Accepting request 209621 from home:lnussel:branches:Base:System

- trust: allow to also add openssl style hashes to pem-directory
  0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff

OBS-URL: https://build.opensuse.org/request/show/209621
OBS-URL: https://build.opensuse.org/package/show/Base:System/p11-kit?expand=0&rev=9
Ludwig Nussel 2013-12-06 12:41:11 +00:00 committed by Git OBS Bridge
parent d985fe3e15
commit b909077196
3 changed files with 237 additions and 0 deletions


@ -0,0 +1,222 @@
From a7f02ca0a88019da353381a25d2e7c42150abb39 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Fri, 6 Dec 2013 10:00:32 +0100
Subject: [PATCH] trust: allow to also add openssl style hashes to
pem-directory
For backward compatibility with older openssl and other libs like
gnutls /etc/ssl/certs needs to be created as pem-directory rather
than openssl-directory on openSUSE. Therefore also allow to install
openssl style hashes there to avoid having to call c_rehash with a
script.
---
trust/extract-openssl.c | 76 ++++++++++++++++++++++++++-----------------------
trust/extract-pem.c | 26 +++++++++++++----
trust/extract.c | 1 +
trust/extract.h | 5 ++++
trust/tests/Makefile.am | 1 +
5 files changed, 69 insertions(+), 40 deletions(-)
diff --git a/trust/extract-openssl.c b/trust/extract-openssl.c
index 912c90d..16e12fd 100644
--- a/trust/extract-openssl.c
+++ b/trust/extract-openssl.c
@@ -587,6 +587,46 @@ symlink_for_subject_old_hash (p11_enumerate *ex)
#endif /* OS_UNIX */
+
+/*
+ * The OpenSSL style c_rehash stuff
+ *
+ * Different versions of openssl build these hashes differently
+ * so output both of them. Shouldn't cause confusion, because
+ * multiple certificates can hash to the same link anyway,
+ * and this is the reason for the trailing number after the dot.
+ *
+ * The trailing number is incremented p11_save_symlink_in() if it
+ * conflicts with something we've already written out.
+ *
+ * On Windows no symlinks.
+ */
+bool
+p11_openssl_symlink (p11_enumerate *ex,
+ p11_save_dir *dir,
+ const char *filename)
+{
+ bool ret = true;
+#ifdef OS_UNIX
+ char *linkname;
+
+ linkname = symlink_for_subject_hash (ex);
+ if (linkname) {
+ ret = p11_save_symlink_in (dir, linkname, ".0", filename);
+ free (linkname);
+ }
+
+ if (ret) {
+ linkname = symlink_for_subject_old_hash (ex);
+ if (linkname) {
+ ret = p11_save_symlink_in (dir, linkname, ".0", filename);
+ free (linkname);
+ }
+ }
+#endif /* OS_UNIX */
+ return ret;
+}
+
bool
p11_extract_openssl_directory (p11_enumerate *ex,
const char *destination)
@@ -601,10 +641,6 @@ p11_extract_openssl_directory (p11_enumerate *ex,
char *name;
CK_RV rv;
-#ifdef OS_UNIX
- char *linkname;
-#endif
-
dir = p11_save_open_directory (destination, ex->flags);
if (dir == NULL)
return false;
@@ -638,37 +674,7 @@ p11_extract_openssl_directory (p11_enumerate *ex,
filename = p11_path_base (path);
}
- /*
- * The OpenSSL style c_rehash stuff
- *
- * Different versions of openssl build these hashes differently
- * so output both of them. Shouldn't cause confusion, because
- * multiple certificates can hash to the same link anyway,
- * and this is the reason for the trailing number after the dot.
- *
- * The trailing number is incremented p11_save_symlink_in() if it
- * conflicts with something we've already written out.
- *
- * On Windows no symlinks.
- */
-
-#ifdef OS_UNIX
- if (ret) {
- linkname = symlink_for_subject_hash (ex);
- if (linkname) {
- ret = p11_save_symlink_in (dir, linkname, ".0", filename);
- free (linkname);
- }
- }
-
- if (ret) {
- linkname = symlink_for_subject_old_hash (ex);
- if (linkname) {
- ret = p11_save_symlink_in (dir, linkname, ".0", filename);
- free (linkname);
- }
- }
-#endif /* OS_UNIX */
+ ret = p11_openssl_symlink(ex, dir, filename);
free (filename);
free (path);
diff --git a/trust/extract-pem.c b/trust/extract-pem.c
index 1e1c857..04dc600 100644
--- a/trust/extract-pem.c
+++ b/trust/extract-pem.c
@@ -42,6 +42,7 @@
#include "message.h"
#include "pem.h"
#include "save.h"
+#include "path.h"
#include <stdlib.h>
@@ -107,6 +108,8 @@ p11_extract_pem_directory (p11_enumerate *ex,
p11_buffer buf;
bool ret = true;
char *filename;
+ char *path;
+ char *name;
CK_RV rv;
dir = p11_save_open_directory (destination, ex->flags);
@@ -121,14 +124,27 @@ p11_extract_pem_directory (p11_enumerate *ex,
if (!p11_pem_write (ex->cert_der, ex->cert_len, "CERTIFICATE", &buf))
return_val_if_reached (false);
- filename = p11_enumerate_filename (ex);
- return_val_if_fail (filename != NULL, false);
+ name = p11_enumerate_filename (ex);
+ return_val_if_fail (name != NULL, false);
- file = p11_save_open_file_in (dir, filename, ".pem");
- free (filename);
+ path = NULL;
- ret = p11_save_write_and_finish (file, buf.data, buf.len);
+ file = p11_save_open_file_in (dir, name, ".pem");
+ ret = p11_save_write (file, buf.data, buf.len);
+
+ if (!p11_save_finish_file (file, &path, ret))
+ ret = false;
+
+ /* XXX: getenv is a hack here, any better idea? */
+ if (ret && getenv("P11_KIT_PEMDIR_HASH")) {
+ filename = p11_path_base (path);
+ ret = p11_openssl_symlink(ex, dir, filename);
+ free (filename);
+ }
+
+ free (path);
+ free (name);
if (!ret)
break;
}
diff --git a/trust/extract.c b/trust/extract.c
index 1a38f11..1a23967 100644
--- a/trust/extract.c
+++ b/trust/extract.c
@@ -46,6 +46,7 @@
#include "pkcs11x.h"
#include "save.h"
#include "tool.h"
+#include "digest.h"
#include <assert.h>
#include <ctype.h>
diff --git a/trust/extract.h b/trust/extract.h
index ca14238..d2e58c3 100644
--- a/trust/extract.h
+++ b/trust/extract.h
@@ -39,6 +39,7 @@
#include "enumerate.h"
#include "pkcs11.h"
+#include "save.h"
enum {
/* These overlap with the flags in save.h, so start higher */
@@ -75,4 +76,8 @@ int p11_trust_extract (int argc,
int p11_trust_extract_compat (int argc,
char *argv[]);
+/* from extract-openssl.c but also used in extract-pem.c */
+bool p11_openssl_symlink (p11_enumerate *ex,
+ p11_save_dir *dir,
+ const char *filename);
#endif /* P11_EXTRACT_H_ */
diff --git a/trust/tests/Makefile.am b/trust/tests/Makefile.am
index e53a6ae..6d81363 100644
--- a/trust/tests/Makefile.am
+++ b/trust/tests/Makefile.am
@@ -105,6 +105,7 @@ test_bundle_SOURCES = \
test-bundle.c \
$(TRUST)/enumerate.c \
$(TRUST)/extract-pem.c \
+ $(TRUST)/extract-openssl.c \
$(TRUST)/save.c \
$(NULL)
--
1.8.1.4
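Review bot: The `if (ret)` guard that used to precede the symlink creation is dropped at the new call `ret = p11_openssl_symlink(ex, dir, filename);` in p11_extract_openssl_directory, so the call now runs even when writing the certificate file failed; if the block just above assigns `filename` only on success (the closing brace before the call suggests it does), the helper is then handed an unset or NULL name. Restore the guard as `if (ret) ret = p11_openssl_symlink (ex, dir, filename);`. In extract-pem.c the new call is already guarded by `ret &&`, but there the `getenv("P11_KIT_PEMDIR_HASH")` test the author marks XXX makes the contents of an extracted trust directory depend on the caller's environment rather than on the command line; a value in the extract flags enum in extract.h, carried in `ex->flags` as the existing p11_save_open_directory call already does, would keep the behaviour explicit and reviewable. The loop bodies of both extraction functions begin outside the hunks shown.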


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Fri Dec 6 09:31:32 UTC 2013 - lnussel@suse.de
- trust: allow to also add openssl style hashes to pem-directory
0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
-------------------------------------------------------------------
Tue Sep 10 09:02:33 UTC 2013 - lnussel@suse.de


@ -30,6 +30,12 @@ Group: Development/Libraries/C and C++
Url: http://p11-glue.freedesktop.org/p11-kit.html
Source0: http://p11-glue.freedesktop.org/releases/%{name}-%{version}.tar.gz
Source99: baselibs.conf
# patch proposed upstream. If it gets rejected, need to implement
# this in ca-certificates.
Patch0: 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: pkg-config
BuildRequires: pkgconfig(libffi) >= 3.0.0
BuildRequires: pkgconfig(libtasn1) >= 2.3
@ -85,8 +91,11 @@ to be installed intead of mozilla-nss-certs.
%prep
%setup -q
%patch0 -p1
%build
# just because of patch0
autoreconf -f -i
%configure %--with-trust-paths=%{trustdir_cfg}:%{trustdir_static}
make %{?_smp_mflags} -C trust asn
make %{?_smp_mflags}
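Review bot: The comment above the new `Patch0:` line says the patch was proposed upstream but gives no way to find that submission, so the next packager cannot tell whether it was merged, reworked or rejected. Record the reference next to it, e.g. `# patch proposed upstream: <UPSTREAM-SUBMISSION-URL-PLACEHOLDER>; if rejected, implement this in ca-certificates instead`. The `autoreconf -f -i` line is justified by the patch touching trust/tests/Makefile.am, which the `# just because of patch0` comment could state so the step is removed together with the patch.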