commit 63a2e562735e243794caf0509c45af0e17e24c5d1fb599fa3dd89049ba8b0ff0 Author: Adrian Schröter Date: Fri May 3 17:37:57 2024 +0200 Sync from SUSE:SLFO:Main p11-kit revision 6971e67d18439e0ba628019b9bf55f91 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..3da805e --- /dev/null +++ b/baselibs.conf @@ -0,0 +1,9 @@ +libp11-kit0 +p11-kit + +/usr/lib(64)?/pkcs11/*.so + requires "p11-kit = " +p11-kit-nss-trust + +/usr/lib(64)?/*.so + requires "p11-kit = " + conflicts "mozilla-nss-certs-" + provides "libnssckbi.so" diff --git a/p11-kit-0.25.3.tar.xz b/p11-kit-0.25.3.tar.xz new file mode 100644 index 0000000..acd60d1 --- /dev/null +++ b/p11-kit-0.25.3.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d8ddce1bb7e898986f9d250ccae7c09ce14d82f1009046d202a0eb1b428b2adc +size 991528 diff --git a/p11-kit-0.25.3.tar.xz.sig b/p11-kit-0.25.3.tar.xz.sig new file mode 100644 index 0000000..517af52 Binary files /dev/null and b/p11-kit-0.25.3.tar.xz.sig differ diff --git a/p11-kit.changes b/p11-kit.changes new file mode 100644 index 0000000..5975a28 --- /dev/null +++ b/p11-kit.changes @@ -0,0 +1,728 @@ +------------------------------------------------------------------- +Fri Nov 17 10:11:56 UTC 2023 - Pedro Monreal + +- Update to 0.25.3: + * rpc: fix serialization of NULL mechanism pointer [#601] + * fix meson build failure in macOS (appleframeworks not found) [#603] + +------------------------------------------------------------------- +Thu Nov 2 08:58:08 UTC 2023 - Pedro Monreal + +- Update to 0.25.2: + * fix error code checking of readpassphrase for --login option [#595] + * build fixes [#594] + * test fixes [#596] + +------------------------------------------------------------------- +Fri Oct 27 12:05:22 UTC 2023 - Pedro Monreal + +- Update to 0.25.1: + * fix probing of C_GetInterface [#535] + * p11-kit: add command to list tokens [#581] + * p11-kit: add command to list mechanisms supported by a token [#576] + * p11-kit: add command to generate private-public keypair on a token + [#551, #582] + * p11-kit: add commands to import/export certificates and public + keys into/from a token [#543, #549, #568, #588] + * p11-kit: add commands to list and delete objects of a token + [#533, #544, #571] + * p11-kit: add --login option to login into a token with object + and profile management commands [#587] + * p11-kit: adjust behavior of PKCS#11 profile management commands + [#558, #560, #583, #591] + * p11-kit: print PKCS#11 URIs in list-modules [#532] + * bug and build fixes [#528 #529, #534, #537, #540, #541, #545, + #547, #550, #557, #572, #575, #579, #585, #586, #590] + * test fixes [#553, #580] + * Remove patch fixed upstream: + - d1d4b0ac316a27c739ff91e6c4153f1154e96e5a.patch + +------------------------------------------------------------------- +Wed Sep 20 21:26:03 UTC 2023 - Bjørn Lie + +- Add d1d4b0ac316a27c739ff91e6c4153f1154e96e5a.patch: Fix probing + of C_GetInterface. + +------------------------------------------------------------------- +Wed Sep 20 08:49:47 UTC 2023 - Pedro Monreal + +- Update to 0.25.0: + * add PKCS#11 3.0 support + * add support for profile objects + * add ability to adjust module and config paths at run-time via + system environmental exports + * make terminal output nicer + * p11-kit: add command to print merged configuration + * p11-kit: add commands to list, add and delete profiles of a token + * trust: add command to check format of .p11-kit files + * virtual: fix libffi type signatures for PKCS#11 3.0 functions + * server: fix umask setting when --group is specified + * server: check SHELL only when neither --sh nor --csh is specified + * rpc: use space string in C_InitToken + * rpc: fix two off-by-one errors identified by asan + * modules: make logging message more translatable + * pkcs11.h: support CRYPTOKI_GNU for IBM vendor mechanisms + * pkcs11.h: add IBM specific mechanism and attributes + * pkcs11.h: add ChaCha20/Salsa20 and Poly1305 mechanisms + * pkcs11.h: add AES-GCM mechanism parameters for message-based encryption + * po: update translations from Transifex +- Update upstream p11-kit.keyring file +- Add missing lang files +- Switch to using Meson as the build system + +------------------------------------------------------------------- +Mon Aug 8 16:03:57 UTC 2022 - Dirk Müller + +- skip testsuite on qemu arches, it fails + +------------------------------------------------------------------- +Wed Mar 9 16:19:28 UTC 2022 - Ludwig Nussel + +- make sure p11-kit components have matching versions (boo#1196812) + +------------------------------------------------------------------- +Tue Jan 25 10:42:15 UTC 2022 - Bjørn Lie + +- Update to version 0.24.1: + * rpc: Support protocol version negotiation. + * proxy: Support copying attribute array recursively. + * Link libp11-kit so that it cannot unload. + * Translation improvements. + * Build fixes. + +------------------------------------------------------------------- +Fri Dec 17 13:47:17 UTC 2021 - Bjørn Lie + +- Update to version 0.24.0: + * Use inclusive language on certificate distrust. Note: This + changes the directory and attribute names to distrust certain + CAs to "blocklist". + * Fix issues spotted by coverity and ASan. + * Integrate gettext with tools more tightly. + * rpc: Forbid use of array of attributes. + * Build fixes. +- Change dirs from blacklist to blocklist ref upstream changes. + +------------------------------------------------------------------- +Mon Dec 13 11:11:31 UTC 2021 - Ludwig Nussel + +- Enable systemd support + +------------------------------------------------------------------- +Sun Jan 17 23:39:49 UTC 2021 - Dirk Müller + +- update to 0.23.22 (bsc#1180064, bsc#1180065, bsc#1180066, jsc#SLE-18495): + * Fix memory-safety issues that affect the RPC protocol + (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363), discovered + and fixed by David Cook + * anchor: Prefer persistent format when storing anchor [PR#329] + * common: Fix infloop in p11_path_build [PR#326, PR#327] + * proxy: C_CloseAllSessions: Make sure that calloc args are non-zero [PR#325] + * common: Check for a NULL locale before freeing it [PR#321] + * proxy: Do not assign duplicate slot IDs [PR#282] + * common: Get program name based on executable path if possible [PR#307] + * anchor: Exit with non-zero code, if any error occurs [PR#304] + * Build and test fixes + +------------------------------------------------------------------- +Mon Oct 5 13:19:09 UTC 2020 - Ludwig Nussel + +- avoid bareword to fix build failure + +------------------------------------------------------------------- +Wed Apr 15 07:01:38 UTC 2020 - Martin Pluskal + +- Update to version 0.23.20: + * Revert "Fix RPC when length-s are 0" changes [PR#276] +- Changes for version 0.23.19: + * common: add Russian PKCS#11 extensions to pkcs11x.h header [PR#255] + * Add simple bash completion for provided commands [PR#258] + * Unbreak list matching in enable-in and disable-in [PR#262] + * Fix RPC when length-s are 0 [PR#259] + * rpc: Add vsock transport support [PR#270] + * trust: Support CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER [PR#265] + * Build fixes [PR#271, PR#272, PR#273, ...] +- Changes for version 0.23.18: + * rpc: Allow empty CK_DATE value [PR#253] + * build: Meson fixes [PR#245] + * build: Adjust feature parity between meson and autotools [PR#247] +- Changes for version 0.23.17: + * common: Fix uClibc-ng compilation [PR#237] + * trust: do not allow daylight to invalidate date validation [PR#236] + * build: Port to meson build system [PR#231, PR#234] + * rpc: On UNIX wait on condition variable instead of FD if header is for a different thread [PR#232] + * doc: Add 'server' command in help [PR#229] + * Build and test fixes [PR#230] +- Changes for version 0.23.16: + * proxy: Support C_WaitForSlotEvent() if CKF_DONT_BLOCK is specified [PR#225] + * conf: Ignore user configuration if the program is running as root [PR#226] + * proxy: Refresh slot list on every C_GetSlotList call [PR#224] + * modules: Fix index used in call to p11_dict_remove() [PR#219] + * Fix Win32 p11_dl_error crash [PR#218] + * modules: check gl.modules before iterates on it when freeing [PR#217] + * trust: Ignore unreadable content in anchors [PR#215] + * extract-jks: Prefer _p11_extract_jks_timestamp to SOURCE_DATE_EPOCH [PR#213] +- Changes for version 0.23.15: + * trust: Improve error handling if backed trust file is corrupted [PR#206] + * url: Prefer upper-case letters in hex characters when encoding [PR#193] + * trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time [PR#202] + * virtual: Prefer fixed closures to libffi closures [PR#196] + * Fix issues spotted by coverity and cppcheck [PR#194, PR#204] + * Build and test fixes [PR#164, PR#191, PR#199, PR#201] +- Changes for version 0.23.14: + * proxy: Avoid invalid memory access when unloading proxy module [PR#180] + * Update pkcs11 header to allow SoftHSMv2 to compile [PR#181] + * build: Restore libpthread dependency [PR#183] + * Build fixes [PR#188] +- Changes for version 0.23.13: + * server: Enable socket activation through systemd [PR#173] + * rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules [PR#174] + * proxy: Fail early if there is no slot mapping [PR#175] + * Remove hard dependency on libpthread [PR#177] + * Build fixes [PR#170, PR#176] +- Remove