Accepting request 183593 from home:gary_lin:branches:Base:System

Add pesign-allow-no-issuer-cert.patch to avoid crash when the
issuer's certificate is not available

OBS-URL: https://build.opensuse.org/request/show/183593
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=21

pesign-allow-no-issuer-cert.patch

@@ -0,0 +1,44 @@
+From be564827927e9845b61807b1355467df9d8115e6 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Mon, 4 Mar 2013 16:25:08 +0800
+Subject: [PATCH] Include the issuer's certificate only when available
+
+---
+ src/cms_common.c  |    2 +-
+ src/signed_data.c |    7 +------
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 7cca21b..755dd31 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -588,7 +588,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
+ 		if (!strcmp(node->cert->subjectName, name))
+ 			break;
+ 	}
+-	if (!node) {
++	if (CERT_LIST_END(node,certlist)) {
+ 		PK11_DestroySlotListElement(slots, &psle);
+ 		PK11_FreeSlotList(slots);
+ 		CERT_DestroyCertList(certlist);
+diff --git a/src/signed_data.c b/src/signed_data.c
+index fc1d137..97bf8b5 100644
+--- a/src/signed_data.c
++++ b/src/signed_data.c
+@@ -96,12 +96,7 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
+ 		CERTCertificate *signer = NULL;
+ 		int rc = find_named_certificate(cms, cms->cert->issuerName,
+ 						&signer);
+-		if (rc < 0) {
+-			PORT_ArenaRelease(cms->arena, mark);
+-			return -1;
+-		}
+-
+-		if (signer) {
++		if (rc == 0 && signer) {
+ 			if (signer->derCert.len != cms->cert->derCert.len ||
+ 					memcmp(signer->derCert.data,
+ 						cms->cert->derCert.data,
+-- 
+1.7.10.4
+

pesign-privkey_unneeded.diff

@@ -1,8 +1,8 @@
 ---
- src/cms_common.c |   10 +++++++++-
+ src/cms_common.c |   12 ++++++++++--
  src/cms_common.h |    1 +
  src/pesign.c     |    1 +
- 3 files changed, 11 insertions(+), 1 deletion(-)
+ 3 files changed, 12 insertions(+), 2 deletions(-)
 
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -44,6 +44,15 @@
  	};
  
  	if (needs_private_key) {
+@@ -562,7 +570,7 @@ find_named_certificate(cms_context *cms,
+ 	}
+ 
+ 	SECStatus status;
+-	if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
++	if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+ 		status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
+ 		if (status != SECSuccess) {
+ 			PK11_DestroySlotListElement(slots, &psle);
 --- a/src/cms_common.h
 +++ b/src/cms_common.h
 @@ -63,6 +63,7 @@ typedef int (*cms_common_logger)(struct

pesign.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jul 18 06:54:19 UTC 2013 - glin@suse.com
+
+- Add pesign-allow-no-issuer-cert.patch to avoid crash when the
+  issuer's certificate is not available
+
 -------------------------------------------------------------------
 Tue Jul  9 04:44:44 UTC 2013 - glin@suse.com
 

pesign.spec

@@ -32,6 +32,8 @@ Patch2:         pesign-fix-build-errors.patch
 Patch3:         pesign-privkey_unneeded.diff
 # PATCH-FIX-UPSTREAM pesign-clear-padding-bits.patch glin@suse.com -- Clear the allocated space before inserting the certificate list
 Patch4:         pesign-clear-padding-bits.patch
+# PATCH-FIX-UPSTREAM pesign-allow-no-issuer-cert.patch glin@suse.com -- Don't crash if the issuer's certificate is not available
+Patch5:         pesign-allow-no-issuer-cert.patch
 BuildRequires:  mozilla-nss-devel
 BuildRequires:  pkg-config
 BuildRequires:  popt-devel
@@ -60,6 +62,7 @@ Authors:
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 %build
 make OPTFLAGS="$RPM_OPT_FLAGS"