -a -G %{pkcs_group} root
 
 %preun
@@ -238,8 +242,11 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %doc openCryptoki-TFAQ.html FAQ
 %doc doc/*
 %dir %{_datadir}/doc/opencryptoki
-%{_datadir}/doc/opencryptoki/policy-example.conf
-%{_datadir}/doc/opencryptoki/strength-example.conf
+%doc %{_datadir}/doc/opencryptoki/policy-example.conf
+%doc %{_datadir}/doc/opencryptoki/strength-example.conf
+%dir %{_datadir}/opencryptoki
+%{_datadir}/opencryptoki/policy-example.conf
+%{_datadir}/opencryptoki/strength-example.conf
   # configuration directory
 %dir %{_sysconfdir}/opencryptoki
 %config %{_sysconfdir}/opencryptoki/opencryptoki.conf