obsolete patches: + * 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch + * 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch + +------------------------------------------------------------------- +Mon Dec 23 11:00:15 UTC 2019 - Ludwig Nussel + +- Also build documentation (boo#1013125) + +------------------------------------------------------------------- +Fri Nov 15 11:02:43 UTC 2019 - Ludwig Nussel + +- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox + detects built in certificates (boo#1154871, + 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch, + 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch) + + +------------------------------------------------------------------- +Fri May 10 09:28:21 UTC 2019 - Dominique Leuenberger + +- Move RPM macros to %_rpmmacrodir. + +------------------------------------------------------------------- +Fri Jun 15 04:09:24 UTC 2018 - fezhang@suse.com + +- New version 0.23.12 + * Fix compile error when PKCS#11 GNU calling convention enabled +- Changelog from version 0.23.11 + * trust: Add extractor for edk2/cacerts.bin + * modules: Add option to control module visibility from proxy + * trust: Prevent trust module being loaded by proxy module + * library: Use dedicated locale object for printing error + * Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly + * Improve const correctness for P11KitUri + * PKCS#11 URI scheme comparison is now case insensitive +- Drop p11-kit-biarch.patch: Obsolete since 0.23.10 + +------------------------------------------------------------------- +Tue Mar 27 08:33:43 UTC 2018 - lnussel@suse.de + +- New version 0.23.10 + * New p11-kit server command + * The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY attribute + * New trust dump command + * New envvar P11_KIT_NO_USER_CONFIG to stop looking at user configurations + * trust: Respect anyExtendedKeyUsage in CA certificates + * Support x-init-reserved argument of C_Initialize() in remote modules + * install private executables in libexecdir, obsoletes p11-kit-biarch.patch +- new server subpackage +- change keyring to new maintainer Daiki Ueno + +- Changes for version 0.23.9 + * Fix p11-kit server regressions [PR#103, PR#104] + * trust: Respect anyExtendedKeyUsage in CA certificates [PR#99] + * Build fixes related to reallocarray [PR#96, PR#98, PR#100] + +- Changes for version 0.23.8 + * Improve vendor query attributes handling in PKCS#11 URI [PR#92] + * Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91] + * New envvar P11_KIT_NO_USER_CONFIG to stop looking at user + configurations [PR#87] + * Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86] + +- Changes for version 0.23.7 + * Fix memory issues with "p11-kit server" [PR#78] + * Build fixes [PR#77 ...] + +- Changes for version 0.23.6 + * Port "p11-kit server" to Windows and portability fixes of the RPC + protocol [PR#67, PR#72, PR#74] + * Recover the old behavior of "trust anchor --remove" [PR#70, PR#71] + * Build fixes [PR#63 ...] + +- Changes for version 0.23.5 + * Fix license notice of common/unix-peer.c [PR#58] + * Remove systemd unit files for now [PR#60] + * Build fixes for FreeBSD [PR#56] + +- Changes for version 0.23.4 + * Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31, + PR#37, PR#52] + * The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY + attribute, used by Firefox [#99453, PR#46] + * Add 'trust dump' command to dump all PKCS#11 objects in the + persistence format [PR#44] + * New experimental 'p11-kit server' command that allows PKCS#11 + forwarding through a Unix domain socket. A client-side module + p11-kit-client.so is also provided [PR#15] + * Add systemd unit files for exporting the proxy module through a + Unix domain socket [PR#35] + * New P11KitIter API to iterate over slots, tokens, and modules in + addition to objects [PR#28] + * libffi dependency is now optional [PR#9] + * Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45] + +- Changes for version 0.23.3 + * Install private executables in libexecdir [fdo#98817] + * Fix link error of proxy module on macOS [fdo#98022] + * Use new PKCS#11 URI specification for URIs [fdo#97245] + * Support x-init-reserved argument of C_Initialize() in remote modules + [fdo#80519] + * Incorporate changes from PKCS#11 2.40 specification + * Bump libtool library version + * Documentation fixes + * Build fixes [fdo#87192 ...] + +------------------------------------------------------------------- +Tue Mar 20 13:26:02 CET 2018 - kukuk@suse.de + +- Use %license instead of %doc [bsc#1082318] + +------------------------------------------------------------------- +Tue Nov 22 14:57:50 CET 2016 - sbrabec@suse.com + +- 32-bit compatibility fixes: + * Add PKCS11 module to p11-kit-32bit (bsc#996047#c39) + * Add p11-kit-nss-trust-32bit NSS module + * Fix potential bi-arch issue with private binaries + (fdo#98817, p11-kit-biarch.patch) + +------------------------------------------------------------------- +Mon Feb 8 21:25:45 UTC 2016 - mpluskal@suse.com + +- Update to 0.23.2 + * Fix forking issues with libffi + * Fix various crashes in corner cases + * Updated translations + * Build fixes +- Make building more verbose +- Enable tests +- Small spec file cleanup with spec-cleaner + +------------------------------------------------------------------- +Sun Mar 8 18:56:55 UTC 2015 - p.drouand@gmail.com + +- Update to version 0.23.1 (stable) + * Use new PKCS#11 URI draft fields for URIs [fdo#86474 fdo#87582] + * Add pem-directory-hash extract format + * Build fixes +- Remove 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff; + fixed on upstream release +- Remove autoconf, automake and libtool require; unneeded dependencies +- Add gtk-doc require; needed to build html documentation +- Remove redundant %clean section + +------------------------------------------------------------------- +Mon Oct 13 16:09:09 UTC 2014 - lnussel@suse.de + +- remove patches: + * trust-Print-label-of-certificate-when-complaining-.patch + * trust-Dont-use-invalid-public-keys-for-looking-up-.patch + +- new version 0.20.7 (stable) + * New public pkcs11x.h header containing extensions [fdo#83495] + * Export necessary defines to lookup attached extensions [fdo#83495] + * Build fixes + +- new version 0.20.6 (stable) + * Make the p11-kit-proxy.so module respect critical = no [fdo#83651] + * Build fix for FreeBSD [fdo#75674] + +- new version 0.20.5 (stable) + * Don't use invalid keys for looking up stapled extensions [fdo#82328] + * Better error messages when invalid certificate extensions + * Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files + * Fix some leaks, and memory issues + * Silence some clang scanner warnings + +- new version 0.20.4 (stable) + * Don't complain about C_Finalize after a fork + * Fix typo + +------------------------------------------------------------------- +Fri Aug 29 06:47:50 UTC 2014 - lnussel@suse.de + +- new version 0.20.3 + * Fix problems reinitializing managed modules after fork + * Fix bad bookeeping when fail initializing one of the modules + * Fix case where module would be unloaded while in use [#74919] + * Remove assertions when module used before initialized [#74919] + * Fix handling of mmap failure and mapping empty files [#74773] + * Stable p11_kit_be_quiet() and p11_kit_be_loud() functions + * Require automake 1.12 or later + * Build fixes for Windows [#76594 #74149] +- apply patches to avoid errors from certificates with invalid public key + (fdo#82328, bnc#890908, + trust-Dont-use-invalid-public-keys-for-looking-up-.patch, + trust-Print-label-of-certificate-when-complaining-.patch) + +------------------------------------------------------------------- +Mon May 19 07:04:38 UTC 2014 - lnussel@suse.de + +- New version 0.20.2 + * Fix bug where blacklist didn't affect extracted ca-anchors if the anchor + and blacklist were not in the same trust path (regression) [fdo#73558] + * Check for race in BasicConstraints stapled extension [fdo#69314] + * Build fixes and cleanup + +------------------------------------------------------------------- +Tue Feb 11 12:53:06 UTC 2014 - meissner@suse.com + +- added .sig file. trying to locate source of the keyring. + +------------------------------------------------------------------- +Fri Dec 6 09:31:32 UTC 2013 - lnussel@suse.de + +- trust: allow to also add openssl style hashes to pem-directory + 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff + +------------------------------------------------------------------- +Tue Sep 10 09:02:33 UTC 2013 - lnussel@suse.de + +- upgrade to 0.20.1 which is 0.19 declared stable + * Extract compat trust data after we've changes + * Skip compat extraction if running as non-root + * Better failure messages when removing anchors + +------------------------------------------------------------------- +Fri Aug 30 12:33:32 UTC 2013 - lnussel@suse.de + +- new version 0.19.4 + * 'trust anchor' now adds/removes certificate anchors + * 'trust list' lists trust policy stuff + * 'p11-kit extract' is now 'trust extract' + * 'p11-kit extract-trust' is now 'trust extract-compat' + * Workarounds for working on broken zfsonlinux.org [#68525] + * Add --with-module-config parameter to the configure script [#68122] + * Add support for removing stored PKCS#11 objects in trust module + +------------------------------------------------------------------- +Thu Jul 25 09:06:51 UTC 2013 - lnussel@suse.de + +- new version 0.19.3 + * Fix up problems with automake testing + * Fix a bunch of memory leaks in newly refactored code + * Don't use _GNU_SOURCE and the unportability it brings + * Add basic 'trust anchor' command to store a new anchor + * Support for writing out trust token objects + * Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec + * Add option to use freebl for hashing + * Implement reloading of token data + * Fix warnings and possible minor bugs higlighted by code scanners + * Don't load configs in home directories when running setuid or setgid + * Support treating ~/.config as $XDG_CONFIG_HOME + * Use $XDG_DATA_HOME/pkcs11 as default user config directory + * Use $TMPDIR instead of $TEMP while testing + * Open files and fds with O_CLOEXEC + * Abort initialization if a critical module fails to load + * Don't use thread-unsafe functions: strerror, getpwuid + * Fix p11_kit_space_strlen() result when empty string + * Refactoring of where various components live + +------------------------------------------------------------------- +Fri Jul 5 08:09:46 UTC 2013 - lnussel@suse.de + +- fix 32bit provides of libnssckbi.so +- repace p11-kit-extract-trust with update-ca-certificates + +------------------------------------------------------------------- +Fri Jun 28 09:30:03 UTC 2013 - lnussel@suse.de + +- provide libnssckbi.so to replace mozilla-nss-certs + +------------------------------------------------------------------- +Mon Jun 24 13:08:21 UTC 2013 - lnussel@suse.de + +- add p11-kit-nss-trust subpackage that serves as drop-in + replacement for mozilla-nss-certs + +------------------------------------------------------------------- +Wed Jun 19 09:24:45 UTC 2013 - lnussel@suse.de + +- use /etc/pki/trust and /usr/share/pki/trust as system CA + certificate store + +------------------------------------------------------------------- +Mon May 27 14:40:57 UTC 2013 - dimstar@opensuse.org + +- Update to version 0.19.1: + + Refactor API to be able to handle managed modules. + + Deprecate much of old p11-kit API. + + Implement concept of managed modules. + + Make C_CloseAllSessions function work for multiple callers. + + New dependency on libffi. + + Fix possible threading problems reported by hellgrind. + + Add log-calls option. + + Mark p11_kit_message() as a stable function. + + Use our own unit testing framework. +- Add pkgconfig(libffi) BuildRequires: new dependency. + +------------------------------------------------------------------- +Tue May 14 18:27:52 UTC 2013 - dimstar@opensuse.org + +- Update to version 0.18.2: + + Build fixes (fdo#64378) + +------------------------------------------------------------------- +Mon May 13 21:13:20 UTC 2013 - dimstar@opensuse.org + +- Also provide p11-kit-32bit (in fact, the pkcs#11 modules) + (bnc#819246). + +------------------------------------------------------------------- +Mon Apr 15 18:46:10 UTC 2013 - dimstar@opensuse.org + +- Update to version 0.18.1: + + Put the external tools in $libdir/p11-kit. + + Documentation build fixes. + +------------------------------------------------------------------- +Thu Apr 4 13:34:40 UTC 2013 - dimstar@opensuse.org + +- Update to version 0.18.0: + + Fix use of trust module with gcr and empathy (fdo#62896). + + Further tweaks to trust module date parsing. + + Fix unaligned memory reads (fdo#62819). + + Win32 fixes (fdo#63062, fdo#63046). + + Debug and logging tweaks (fdo#62874). + + Other build fixes. + +------------------------------------------------------------------- +Thu Mar 28 21:42:55 UTC 2013 - zaitor@opensuse.org + +- Update to version 0.17.5: + + Don't try to guess at overflowing time values on 32-bit + systems (fdo#62825). + + Test fixes (fdo#927394). + +------------------------------------------------------------------- +Thu Mar 21 08:10:37 UTC 2013 - dimstar@opensuse.org + +- Update to version 0.17.4: + + Check for duplicate certificates in a token, warn and discard + (fdo#62548). + + Implement a proper index so we have decent load performance. + +------------------------------------------------------------------- +Wed Mar 20 19:09:13 UTC 2013 - dimstar@opensuse.org + +- Update to version 0.17.3: + + Use descriptive labels for the trust module tokens (fdo#62534). + + Remove the temporary built in distrust objects. + + Make extracted output directories and files read-only + (fdo#61898). + + Don't export unneccessary ABI. + + Build fixes (fdo#62479). + +------------------------------------------------------------------- +Tue Mar 19 20:39:24 UTC 2013 - dimstar@opensuse.org + +- Update to version 