From b909077196a66856298b9fd88f6984de1d3bc79663a6c388bc24f1f82ac9d96c Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Fri, 6 Dec 2013 12:41:11 +0000
Subject: [PATCH] Accepting request 209621 from home:lnussel:branches:Base:System

- trust: allow to also add openssl style hashes to pem-directory
  0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff

OBS-URL: https://build.opensuse.org/request/show/209621
OBS-URL: https://build.opensuse.org/package/show/Base:System/p11-kit?expand=0&rev=9
---
 ...lso-add-openssl-style-hashes-to-pem-d.diff | 222 ++++++++++++++++++
 p11-kit.changes | 6 +
 p11-kit.spec | 9 +
 3 files changed, 237 insertions(+)
 create mode 100644 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff

diff --git a/0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff b/0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
new file mode 100644
index 0000000..133d22f
--- /dev/null
+++ b/0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
@@ -0,0 +1,222 @@
+From a7f02ca0a88019da353381a25d2e7c42150abb39 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Fri, 6 Dec 2013 10:00:32 +0100
+Subject: [PATCH] trust: allow to also add openssl style hashes to
+ pem-directory
+
+For backward compatibility with older openssl and other libs like
+gnutls /etc/ssl/certs needs to be created as pem-directory rather
+than openssl-directory on openSUSE. Therefore also allow to install
+openssl style hashes there to avoid having to call c_rehash with a
+script.
+---
+ trust/extract-openssl.c | 76 ++++++++++++++++++++++++++-----------------------
+ trust/extract-pem.c | 26 +++++++++++++----
+ trust/extract.c | 1 +
+ trust/extract.h | 5 ++++
+ trust/tests/Makefile.am | 1 +
+ 5 files changed, 69 insertions(+), 40 deletions(-)
+
+diff --git a/trust/extract-openssl.c b/trust/extract-openssl.c
+index 912c90d..16e12fd 100644
+--- a/trust/extract-openssl.c
++++ b/trust/extract-openssl.c
+@@ -587,6 +587,46 @@ symlink_for_subject_old_hash (p11_enumerate *ex)
+ 
+ #endif /* OS_UNIX */
+ 
++
++/*
++ * The OpenSSL style c_rehash stuff
++ *
++ * Different versions of openssl build these hashes differently
++ * so output both of them. Shouldn't cause confusion, because
++ * multiple certificates can hash to the same link anyway,
++ * and this is the reason for the trailing number after the dot.
++ *
++ * The trailing number is incremented p11_save_symlink_in() if it
++ * conflicts with something we've already written out.
++ *
++ * On Windows no symlinks.
++ */
++ bool
++ p11_openssl_symlink (p11_enumerate *ex,
++ p11_save_dir *dir,
++ const char *filename)
++ {
++ bool ret = true;
++#ifdef OS_UNIX
++ char *linkname;
++
++ linkname = symlink_for_subject_hash (ex);
++ if (linkname) {
++ ret = p11_save_symlink_in (dir, linkname, ".0", filename);
++ free (linkname);
++ }
++
++ if (ret) {
++ linkname = symlink_for_subject_old_hash (ex);
++ if (linkname) {
++ ret = p11_save_symlink_in (dir, linkname, ".0", filename);
++ free (linkname);
++ }
++ }
++#endif /* OS_UNIX */
++ return ret;
++}
++
+ bool
+ p11_extract_openssl_directory (p11_enumerate *ex,
+ const char *destination)
+@@ -601,10 +641,6 @@ p11_extract_openssl_directory (p11_enumerate *ex,
+ char *name;
+ CK_RV rv;
+ 
+-#ifdef OS_UNIX
+- char *linkname;
+-#endif
+-
+ dir = p11_save_open_directory (destination, ex->flags);
+ if (dir == NULL)
+ return false;
+@@ -638,37 +674,7 @@ p11_extract_openssl_directory (p11_enumerate *ex,
+ filename = p11_path_base (path);
+ }
+ 
+- /*
+- * The OpenSSL style c_rehash stuff
+- *
+- * Different versions of openssl build these hashes differently
+- * so output both of them. Shouldn't cause confusion, because
+- * multiple certificates can hash to the same link anyway,
+- * and this is the reason for the trailing number after the dot.
+- *
+- * The trailing number is incremented p11_save_symlink_in() if it
+- * conflicts with something we've already written out.
+- *
+- * On Windows no symlinks.
+- */
+-
+-#ifdef OS_UNIX
+- if (ret) {
+- linkname = symlink_for_subject_hash (ex);
+- if (linkname) {
+- ret = p11_save_symlink_in (dir, linkname, ".0", filename);
+- free (linkname);
+- }
+- }
+-
+- if (ret) {
+- linkname = symlink_for_subject_old_hash (ex);
+- if (linkname) {
+- ret = p11_save_symlink_in (dir, linkname, ".0", filename);
+- free (linkname);
+- }
+- }
+-#endif /* OS_UNIX */
++ ret = p11_openssl_symlink(ex, dir, filename);
+ 
+ free (filename);
+ free (path);
+diff --git a/trust/extract-pem.c b/trust/extract-pem.c
+index 1e1c857..04dc600 100644
+--- a/trust/extract-pem.c
++++ b/trust/extract-pem.c
+@@ -42,6 +42,7 @@
+ #include "message.h"
+ #include "pem.h"
+ #include "save.h"
++#include "path.h"
+ 
+ #include 
+ 
+@@ -107,6 +108,8 @@ p11_extract_pem_directory (p11_enumerate *ex,
+ p11_buffer buf;
+ bool ret = true;
+ char *filename;
++ char *path;
++ char *name;
+ CK_RV rv;
+ 
+ dir = p11_save_open_directory (destination, ex->flags);
+@@ -121,14 +124,27 @@ p11_extract_pem_directory (p11_enumerate *ex,
+ if (!p11_pem_write (ex->cert_der, ex->cert_len, "CERTIFICATE", &buf))
+ return_val_if_reached (false);
+ 
+- filename = p11_enumerate_filename (ex);
+- return_val_if_fail (filename != NULL, false);
++ name = p11_enumerate_filename (ex);
++ return_val_if_fail (name != NULL, false);
+ 
+- file = p11_save_open_file_in (dir, filename, ".pem");
+- free (filename);
++ path = NULL;
+ 
+- ret = p11_save_write_and_finish (file, buf.data, buf.len);
++ file = p11_save_open_file_in (dir, name, ".pem");
+ 
++ ret = p11_save_write (file, buf.data, buf.len);
++
++ if (!p11_save_finish_file (file, &path, ret))
++ ret = false;
++
++ /* XXX: getenv is a hack here, any better idea? */
++ if (ret && getenv("P11_KIT_PEMDIR_HASH")) {
++ filename = p11_path_base (path);
++ ret = p11_openssl_symlink(ex, dir, filename);
++ free (filename);
++ }
++
++ free (path);
++ free (name);
+ if (!ret)
+ break;
+ }
+diff --git a/trust/extract.c b/trust/extract.c
+index 1a38f11..1a23967 100644
+--- a/trust/extract.c
++++ b/trust/extract.c
+@@ -46,6 +46,7 @@
+ #include "pkcs11x.h"
+ #include "save.h"
+ #include "tool.h"
++#include "digest.h"
+ 
+ #include 
+ #include 
+diff --git a/trust/extract.h b/trust/extract.h
+index ca14238..d2e58c3 100644
+--- a/trust/extract.h
++++ b/trust/extract.h
+@@ -39,6 +39,7 @@
+ 
+ #include "enumerate.h"
+ #include "pkcs11.h"
++#include "save.h"
+ 
+ enum {
+ /* These overlap with the flags in save.h, so start higher */
+@@ -75,4 +76,8 @@ int p11_trust_extract (int argc,
+ int p11_trust_extract_compat (int argc,
+ char *argv[]);
+ 
++/* from extract-openssl.c but also used in extract-pem.c */
++bool p11_openssl_symlink (p11_enumerate *ex,
++ p11_save_dir *dir,
++ const char *filename);
+ #endif /* P11_EXTRACT_H_ */
+diff --git a/trust/tests/Makefile.am b/trust/tests/Makefile.am
+index e53a6ae..6d81363 100644
+--- a/trust/tests/Makefile.am
++++ b/trust/tests/Makefile.am
+@@ -105,6 +105,7 @@ test_bundle_SOURCES = \
+ test-bundle.c \
+ $(TRUST)/enumerate.c \
+ $(TRUST)/extract-pem.c \
++ $(TRUST)/extract-openssl.c \
+ $(TRUST)/save.c \
+ $(NULL)
+ 
+-- 
+1.8.1.4
+
diff --git a/p11-kit.changes b/p11-kit.changes
index 9753345..e9dbb93 100644
--- a/p11-kit.changes
+++ b/p11-kit.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Dec 6 09:31:32 UTC 2013 - lnussel@suse.de
+
+- trust: allow to also add openssl style hashes to pem-directory
+  0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
+
 -------------------------------------------------------------------
 Tue Sep 10 09:02:33 UTC 2013 - lnussel@suse.de
 
diff --git a/p11-kit.spec b/p11-kit.spec
index 14e9cff..8e7499b 100644
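Review bot: The new line `ret = p11_openssl_symlink(ex, dir, filename);` in p11_extract_openssl_directory drops the `if (ret)` guard that the removed block had, so the symlink step now runs even after p11_save_finish_file reported a failed .pem write, and its return value replaces that failure. The surrounding context shows `filename = p11_path_base (path);` being assigned inside a conditional, so on the failure path filename is presumably still unset or NULL when it is handed to the helper; restoring the guard as `if (ret) ret = p11_openssl_symlink (ex, dir, filename);` keeps the previous behaviour. The new call in p11_extract_pem_directory is guarded by `if (ret && getenv("P11_KIT_PEMDIR_HASH"))`, which is fine, but an environment variable that silently changes what the extract tool writes into the destination directory deserves at least a mention in the tool's usage text, or better a command-line option, which would also resolve the XXX comment. Both enclosing functions begin and end outside the visible hunk context.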
--- a/p11-kit.spec
+++ b/p11-kit.spec
@@ -30,6 +30,12 @@ Group: Development/Libraries/C and C++
 Url: http://p11-glue.freedesktop.org/p11-kit.html
 Source0: http://p11-glue.freedesktop.org/releases/%{name}-%{version}.tar.gz
 Source99: baselibs.conf
+# patch proposed upstream. If it gets rejected, need to implement
+# this in ca-certificates.
+Patch0: 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
 BuildRequires: pkg-config
 BuildRequires: pkgconfig(libffi) >= 3.0.0
 BuildRequires: pkgconfig(libtasn1) >= 2.3
@@ -85,8 +91,11 @@ to be installed intead of mozilla-nss-certs.
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
+# just because of patch0
+autoreconf -f -i
 %configure %--with-trust-paths=%{trustdir_cfg}:%{trustdir_static}
 make %{?_smp_mflags} -C trust asn
 make %{?_smp_mflags}