0.17.2: + + Fix build on 32-bit linux. + + Fix several crashers. +- Changes from version 0.17.1: + + Support a p11-kit specific PKCS#11 attribute persistance format + (fdo#62156). + + Use the SHA1 hash of SPKI as the CKA_ID in the trust module by + default (fdo#62329). + + Refactor a trust builder which builds objects out of parsed + data (fdo#62329). + + Combine trust policy when extracting certificates (fdo#61497). + + The extract --comment option adds comments to PEM bundles + (fdo#62029). + + A new 'priority' config option for ordering modules + (fdo#61978). + + Make each configured path its own trust module token + (fdo#61499). + + Use --with-trust-paths to configure trust module (fdo#62327). + + Fix bug decoding some PEM files. + + Better debug output for trust module lookups. + + Work around bug in NSS when doing serial number lookups. + + Work around broken strndup() function in firefox. + + Fix the nickname for the distrusted attribute. + + Build fixes. +- Add ca-certificates BuildRequires: needed to find the location of + the root certificates. + +------------------------------------------------------------------- +Thu Mar 14 12:26:18 UTC 2013 - dimstar@opensuse.org + +- Update to version 0.16.4: + + Display per command help again (fdo#62153). + + Don't always print tools debug output (fdo#62152). +- Changes from version 0.16.3: + + When iterating don't skip tokens without the + CKF_TOKEN_INITIALIZED flag. + + Hardcode some distrust records for NSS temporarily. + + Parse global options better in the p11-kit command. + + Better debugging. +- Changes from version 0.16.2: + + Fix regression in 'p11-kit extract --purpose' option + (fdo#62009) + + Documentation updates + + Build fixes (fdo#62001). +- Changes from version 0.16.1: + + Don't break when cA field of BasicConstraints is missing + (fdo#61975). + + Documentation fixes and updates. + + p11-kit extract-trust is a placeholder script now. + +------------------------------------------------------------------- +Tue Mar 5 13:36:20 UTC 2013 - dimstar@opensuse.org + +- Update to version 0.16.0: + + Update the pkcs11.h header for new mechanisms + + Fix build and tests on mingw64 (ie: win32) + + Relicense LGPL code to BSD license + + Documentation tweaks + + Bugs fixed: fdo#61739, fdo#60894, fdo#61740, fdo#60792 + + Updated translations. +- Changes from version 0.15.2: + + Better define the libtasn1 dependency. + + Crasher and bug fixes. + + Build fixes. + + Updated translations. +- Changes from version 0.15.1: + + Fix some memory leaks. + + Add a location for packages to drop module configs. + + Documentation updates and fixes. + + Add command line tool manual page. + + Remove unused err() function and friends. + + Move more code into common/ directory and refactor. + + Add a system trust policy module. + + Refactor how the p11-kit command line tool works. + + Add p11-kit extract and extract-trust commands. + + Don't complain if we cannot access ~/.pkcs11/pkcs11.conf. + + Refuse to load the p11-kit-proxy.so as a registered module. + + Don't fail initialization if last initialized module fails. + +------------------------------------------------------------------- +Fri Sep 7 11:04:40 UTC 2012 - dimstar@opensuse.org + +- Update to version 0.14: + + Change default for user-config to merge + + Always URI-encode the 'id' attribute in PKCS#11 URIs + + Expect a .module extension on module configs + + Windows compatibility fixes + + Testing fixes + + Build fixes + +------------------------------------------------------------------- +Mon Jul 23 06:26:02 UTC 2012 - zaitor@opensuse.org + +- Update to version 0.13: + + Don't allow reading of PIN files larger than 4096 bytes + + If a module is not marked as critical then ignore init failure + + Use preconditions to check for input problems and out of memory + + Add enable-in and disable-in options to module config + + Fix the flags in pin.h + + Use gcc extensions to check varargs during compile + + Fix crasher when a duplicate module is present + + Fix broken hashmap behavior + + Testing fixes + + Win32 build fixes + + 'p11-kit -h' now works + + Documentation fixes + +------------------------------------------------------------------- +Fri Mar 9 19:37:44 UTC 2012 - dimstar@opensuse.org + +- Update to version 0.12: + + Build fix. + +------------------------------------------------------------------- +Fri Feb 10 08:05:27 UTC 2012 - vuntz@opensuse.org + +- Update to version 0.11: + + Remove automatic reinitialization of PKCS#11 after fork + +------------------------------------------------------------------- +Wed Jan 4 09:08:59 UTC 2012 - vuntz@opensuse.org + +- Update to version 0.10: + + Build fixes, for windows, gcc 4.6.1. + +------------------------------------------------------------------- +Tue Nov 15 10:18:49 UTC 2011 - dimstar@opensuse.org + +- Update to version 0.9: + + p11-kit can't be used as a static library. + + Fix problems crashing when freeing TLS on windows. + + Add debug output to windows init and uninit of library. + +.Build fixes, especially for windows + +------------------------------------------------------------------- +Thu Oct 27 21:53:33 UTC 2011 - dimstar@opensuse.org + +- Update to version 0.8: + + Rename non-static functions to have a _p11_xxx prefix + + No concurrent calling of C_Initialize and C_Finalize + + Print more information in 'p11-kit -l' + + Initial port to win32 + + Build and testing fixes. + +------------------------------------------------------------------- +Tue Sep 27 19:24:59 UTC 2011 - vuntz@opensuse.org + +- Update to version 0.7: + + Expand p11-kit config variables correctly in various build + scenarios + + Add test tool to print out error messages + + Build fix on FreeBSD + +------------------------------------------------------------------- +Thu Sep 15 05:02:07 UTC 2011 - vuntz@opensuse.org + +- Update to version 0.6: + + Add concept of a default module directory from which modules + with relative paths are loaded. + + Renamed pkg-config variables to make it clearer what's what. + +------------------------------------------------------------------- +Fri Sep 2 08:20:47 UTC 2011 - vuntz@opensuse.org + +- Update to version 0.5: + + Fix crasher in p11_kit_registered_modules() + + Add 'critical' setting for modules, which defaults to 'no' + + Fix initialization issues in the proxy module + +------------------------------------------------------------------- +Fri Aug 19 19:37:44 CEST 2011 - dimstar@opensuse.org + +- Update to version 0.4: + + Fix endless loop if module forks during initialization + + Update PKCS#11 URI code for new draft of spec + + Don't fail when duplicate modules are configured + + Better debug output + + Add example configuration documentation + + Support whitespace in PKCS#11 URIs +- Move the p11-kit.conf.example to the doc folder. + +------------------------------------------------------------------- +Sat Jul 30 15:04:36 CEST 2011 - vuntz@opensuse.org + +- Update to version 0.3: + + Rewrite hash table, and simplify licensing. + + Correct paths for p11-kit config files. + + Many build fixes and tweaks. +- Remove Apache-2 part from License tag, as the code was rewritten. + +------------------------------------------------------------------- +Mon Jul 25 15:35:57 CEST 2011 - vuntz@opensuse.org + +- Initial package (version 0.2). + diff --git a/p11-kit.keyring b/p11-kit.keyring new file mode 100644 index 0000000..c3d2b3b Binary files /dev/null and b/p11-kit.keyring differ diff --git a/p11-kit.spec b/p11-kit.spec new file mode 100644 index 0000000..042e36d --- /dev/null +++ b/p11-kit.spec @@ -0,0 +1,210 @@ +# +# spec file for package p11-kit +# +# Copyright (c) 2023 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define pkidir_cfg %{_sysconfdir}/pki +%define pkidir_static %{_datadir}/pki +%define trustdir_cfg %{pkidir_cfg}/trust +%define trustdir_static %{pkidir_static}/trust +Name: p11-kit +Version: 0.25.3 +Release: 0 +Summary: Library to work with PKCS#11 modules +License: BSD-3-Clause +Group: Development/Libraries/C and C++ +URL: https://p11-glue.freedesktop.org/p11-kit.html +Source0: https://github.com/p11-glue/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz +Source1: https://github.com/p11-glue/%{name}/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig +Source98: https://p11-glue.github.io/p11-glue/%{name}/%{name}-release-keyring.gpg#/%{name}.keyring +Source99: baselibs.conf +BuildRequires: gtk-doc +%if 0%{?suse_version} >= 1600 +BuildRequires: libtasn1-tools +%else +BuildRequires: libtasn1 +%endif +BuildRequires: meson >= 0.59.0 +BuildRequires: pkgconfig +BuildRequires: pkgconfig(libffi) >= 3.0.0 +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(libtasn1) >= 2.3 +BuildRequires: pkgconfig(systemd) + +%description +p11-kit provides a way to load and enumerate PKCS#11 modules, as well +as a standard configuration setup for installing PKCS#11 modules in +such a way that they're discoverable. + +%package -n libp11-kit0 +Summary: Library to work with PKCS#11 modules +Group: System/Libraries +Conflicts: p11-kit < %{version}-%{release} + +%description -n libp11-kit0 +p11-kit provides a way to load and enumerate PKCS#11 modules, as well +as a standard configuration setup for installing PKCS#11 modules in +such a way that they're discoverable. + +%package tools +Summary: Library to work with PKCS#11 modules -- Tools +Group: Development/Libraries/C and C++ +Conflicts: p11-kit < %{version}-%{release} + +%description tools +p11-kit provides a way to load and enumerate PKCS#11 modules, as well +as a standard configuration setup for installing PKCS#11 modules in +such a way that they're discoverable. + +%package devel +Summary: Library to work with PKCS#11 modules -- Development Files +Group: Development/Libraries/C and C++ +Requires: libp11-kit0 = %{version} + +%description devel +p11-kit provides a way to load and enumerate PKCS#11 modules, as well +as a standard configuration setup for installing PKCS#11 modules in +such a way that they're discoverable. + +%package nss-trust +Summary: Adaptor to make NSS read the p11-kit trust store +Group: Productivity/Networking/Security +Requires: p11-kit = %{version} +Conflicts: mozilla-nss-certs +%if "%{_lib}" == "lib64" +Provides: libnssckbi.so()(64bit) +%else +Provides: libnssckbi.so +%endif + +%description nss-trust +Adaptor library to make NSS read the p11-kit trust store. It has +to be installed intead of mozilla-nss-certs. + +%package server +Summary: Server and client commands for p11-kit +Group: Development/Libraries/C and C++ +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description server +Command line tools that enable to export PKCS#11 modules through a +Unix domain socket. Note that this feature is still experimental. + +%prep +%autosetup -p1 + +%build +%meson -Dtrust_paths=%{trustdir_cfg}:%{trustdir_static} \ + -Dbash_completion=disabled \ + -Dgtk_doc=true -Dman=true +%meson_build + +%install +%meson_install +# +install -d m 755 %{buildroot}%{trustdir_cfg}/{anchors,blocklist} +install -d m 755 %{buildroot}%{trustdir_static}/{anchors,blocklist} +# Create pkcs11 config directory +test ! -e %{buildroot}%{_sysconfdir}/pkcs11/modules +install -d %{buildroot}%{_sysconfdir}/pkcs11/modules +# Remove sample config away to doc folder. Having the sample there would conflict +# with future versions of the library on file level. As replacement, we package +# the file as documentation file. +install -d m 755 %{buildroot}%{_docdir}/libp11-kit0 +mv %{buildroot}%{_sysconfdir}/pkcs11/pkcs11.conf.example %{buildroot}%{_docdir}/libp11-kit0 +find %{buildroot} -type f -name "*.la" -delete -print +# +install -d -m 755 %{buildroot}%{_rpmmacrodir} +cat <<'FIN' >%{buildroot}%{_rpmmacrodir}/macros.%{name} +# Macros from p11-kit package +%%pkidir_cfg %{pkidir_cfg} +%%pkidir_static %{pkidir_static} +%%trustdir_cfg %{trustdir_cfg} +%%trustdir_static %{trustdir_static} +FIN +# +# nss compat lib +ln -s %{_libdir}/pkcs11/p11-kit-trust.so %{buildroot}%{_libdir}/libnssckbi.so +# +# call update-ca-certificates when trust changes +rm %{buildroot}%{_libexecdir}/%{name}/trust-extract-compat +ln -s ../../sbin/update-ca-certificates %{buildroot}%{_libexecdir}/%{name}/p11-kit-extract-trust +export NO_BRP_STALE_LINK_ERROR=yes # *grr* +%find_lang %{name} + +%if !0%{?qemu_user_space_build} +%check +%meson_test +%endif + +%post -n libp11-kit0 -p /sbin/ldconfig +%postun -n libp11-kit0 -p /sbin/ldconfig + +%files -f %{name}.lang +%dir %{_libdir}/pkcs11 +%dir %{_datadir}/%{name} +%dir %{_datadir}/%{name}/modules +%dir %{pkidir_cfg} +%dir %{trustdir_cfg} +%dir %{trustdir_cfg}/anchors +%dir %{trustdir_cfg}/blocklist +%dir %{pkidir_static} +%dir %{trustdir_static} +%dir %{trustdir_static}/anchors +%dir %{trustdir_static}/blocklist +%{_datadir}/%{name}/modules/p11-kit-trust.module +%{_libdir}/pkcs11/p11-kit-trust.so +%dir %{_libexecdir}/%{name} +%{_libexecdir}/%{name}/p11-kit-remote +%{_libexecdir}/%{name}/p11-kit-extract-trust + +%files -n libp11-kit0 +%license COPYING +# Package the example conf file as documentation. Like this we're sure that we will +# not introduce conflicts with this version of the library and future ones. +%doc pkcs11.conf.example +%doc AUTHORS ChangeLog NEWS README +%dir %{_sysconfdir}/pkcs11 +%dir %{_sysconfdir}/pkcs11/modules/ +%{_libdir}/libp11-kit.so.* +%{_libdir}/p11-kit-proxy.so + +%files tools +%{_bindir}/p11-kit +%{_bindir}/trust +%{_mandir}/man1/trust.1%{?ext_man} +%{_mandir}/man5/pkcs11.conf.5%{?ext_man} +%{_mandir}/man8/p11-kit.8%{?ext_man} + +%files devel +%{_rpmmacrodir}/macros.%{name} +%{_includedir}/p11-kit-1/ +%{_libdir}/libp11-kit.so +%{_libdir}/pkgconfig/p11-kit-1.pc +%doc %dir %{_datadir}/gtk-doc +%doc %dir %{_datadir}/gtk-doc/html +%doc %{_datadir}/gtk-doc/html/p11-kit/ + +%files nss-trust +%{_libdir}/libnssckbi.so + +%files server +%{_libdir}/pkcs11/p11-kit-client.so +%{_libexecdir}/p11-kit/p11-kit-server +%{_userunitdir}/p11-kit-server.service +%{_userunitdir}/p11-kit-server.socket + +%changelog